latentbot | c5eaf4973b45ebcb1e10afc0f49d5b84c4d4214103c4b77a0263a6510f2d9ac0

Analysis

max time kernel
839s
max time network
846s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.vbs
Size

23KB
MD5

c697283f6d4effbc73365f1e6ce56754
SHA1

35f538451885c8d0ab49431df3e6d78deadb4bbe
SHA256

c5eaf4973b45ebcb1e10afc0f49d5b84c4d4214103c4b77a0263a6510f2d9ac0
SHA512

c5699a35e1c1b9a28dcc96088e8ff07e625436d0a6bcb0a869f13dff998fb4fcef02f15d275c8f1064a4d2685cd349ff80f506d7db69bcd72049e209922fac79
SSDEEP

384:oAuL8pGgtbsDFC70X0kNMthfiFQS/Lo/GY0XkUoJbG3gYgd1YQ+gNIINVS0AgAxw:LuL8pbsZCiMthqFQOLo/GY0L4p2O5d4Q

Score

10^/10

latentbot collection credential_access discovery stealer trojan

Malware Config

Extracted

Family

latentbot

j46y565i34wru.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 17 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3764-101-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3764-102-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3764-103-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3764-104-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3764-115-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/772-129-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/4112-144-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4112-145-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/772-146-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3132-147-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/4660-149-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral2/memory/4660-148-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral2/memory/3132-156-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3132-157-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3132-162-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3764-163-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft
behavioral2/memory/3764-165-0x0000000000400000-0x0000000000A7A000-memory.dmp	Nirsoft

NirSoft MailPassView 15 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3764-101-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3764-102-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3764-103-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3764-104-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3764-115-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/772-129-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/4112-144-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4112-145-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/772-146-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3132-147-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3132-156-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3132-157-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3132-162-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3764-163-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView
behavioral2/memory/3764-165-0x0000000000400000-0x0000000000A7A000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 15 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3764-101-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3764-102-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3764-103-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3764-104-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3764-115-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/772-129-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/772-146-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3132-147-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/4660-149-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral2/memory/4660-148-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral2/memory/3132-156-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3132-157-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3132-162-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3764-163-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3764-165-0x0000000000400000-0x0000000000A7A000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4816	WScript.exe
4	4816	WScript.exe
6	4816	WScript.exe
8	4816	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7fb.lnk	RegSvcs.exe

Executes dropped EXE 1 IoCs

pid	Process
2456	j0286yhmbf7ai.exe

Loads dropped DLL 2 IoCs

pid	Process
3132	RegSvcs.exe
3132	RegSvcs.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 3764	2456	j0286yhmbf7ai.exe	101
PID 3764 set thread context of 772	3764	RegSvcs.exe	109
PID 3764 set thread context of 3132	3764	RegSvcs.exe	117
PID 772 set thread context of 4112	772	RegSvcs.exe	119
PID 3132 set thread context of 4660	3132	RegSvcs.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	j0286yhmbf7ai.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4660	RegSvcs.exe
4660	RegSvcs.exe
4660	RegSvcs.exe
4660	RegSvcs.exe
3132	RegSvcs.exe
3132	RegSvcs.exe
3132	RegSvcs.exe
3132	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3764	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4816	WScript.exe
4816	WScript.exe
2456	j0286yhmbf7ai.exe
2456	j0286yhmbf7ai.exe
2456	j0286yhmbf7ai.exe
2456	j0286yhmbf7ai.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2456	j0286yhmbf7ai.exe
2456	j0286yhmbf7ai.exe
2456	j0286yhmbf7ai.exe
2456	j0286yhmbf7ai.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2456	4816	WScript.exe	87
PID 4816 wrote to memory of 2456	4816	WScript.exe	87
PID 4816 wrote to memory of 2456	4816	WScript.exe	87
PID 2456 wrote to memory of 3384	2456	j0286yhmbf7ai.exe	89
PID 2456 wrote to memory of 3384	2456	j0286yhmbf7ai.exe	89
PID 2456 wrote to memory of 3384	2456	j0286yhmbf7ai.exe	89
PID 2456 wrote to memory of 3384	2456	j0286yhmbf7ai.exe	89
PID 2456 wrote to memory of 4180	2456	j0286yhmbf7ai.exe	90
PID 2456 wrote to memory of 4180	2456	j0286yhmbf7ai.exe	90
PID 2456 wrote to memory of 4180	2456	j0286yhmbf7ai.exe	90
PID 2456 wrote to memory of 4180	2456	j0286yhmbf7ai.exe	90
PID 2456 wrote to memory of 5088	2456	j0286yhmbf7ai.exe	91
PID 2456 wrote to memory of 5088	2456	j0286yhmbf7ai.exe	91
PID 2456 wrote to memory of 5088	2456	j0286yhmbf7ai.exe	91
PID 2456 wrote to memory of 5088	2456	j0286yhmbf7ai.exe	91
PID 2456 wrote to memory of 1780	2456	j0286yhmbf7ai.exe	92
PID 2456 wrote to memory of 1780	2456	j0286yhmbf7ai.exe	92
PID 2456 wrote to memory of 1780	2456	j0286yhmbf7ai.exe	92
PID 2456 wrote to memory of 1780	2456	j0286yhmbf7ai.exe	92
PID 2456 wrote to memory of 2380	2456	j0286yhmbf7ai.exe	93
PID 2456 wrote to memory of 2380	2456	j0286yhmbf7ai.exe	93
PID 2456 wrote to memory of 2380	2456	j0286yhmbf7ai.exe	93
PID 2456 wrote to memory of 2380	2456	j0286yhmbf7ai.exe	93
PID 2456 wrote to memory of 3000	2456	j0286yhmbf7ai.exe	95
PID 2456 wrote to memory of 3000	2456	j0286yhmbf7ai.exe	95
PID 2456 wrote to memory of 3000	2456	j0286yhmbf7ai.exe	95
PID 2456 wrote to memory of 3000	2456	j0286yhmbf7ai.exe	95
PID 2456 wrote to memory of 1888	2456	j0286yhmbf7ai.exe	97
PID 2456 wrote to memory of 1888	2456	j0286yhmbf7ai.exe	97
PID 2456 wrote to memory of 1888	2456	j0286yhmbf7ai.exe	97
PID 2456 wrote to memory of 1888	2456	j0286yhmbf7ai.exe	97
PID 2456 wrote to memory of 2020	2456	j0286yhmbf7ai.exe	98
PID 2456 wrote to memory of 2020	2456	j0286yhmbf7ai.exe	98
PID 2456 wrote to memory of 2020	2456	j0286yhmbf7ai.exe	98
PID 2456 wrote to memory of 2020	2456	j0286yhmbf7ai.exe	98
PID 2456 wrote to memory of 1812	2456	j0286yhmbf7ai.exe	99
PID 2456 wrote to memory of 1812	2456	j0286yhmbf7ai.exe	99
PID 2456 wrote to memory of 1812	2456	j0286yhmbf7ai.exe	99
PID 2456 wrote to memory of 1812	2456	j0286yhmbf7ai.exe	99
PID 2456 wrote to memory of 3620	2456	j0286yhmbf7ai.exe	100
PID 2456 wrote to memory of 3620	2456	j0286yhmbf7ai.exe	100
PID 2456 wrote to memory of 3620	2456	j0286yhmbf7ai.exe	100
PID 2456 wrote to memory of 3620	2456	j0286yhmbf7ai.exe	100
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 2456 wrote to memory of 3764	2456	j0286yhmbf7ai.exe	101
PID 3764 wrote to memory of 4516	3764	RegSvcs.exe	103
PID 3764 wrote to memory of 4516	3764	RegSvcs.exe	103
PID 3764 wrote to memory of 4516	3764	RegSvcs.exe	103
PID 3764 wrote to memory of 1540	3764	RegSvcs.exe	104
PID 3764 wrote to memory of 1540	3764	RegSvcs.exe	104
PID 3764 wrote to memory of 1540	3764	RegSvcs.exe	104

Views/modifies file attributes 1 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4672	attrib.exe
3580	attrib.exe
1780	attrib.exe
1540	attrib.exe
536	attrib.exe
2388	attrib.exe
4528	attrib.exe
3384	attrib.exe
5088	attrib.exe
3912	attrib.exe
4756	attrib.exe
1044	attrib.exe
4180	attrib.exe
2380	attrib.exe
4516	attrib.exe
1872	attrib.exe
4760	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mal.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4816
- C:\nn6qi26\j0286yhmbf7ai.exe
  "C:\nn6qi26\j0286yhmbf7ai.exe" j0286yhmbf7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2456
- - \??\c:\windows\SysWOW64\attrib.exe
    "c:/windows/SysWOW64/attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:3384
- - \??\c:\windows\SysWOW64\attrib.exe
    "c:/windows/SysWOW64/attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:4180
- - \??\c:\windows\SysWOW64\attrib.exe
    "c:/windows/SysWOW64/attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:5088
- - \??\c:\windows\SysWOW64\attrib.exe
    "c:/windows/SysWOW64/attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:1780
- - \??\c:\windows\SysWOW64\attrib.exe
    "c:/windows/SysWOW64/attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:2380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:/Windows/Microsoft.NET/Framework/v4.0.30319/RegSvcs.exe"
    3⤵
    PID:3000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:/Windows/Microsoft.NET/Framework/v4.0.30319/RegSvcs.exe"
    3⤵
    PID:1888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:/Windows/Microsoft.NET/Framework/v4.0.30319/RegSvcs.exe"
    3⤵
    PID:2020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:/Windows/Microsoft.NET/Framework/v4.0.30319/RegSvcs.exe"
    3⤵
    PID:1812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:/Windows/Microsoft.NET/Framework/v4.0.30319/RegSvcs.exe"
    3⤵
    PID:3620
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:/Windows/Microsoft.NET/Framework/v2.0.50727/RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##1
      4⤵
      Views/modifies file attributes
      PID:4516
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##1
      4⤵
      Views/modifies file attributes
      PID:1540
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##1
      4⤵
      Views/modifies file attributes
      PID:536
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##1
      4⤵
      Views/modifies file attributes
      PID:2388
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##1
      4⤵
      Views/modifies file attributes
      PID:4756
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##1
      4⤵
      Views/modifies file attributes
      PID:1872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe j0286yhmbf7 ##1
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:772
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /stext "WWy1"
        5⤵
        
        PID:2572
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /stext "WWy1"
        5⤵
        
        PID:1312
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /stext "WWy1"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4112
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##3
      4⤵
      Views/modifies file attributes
      PID:3912
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##3
      4⤵
      Views/modifies file attributes
      PID:4528
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##3
      4⤵
      Views/modifies file attributes
      PID:4672
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##3
      4⤵
      Views/modifies file attributes
      PID:4760
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##3
      4⤵
      Views/modifies file attributes
      PID:1044
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##3
      4⤵
      Views/modifies file attributes
      PID:3580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe j0286yhmbf7 ##3
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3132
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /stext "WWy0"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\R

Filesize
142B

MD5
903fffc0093e22b03602ac37bf0b28e4

SHA1
2217c436e3cc9d4d8d10c14b06ce89610450999b

SHA256
9256cf227cd04cf799d1622d7fcabc8d9a61095ddfcb19f0ba7577de589bbc80

SHA512
9fde2c9eed8a65556d098c436dcb2ae1b16b40f0fed82b8c6fe26d5d5f36140a95962abad594e63a55410960c31331dc96d579565f6bc8baf39c38307934f309

Download Submit
C:\Users\Public\R_

Filesize
3KB

MD5
0e0ba587ab07654705778889de55ca69

SHA1
9509927b1aef6e77f62d11cd2700412c2e794141

SHA256
e14a3715207ba94862c13ea64d7d40ea96eb3f372289e52df7d390e5f112b1d8

SHA512
7cd04f5ac00879c02a864eb6b4b3a09e02a78f1b1d376e4d7e8a84a6f9cdcd2a0981b4a7f85277b3ff787c769d6afacd605637fea1656cf6c80178e56cc3eb1a

Download Submit
C:\nn6qi26\WWy0

Filesize
4KB

MD5
ea01dd92b15d2f570f6b167dad2d1fd0

SHA1
7b89141d4c3eb2f29d096f28a9bfe66eb006224a

SHA256
0515f49138d74283f9ac1042fd1a384f715b74c2b99193454dbb0cd585097727

SHA512
0e7695aea30250a41829fa4abb681b8c3ed4c0955e18f1f9f3a5456bfb3a76f016f538e557bf29b99ab6ab48c846f9fa3c4bccd8cb5fe73099a81b5946029ec8

Download Submit
C:\nn6qi26\j0286yhmbf71.7fb

Filesize
6.4MB

MD5
f1bdba8ededc7120f738b69aeacab588

SHA1
ab925af5329bfd4fed9ad7e4fbf882e7eae0c9df

SHA256
77a7a093f93dd177213ca0cda1d8b88b3aecc24317a68a798bcb843462ac5a4a

SHA512
e37702f0b535e595d43e9ef790f2b75e9755544b47f87ddecaa98cba6cae5daab70880de4c4a164c8b9ee90fb25e8900975591d96562c82acf32dd36d32b9a71

Download Submit
C:\nn6qi26\j0286yhmbf74.zip

Filesize
277KB

MD5
efca48f79b8b46a4b36b3e4a4a9473b2

SHA1
60d7955cb8d72e836f00229e40ad117791c44797

SHA256
3fbfbd042455269a51fbf8b9d067b8b7f0a939fd7fcc7d16bff4282e898691fe

SHA512
ca90b7d8dc53cc90e1d75a53802bdbc3bdc7709e59997f3714dc4a73ab10cbbc6e1d8f47427c7a08a285bb273358d4c26bd69a1567151499c2369ca24dc05052

Download Submit
C:\nn6qi26\j0286yhmbf7a3.zip

Filesize
475KB

MD5
431ea22dfc9161171857a4b4b0d654cb

SHA1
34122f53d97032a44a33794dd6473b1afee0e4ba

SHA256
9ecc9ae104e55639818b5fbc7b20c2360fdb38c590e976f9ee249375d8e08208

SHA512
39e21d684f2c90ccd569cb6b3dc2f105b58f213c06fdae6ed9d730902b91c4dd9df618864451901780af23a17f5e34328477a3cb74f2c8363e00497358a38e95

Download Submit
C:\nn6qi26\j0286yhmbf7ai.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\nn6qi26\j0286yhmbf7m1.zip

Filesize
4.5MB

MD5
fcf95a673fc6f66144fda45cf4178878

SHA1
7045244c1614b33ce9268ff204b29f335995e574

SHA256
1d2d800a6f1cf902a5b62fc93ca26dd9e73e654c76a65e35a034e6c9e12fbc79

SHA512
ed28d2428b5401b3a14ddb206f257e7678a6ced31cef034963b718b5dcd68699b1e55a535f5d73653df205e3527786e7823e90496384f1b9307edb7dfe7936ef

Download Submit
\??\c:\nn6qi26\j0286yhmbf7

Filesize
277KB

MD5
cf0dbc1c057c44e0f053db964e83507f

SHA1
8a6b1f26ed64406c3628ba547508cc88a517a202

SHA256
2eafe832a8d61339b1d552adea62cc54fcfbef6e62dda5e29c131c70aaacc379

SHA512
75431f5674866c5a735a9f68ab5210cd0ab7ce8d10bd9aed53dfc7de8e8d4def5c9489226573c2a27b3c932589f17f3b8c703bc9f4693d50a27b8203e7bc0a7f

Download Submit
\??\c:\nn6qi26\libeay32.dll

Filesize
1.3MB

MD5
de484d5dafe3c1208da6e24af40e0a97

SHA1
3e27b636863fefd991c57e8f4657aded333292e1

SHA256
007342c6b9b956f416f556b4bd6f1077e25bd077cc4f4ac136e3fccb803746e3

SHA512
e871ba131965331dcd6e7ae0ef02734e157676c7d2bba791dae274395eaac90df3e0851bd67f1e12461287860281d488e7e82c9c11cbf4657052eec78f678c3d

Download Submit
\??\c:\nn6qi26\ssleay32.dll

Filesize
330KB

MD5
284e004b654306f8db1a63cff0e73d91

SHA1
7caa9d45c1a3e2a41f7771e30d97d86f67b96b1b

SHA256
2d11228520402ef49443aadc5d0f02c9544a795a4afc89fb0434b3b81ebdd28c

SHA512
9c95824a081a2c822421c4b7eb57d68999e3c6f214483e0f177e1066fe3c915b800b67d2008181c954ad0403af0fa1ade3e4ea11d53ab7e13f4a3def9f89cf4f

Download Submit
memory/772-117-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-129-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-124-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-118-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-123-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-121-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-120-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-146-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/772-116-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/2456-96-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/3132-162-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3132-157-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3132-156-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3132-147-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3764-104-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3764-103-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3764-102-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3764-101-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3764-115-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3764-163-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3764-165-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/4112-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4112-144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4660-148-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4660-149-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download