matiex | 7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
Size

1.9MB
MD5

9dd6a382a4b8e3295ed977f1cc176c0a
SHA1

cd990deea4530f113c617b9cda0eeea7ada9170e
SHA256

7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
SHA512

a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc
SSDEEP

24576:zRgV9lX4ePztJzKe4QTnExJrP6+RtCFKOqRuGmjpMg8R5w+cTll8add1Lj6vull+:zR6bbJR7OyKiKO0VaqgY5w+eTZ3Ejmr6

Score

10^/10

matiex predatorstealer wshrat collection credential_access discovery execution keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

wshrat

http://blackhillls.ddns.net:1334

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/320-4-0x0000000000400000-0x00000000005F1000-memory.dmp	family_matiex
C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe	family_matiex
C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe	family_matiex
behavioral2/memory/1456-36-0x0000000000400000-0x00000000005F1000-memory.dmp	family_matiex
behavioral2/memory/3224-53-0x0000000000A20000-0x0000000000A92000-memory.dmp	family_matiex
behavioral2/memory/1644-96-0x0000000000400000-0x00000000005F1000-memory.dmp	family_matiex

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe	family_wshrat
C:\Users\Admin\AppData\Local\Temp\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js	family_wshrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exe

flow pid process

28 1560 wscript.exe
31 1560 wscript.exe
57 1560 wscript.exe
65 1560 wscript.exe
69 1560 wscript.exe
82 1560 wscript.exe
83 1560 wscript.exe

flow	pid	process
28	1560	wscript.exe
31	1560	wscript.exe
57	1560	wscript.exe
65	1560	wscript.exe
69	1560	wscript.exe
82	1560	wscript.exe
83	1560	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exescvhost.exescvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	scvhost.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2692 notepad.exe

pid	process
2692	notepad.exe

Drops startup file 3 IoCs

Processes:

notepad.exeWScript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js	wscript.exe

Executes dropped EXE 5 IoCs

Processes:

scvhost.exeBsA2woE9zZbLwSC.exescvhost.exescvhost.exebin.exe

pid process

1456 scvhost.exe
3224 BsA2woE9zZbLwSC.exe
640 scvhost.exe
1644 scvhost.exe
228 bin.exe
Loads dropped DLL 2 IoCs

Processes:

bin.exe

pid process

228 bin.exe
228 bin.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1456	scvhost.exe
3224	BsA2woE9zZbLwSC.exe
640	scvhost.exe
1644	scvhost.exe
228	bin.exe

pid	process
228	bin.exe
228	bin.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/640-34-0x0000000000400000-0x0000000000760000-memory.dmp	upx
behavioral2/memory/640-42-0x0000000000400000-0x0000000000760000-memory.dmp	upx
behavioral2/memory/640-38-0x0000000000400000-0x0000000000760000-memory.dmp	upx
behavioral2/memory/640-39-0x0000000000400000-0x0000000000760000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

scvhost.exeBsA2woE9zZbLwSC.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scvhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scvhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scvhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	wscript.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 freegeoip.app
25 checkip.dyndns.org
27 ip-api.com
34 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

scvhost.exe

description pid process target process

PID 1456 set thread context of 640 1456 scvhost.exe scvhost.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4824 3224 WerFault.exe BsA2woE9zZbLwSC.exe

flow	ioc
35	freegeoip.app
25	checkip.dyndns.org
27	ip-api.com
34	freegeoip.app

description	pid	process	target process
PID 1456 set thread context of 640	1456	scvhost.exe	scvhost.exe

pid	pid_target	process	target process
4824	3224	WerFault.exe	BsA2woE9zZbLwSC.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

scvhost.exeWScript.exescvhost.exenotepad.exeBsA2woE9zZbLwSC.exescvhost.exewscript.execmd.exebin.exe9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BsA2woE9zZbLwSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe

Modifies registry class 1 IoCs

Processes:

scvhost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings scvhost.exe
NTFS ADS 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe:ZoneIdentifier notepad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	scvhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe:ZoneIdentifier	notepad.exe

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	83	WSHRAT\|7A047C37\|PVMNUDVD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|7A047C37\|PVMNUDVD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	57	WSHRAT\|7A047C37\|PVMNUDVD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	65	WSHRAT\|7A047C37\|PVMNUDVD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|7A047C37\|PVMNUDVD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	82	WSHRAT\|7A047C37\|PVMNUDVD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exescvhost.exescvhost.exe

pid	process
320	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
320	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
1456	scvhost.exe
1456	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe
1644	scvhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

scvhost.exe

pid process

1456 scvhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BsA2woE9zZbLwSC.exescvhost.exe

description pid process

Token: SeDebugPrivilege 3224 BsA2woE9zZbLwSC.exe
Token: SeDebugPrivilege 640 scvhost.exe

pid	process
1456	scvhost.exe

description	pid	process
Token: SeDebugPrivilege	3224	BsA2woE9zZbLwSC.exe
Token: SeDebugPrivilege	640	scvhost.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exenotepad.exescvhost.exeWScript.exescvhost.execmd.exe

description	pid	process	target process
PID 320 wrote to memory of 2692	320	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	notepad.exe
PID 320 wrote to memory of 2692	320	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	notepad.exe
PID 320 wrote to memory of 2692	320	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	notepad.exe
PID 320 wrote to memory of 2692	320	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	notepad.exe
PID 320 wrote to memory of 2692	320	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	notepad.exe
PID 2692 wrote to memory of 1456	2692	notepad.exe	scvhost.exe
PID 2692 wrote to memory of 1456	2692	notepad.exe	scvhost.exe
PID 2692 wrote to memory of 1456	2692	notepad.exe	scvhost.exe
PID 1456 wrote to memory of 4532	1456	scvhost.exe	WScript.exe
PID 1456 wrote to memory of 4532	1456	scvhost.exe	WScript.exe
PID 1456 wrote to memory of 4532	1456	scvhost.exe	WScript.exe
PID 1456 wrote to memory of 3224	1456	scvhost.exe	BsA2woE9zZbLwSC.exe
PID 1456 wrote to memory of 3224	1456	scvhost.exe	BsA2woE9zZbLwSC.exe
PID 1456 wrote to memory of 3224	1456	scvhost.exe	BsA2woE9zZbLwSC.exe
PID 1456 wrote to memory of 640	1456	scvhost.exe	scvhost.exe
PID 1456 wrote to memory of 640	1456	scvhost.exe	scvhost.exe
PID 1456 wrote to memory of 640	1456	scvhost.exe	scvhost.exe
PID 1456 wrote to memory of 1644	1456	scvhost.exe	scvhost.exe
PID 1456 wrote to memory of 1644	1456	scvhost.exe	scvhost.exe
PID 1456 wrote to memory of 1644	1456	scvhost.exe	scvhost.exe
PID 4532 wrote to memory of 1560	4532	WScript.exe	wscript.exe
PID 4532 wrote to memory of 1560	4532	WScript.exe	wscript.exe
PID 4532 wrote to memory of 1560	4532	WScript.exe	wscript.exe
PID 640 wrote to memory of 1820	640	scvhost.exe	cmd.exe
PID 640 wrote to memory of 1820	640	scvhost.exe	cmd.exe
PID 640 wrote to memory of 1820	640	scvhost.exe	cmd.exe
PID 1820 wrote to memory of 228	1820	cmd.exe	bin.exe
PID 1820 wrote to memory of 228	1820	cmd.exe	bin.exe
PID 1820 wrote to memory of 228	1820	cmd.exe	bin.exe

outlook_office_path 1 IoCs

Processes:

BsA2woE9zZbLwSC.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe

outlook_win_path 1 IoCs

Processes:

BsA2woE9zZbLwSC.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe

C:\Users\Admin\AppData\Local\Temp\9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js"
      4⤵
      Checks computer location settings
      Drops startup file
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe
      "C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:3224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 2012
        5⤵
        Program crash
        
        PID:4824
  - - C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bin.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\bin.exe
        
        bin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:228
  - - C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe" 2 640 240639281
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3224 -ip 3224
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe

Filesize
432KB

MD5
db1c4abd9f89e2accb740f7c01cb1504

SHA1
3a290627dc9ceec7f013c48a4032d69573cc4dbd

SHA256
877586c1dbff58fb4c4b9e0543c8e76bad590557b132d8f36b24733558ea02a9

SHA512
474746e5584aa500a7ffbaef4e940c7631c38b4b74557a4b38a8e3a0434a427b3ffb1b7ab3f46a7d226bd3f789df62ee74fbc0f230e19cd246ca8cb6a27a16f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js

Filesize
184KB

MD5
4e47fc3b25104418b7f7a5523e51639a

SHA1
de60259e11ec477b9083d641ffdbc88230a0927b

SHA256
f0e2f3ca73d64210c1d6a7ca07a2a145f3e94b0d41f99cd45f9fe008d288f345

SHA512
a76d6098d2df124d4cb0f773410f186cd579d288d5cd30c6dcf90f24aca01b2d4777274abb1278287a9accada490bb1187209f8c53207c3baf8c26f606fc7225

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe

Filesize
23KB

MD5
345da28112fc97cbad74e45c510fd783

SHA1
dc88113783ed200262428c3000c35fdd093c5b64

SHA256
b6e61d4a8e0fe205cd03d4fa1d9ffc4ce8c77b9a3efecdb6f9523dccf6bd9864

SHA512
e9b294b03ffd005ce6d8380be285baf762d0f135676c1fd4737f43c34e39ad3da77e7c3a07a7197475c1d17b09628b03e9e9c1808698dd89852ad60b9febfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bookmarks.txt

Filesize
13B

MD5
61f8a15f0bf3ef90a36796b6cbb7b105

SHA1
9a0893ee4bfb0e58c64902fc4da215dcbec12e3f

SHA256
678150f8aa675320e486b135418a7ed5b546514a5aa808588eccc12fe8cd2130

SHA512
5afb5a40e95b289db50db7aa151a5a526ef04824533fccd0ad3d6ea813cc5621b8009521d7f5db69fbcb1a46640e963427fd6b42721df26f1fbfc89f59a8abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

Filesize
11B

MD5
c62837b28d4938edd0ed433c62d0fbff

SHA1
e9ea5b724941b7c1d2ac740b896f97ad804e58d3

SHA256
041a0aa02efee5c154ee06e5bb07fcde75d5a2a0277e390a170cf9e719d93ffe

SHA512
12c5692a05b1b8b4fe6e2f4a7347886cfcc51b62aec46dbeaaa3c0c8949576e7693ccb60611a9915c9f2a7376003fc71210ea580fb0976783c3bf268ac132793

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
13B

MD5
7294c881f5e23198c7000056e50ef7e7

SHA1
65f942dda2ae75aad6444e7a9ccc7352b5c88e23

SHA256
2be7f0deacefc2c099e3309e42989fac20dc32af7e722d0bdeb3bc72f44698f4

SHA512
ca66605f5b605bdc060ae870fd4d48b20651e0fa8ae126de3e511ada760d1e32fe1709ae536fa46b166d89f1d36501130f9a86c845c2a2776bbdb8f577e7ddb3

Download Submit
C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe

Filesize
1.9MB

MD5
9dd6a382a4b8e3295ed977f1cc176c0a

SHA1
cd990deea4530f113c617b9cda0eeea7ada9170e

SHA256
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964

SHA512
a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc

Download Submit
memory/228-90-0x0000000005D50000-0x0000000005DF8000-memory.dmp

Filesize
672KB

Download
memory/228-79-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/320-4-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/320-0-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/320-3-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/320-1-0x0000000002540000-0x000000000254F000-memory.dmp

Filesize
60KB

Download
memory/640-69-0x0000000008600000-0x0000000008618000-memory.dmp

Filesize
96KB

Download
memory/640-34-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/640-94-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/640-39-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/640-56-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/640-40-0x0000000001260000-0x000000000140A000-memory.dmp

Filesize
1.7MB

Download
memory/640-42-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/640-61-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/640-64-0x00000000059A0000-0x00000000059F6000-memory.dmp

Filesize
344KB

Download
memory/640-63-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/640-38-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1456-36-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1456-15-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1456-12-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1644-54-0x0000000003F40000-0x0000000003F4F000-memory.dmp

Filesize
60KB

Download
memory/1644-96-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2692-5-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3224-60-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/3224-57-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/3224-53-0x0000000000A20000-0x0000000000A92000-memory.dmp

Filesize
456KB

Download