be7644cecc2a38c7e940eac967a4f1874975044605c9435c91cc72a2f6da8373

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe
Size

7.9MB
MD5

0cb1cd96a9040375ccb2bf55b7cbf016
SHA1

7390264e8d9565db41d11c030a5534ada49fc96a
SHA256

be7644cecc2a38c7e940eac967a4f1874975044605c9435c91cc72a2f6da8373
SHA512

00c2fb996b8b24cd16fb045ee41822c5c493b290a31b0a1f938654a6f09c36f5d6db00d6432b4bbb8978e8c3599097eb4985b2548cad1f81aace99055c2e0b52
SSDEEP

98304:SLBrws1ai4FNIfEKhjwwnVigX6vMpfoh4AA31WVKcBQH:SOs1ai4NKh/VBQM9oVPIcG

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\ProgramData\\Samsung\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Fsdisk\\Moderax\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Alexa\\Virtual\\hostcls.exe\""	mpc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	mpc.exe

Executes dropped EXE 8 IoCs

pid	Process
1460	x0x.exe
3740	mpc.exe
3192	mpc.exe
4372	mpc.exe
1692	mpc.exe
1996	mpc.exe
2532	mpc.exe
1120	mpc.exe

Loads dropped DLL 18 IoCs

pid	Process
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe
4372	mpc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
5072	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpc.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
4916	taskkill.exe
4232	taskkill.exe
1584	taskkill.exe
1376	taskkill.exe
2660	taskkill.exe
2536	taskkill.exe
1660	taskkill.exe
4884	taskkill.exe
1132	taskkill.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2380	wmic.exe
Token: SeSecurityPrivilege	2380	wmic.exe
Token: SeTakeOwnershipPrivilege	2380	wmic.exe
Token: SeLoadDriverPrivilege	2380	wmic.exe
Token: SeSystemProfilePrivilege	2380	wmic.exe
Token: SeSystemtimePrivilege	2380	wmic.exe
Token: SeProfSingleProcessPrivilege	2380	wmic.exe
Token: SeIncBasePriorityPrivilege	2380	wmic.exe
Token: SeCreatePagefilePrivilege	2380	wmic.exe
Token: SeBackupPrivilege	2380	wmic.exe
Token: SeRestorePrivilege	2380	wmic.exe
Token: SeShutdownPrivilege	2380	wmic.exe
Token: SeDebugPrivilege	2380	wmic.exe
Token: SeSystemEnvironmentPrivilege	2380	wmic.exe
Token: SeRemoteShutdownPrivilege	2380	wmic.exe
Token: SeUndockPrivilege	2380	wmic.exe
Token: SeManageVolumePrivilege	2380	wmic.exe
Token: 33	2380	wmic.exe
Token: 34	2380	wmic.exe
Token: 35	2380	wmic.exe
Token: 36	2380	wmic.exe
Token: SeIncreaseQuotaPrivilege	2380	wmic.exe
Token: SeSecurityPrivilege	2380	wmic.exe
Token: SeTakeOwnershipPrivilege	2380	wmic.exe
Token: SeLoadDriverPrivilege	2380	wmic.exe
Token: SeSystemProfilePrivilege	2380	wmic.exe
Token: SeSystemtimePrivilege	2380	wmic.exe
Token: SeProfSingleProcessPrivilege	2380	wmic.exe
Token: SeIncBasePriorityPrivilege	2380	wmic.exe
Token: SeCreatePagefilePrivilege	2380	wmic.exe
Token: SeBackupPrivilege	2380	wmic.exe
Token: SeRestorePrivilege	2380	wmic.exe
Token: SeShutdownPrivilege	2380	wmic.exe
Token: SeDebugPrivilege	2380	wmic.exe
Token: SeSystemEnvironmentPrivilege	2380	wmic.exe
Token: SeRemoteShutdownPrivilege	2380	wmic.exe
Token: SeUndockPrivilege	2380	wmic.exe
Token: SeManageVolumePrivilege	2380	wmic.exe
Token: 33	2380	wmic.exe
Token: 34	2380	wmic.exe
Token: 35	2380	wmic.exe
Token: 36	2380	wmic.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 5072	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	84
PID 2596 wrote to memory of 5072	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	84
PID 2596 wrote to memory of 2380	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	88
PID 2596 wrote to memory of 2380	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	88
PID 2596 wrote to memory of 1460	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	102
PID 2596 wrote to memory of 1460	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	102
PID 2596 wrote to memory of 1460	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	102
PID 2596 wrote to memory of 3740	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	104
PID 2596 wrote to memory of 3740	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	104
PID 2596 wrote to memory of 3740	2596	2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe	104
PID 3740 wrote to memory of 3192	3740	mpc.exe	105
PID 3740 wrote to memory of 3192	3740	mpc.exe	105
PID 3740 wrote to memory of 3192	3740	mpc.exe	105
PID 3192 wrote to memory of 4372	3192	mpc.exe	107
PID 3192 wrote to memory of 4372	3192	mpc.exe	107
PID 3192 wrote to memory of 4372	3192	mpc.exe	107
PID 4372 wrote to memory of 1332	4372	mpc.exe	115
PID 4372 wrote to memory of 1332	4372	mpc.exe	115
PID 4372 wrote to memory of 1332	4372	mpc.exe	115
PID 4372 wrote to memory of 3888	4372	mpc.exe	117
PID 4372 wrote to memory of 3888	4372	mpc.exe	117
PID 4372 wrote to memory of 3888	4372	mpc.exe	117
PID 4372 wrote to memory of 2200	4372	mpc.exe	118
PID 4372 wrote to memory of 2200	4372	mpc.exe	118
PID 4372 wrote to memory of 2200	4372	mpc.exe	118
PID 4372 wrote to memory of 640	4372	mpc.exe	119
PID 4372 wrote to memory of 640	4372	mpc.exe	119
PID 4372 wrote to memory of 640	4372	mpc.exe	119
PID 4372 wrote to memory of 2220	4372	mpc.exe	121
PID 4372 wrote to memory of 2220	4372	mpc.exe	121
PID 4372 wrote to memory of 2220	4372	mpc.exe	121
PID 4372 wrote to memory of 3320	4372	mpc.exe	122
PID 4372 wrote to memory of 3320	4372	mpc.exe	122
PID 4372 wrote to memory of 3320	4372	mpc.exe	122
PID 4372 wrote to memory of 1620	4372	mpc.exe	123
PID 4372 wrote to memory of 1620	4372	mpc.exe	123
PID 4372 wrote to memory of 1620	4372	mpc.exe	123
PID 4372 wrote to memory of 4204	4372	mpc.exe	125
PID 4372 wrote to memory of 4204	4372	mpc.exe	125
PID 4372 wrote to memory of 4204	4372	mpc.exe	125
PID 4372 wrote to memory of 5112	4372	mpc.exe	126
PID 4372 wrote to memory of 5112	4372	mpc.exe	126
PID 4372 wrote to memory of 5112	4372	mpc.exe	126
PID 4372 wrote to memory of 4736	4372	mpc.exe	127
PID 4372 wrote to memory of 4736	4372	mpc.exe	127
PID 4372 wrote to memory of 4736	4372	mpc.exe	127
PID 4372 wrote to memory of 2904	4372	mpc.exe	128
PID 4372 wrote to memory of 2904	4372	mpc.exe	128
PID 4372 wrote to memory of 2904	4372	mpc.exe	128
PID 4372 wrote to memory of 4476	4372	mpc.exe	129
PID 4372 wrote to memory of 4476	4372	mpc.exe	129
PID 4372 wrote to memory of 4476	4372	mpc.exe	129
PID 4372 wrote to memory of 1460	4372	mpc.exe	131
PID 4372 wrote to memory of 1460	4372	mpc.exe	131
PID 4372 wrote to memory of 1460	4372	mpc.exe	131
PID 4372 wrote to memory of 512	4372	mpc.exe	132
PID 4372 wrote to memory of 512	4372	mpc.exe	132
PID 4372 wrote to memory of 512	4372	mpc.exe	132
PID 3888 wrote to memory of 1692	3888	cmd.exe	143
PID 3888 wrote to memory of 1692	3888	cmd.exe	143
PID 3888 wrote to memory of 1692	3888	cmd.exe	143
PID 3320 wrote to memory of 1584	3320	cmd.exe	144
PID 3320 wrote to memory of 1584	3320	cmd.exe	144
PID 3320 wrote to memory of 1584	3320	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_0cb1cd96a9040375ccb2bf55b7cbf016_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\System32\Wbem\wmic.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\x0x.exe
  C:\Users\Admin\AppData\Local\Temp\x0x.exe x -p148ifdh8ajAHAjaa -o+ C:\Users\Admin\AppData\Local\Temp\mpc.part01.rar C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\mpc.exe
  C:\Users\Admin\AppData\Local\Temp\mpc.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc.exe
    "C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc.exe
      "C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c copy /y mpc\41678903251236549780 mpc\mpc.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\46197283504128096357. C:\ProgramData
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3888
      - C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\mpc.exe
        
        mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\46197283504128096357. C:\ProgramData
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\89570341267058239146. "%USERPROFILE%\Appdata\Local\"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\mpc.exe
        
        mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\89570341267058239146. "C:\Users\Admin\Appdata\Local\"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1120
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\32098675419873205610. "%USERPROFILE%\Appdata\Roaming\"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\mpc.exe
        
        mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\32098675419873205610. "C:\Users\Admin\Appdata\Roaming\"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\75204139856203418759. "%USERPROFILE%\Appdata\Roaming"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\mpc.exe
        
        mpc\mpc.exe x -o+ -p8ay73yG6s6gHu8H mpc\75204139856203418759. "C:\Users\Admin\Appdata\Roaming"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM nvidia.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM nvidia.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM mmi.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM mmi.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM arm.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM arm.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM mnn.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM mnn.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM mme.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM mme.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM nnu.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM nnu.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM lss.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM lss.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM onn.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM onn.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill.exe /F /IM u-eng.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:512
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM u-eng.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""%USERPROFILE%\AppData\Roaming\Alexa\Virtual\hostcls.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI31922\2.exe.manifest

Filesize
1KB

MD5
9b0fe8fb247ad93ab778d86837fa5ae0

SHA1
096dd5d7c004847cb9affef4e07b6ba42c1ebc36

SHA256
9c4599860b0d88f9339ede6f3fa76d4358c30024890afe06e9aff117b2f80354

SHA512
ec6a2caa4be4c72d4b24f678c275373d0fe7122c186a994dfb581b88e28843cbd3c0da796d0d5faae3f357e83521d7a2d532cf1bfc3d7217b5067a73c548c070

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\_ctypes.pyd

Filesize
90KB

MD5
6daf8b55801a602f84d7d568a142459c

SHA1
57a80ca9621b282727d45caa5ae1c5e3c7e93f60

SHA256
66d0cb13569e9798b04c5d049cff25bd4c7c8e7ddd885b62f523d90a65d0ce88

SHA512
abb1c17aea3edb46c096ca3d8cbf74c9dccad36a7b83be8cf30697760ad49f3bd3a38dc4ff1f0b715ad7996c3a23ea1c855fffd62af01d15935abc73378dcc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\_hashlib.pyd

Filesize
1.1MB

MD5
55a29ec9721c509a5b20d1a037726cfa

SHA1
eaba230581d7b46f316d6603ea15c1e3c9740d04

SHA256
dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce

SHA512
e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\_socket.pyd

Filesize
45KB

MD5
3986998b3753483f8b28c721fef6f8e4

SHA1
2ef3c0fac94c85276721ee2980f49b1bafef597d

SHA256
cbc23d6c2e3e2950452c7d255da1452338301a4c9a0b09eba83287709d2a5000

SHA512
258e2805440b36e20702c1447597698ef18a5a7f890cfece55bd4f797073c87e7bde659db3e2474e9b998213d76e2c3d5221659c6827237e06b3b6f4b3643ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\_ssl.pyd

Filesize
1.4MB

MD5
9be53b53c1ec6b56663f45464edfcde9

SHA1
f8f5dd5640d594a2b53f5bbd12893c11cf4b7d55

SHA256
b572bf14ca3d3e5158b89314b6fe2129a753edaca1958e252784561f33f9ecda

SHA512
a52727b54a03246b74460a2741324b371ccaa083a4f3123fd1175a3061d3b6707ddbaaa73b3e39435cffd8d3018ee2dee8bad6c58a17faa55b6d05a3b38ee78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\bz2.pyd

Filesize
69KB

MD5
813c016e2898c6a2c1825b586de0ae61

SHA1
7113efcccb6ab047cdfdb65ba4241980c88196f4

SHA256
693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724

SHA512
dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\python27.dll

Filesize
2.5MB

MD5
9e9e57b47f4f840dddc938db54841d86

SHA1
1ed0be9c0dadcf602136c81097da6fda9e07dbbc

SHA256
608feafc63a0d1b38772e275c9e6d3b8a5b03efc0a27eb397107db0a6d079c50

SHA512
1a0dab38ebf4d995bcda3bdf0453c85d524cc1fff1c1b92160794d7c2f98f53088ba15c4b00b35d06e0be82a4bfa6d92cd4f09dec4ec98d615a82d5ffd5cb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\pythoncom27.dll

Filesize
388KB

MD5
bafe1a2db7031dd88803341887712cc5

SHA1
39daa19fc8c0b4301edb0c9fd3c3bc8abfea147f

SHA256
074f23f9710bbcf1447763829c0e3d16afa5502efc6f784077cf334f28ceffb7

SHA512
98395582c72e406254ade6a3b06cddecdce3b38a3a03aa9eb0bb6f81d6ac690beded7b88c4f2e5787d5aa062913080915e7e49198753cc851e8e4ef55432a9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\pywintypes27.dll

Filesize
108KB

MD5
c7d86a10bfcd65e49a109125d4ebc8d9

SHA1
5b571dc6a703a7235e8919f69c2a7a5005ccd876

SHA256
c4db872ff7d301186516882ea06422aee29e1c11b44a4d382addd5b801207818

SHA512
b7563b4d27713ec4308c24a0b15c02fb16e184b98bb73a4616792508f4ba57fe237186595b55e3fa476d6959388edd8678ea516ce620ee90c909a7b988d8b908

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\select.pyd

Filesize
10KB

MD5
e6ecff0d1588fed3a61edc1a1a5eb9bb

SHA1
2a3913a69dbdda8aefbe1f290753435979791a37

SHA256
345969d43b33717415bd5796d5a7b266592dc79a96543714828ff8fc1f249d18

SHA512
f59b356833840126f31f70ddb0e7f661db8528d82aa9450e299b81fe5adda35d44f3bceb52fb27e6843cf497211470f439a232c73245f8c606b31cb13322cd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\unicodedata.pyd

Filesize
671KB

MD5
a46e180e03ab5c2d802b8e6214067500

SHA1
5de5efbce2e6e81b6b954b843090b387b7ba927e

SHA256
689e5061cefda6223477a6a05906a500d59bd1b2a7458730b8d43c9d3b43bdba

SHA512
68bd7ae714fb4f117eb53a0fb968083772aaeaa6428ae8510e5c109361b140c98415a1955fca49db3e9e1b6ae19909e9c50110f499306476d01141c479c16335

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\win32api.pyd

Filesize
98KB

MD5
c8311157b239363a500513b04d1f6817

SHA1
791d08f71c39bb01536f5e442f07ac7a0416b8a7

SHA256
7de358652c1732caf72f968a664301e256aae281003ddcb0f5ecef4b13101009

SHA512
ab9dadd65c582f2b12af49448fa4f5a96da00abcc257722331ac7e9cad2e2770fdb7a0f2db32c113f2df33e6c84c8c0d594a36f1fb4f3a9ccdb8f3dc1ddfbdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\win32event.pyd

Filesize
18KB

MD5
9875cd79cfb4137ef4b97407141a407f

SHA1
499ef019c4d10d2f9c86b7e335d723bd35b96123

SHA256
a9e176df950ba410ac34c2e92bf09a6c046eb91c7ad002d6b5f7bef60f0a4161

SHA512
1fb0ba196a00ca6a0a1a6e57667f460c2b8ca00bc7ce6363e066f24840ec9208a40140ced60802cdb28f1b621f490c84c89f5089f5c2985a4f3fd494ddab590e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31922\win32process.pyd

Filesize
38KB

MD5
eecbe6cd7aacd87b6f26a4ae11023e63

SHA1
3871c36df783cddc66fc42f3bb1d3eb3b489f1f9

SHA256
2f11ed07c2bd9262072bc4e8b9c99e03a3d6ca4712acb6d4c87393fddab8f205

SHA512
ed284ec9198569c69115ac8ccbb8c873cea81813a5838059a02a2b7ddbeffabe459ec5d0351ee04e33fe8639a961ef4940bf395c1e740b50a2fd523c9d923ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\32098675419873205610

Filesize
8.9MB

MD5
248b3a49dc2e2ab98d5563a5387b98fa

SHA1
149c0f45691e073bd490d8887df563a9705610d0

SHA256
b67351d0519819b75d00dd54c74fb230c3956d9630efb7ba1c02815420616da0

SHA512
6a5d4bc380749e0c9345c71e4bd6f986882b7d88be994b205263be684934d0bcc186a1c32c386b5078d046a556b2566b84468e3de493a8a68cb854b14e76bea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\46197283504128096357

Filesize
4.6MB

MD5
f4a769e18abd35ac0ec0158b13f6213d

SHA1
1805623b5bdca68163dc4170d32ec719f5c9999a

SHA256
606ac53c58f8d5c33ca5c5612ef91e447875d0e7789050086229497c4c9151ed

SHA512
4a849dccb1559aaa048cdb76cc178b5b9045279f1e882967c6b5e552b7f564b26ff11eb25e0737504926fca918cbebc560338ec134d2b831b3f531bcaf64e9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\75204139856203418759

Filesize
10.1MB

MD5
d92d816d2b7ecfe217ea1a17e63f3701

SHA1
35beb46bd739cfad65e2cec5731a026b89195fa8

SHA256
a89b41469ad7fc446851e86c0a8282527448e7b7b2db5ab24cacd44fec83c982

SHA512
08c124004ef1e7fe5671b7a766688c5a5ad450fe508b155870aea3cab16df7c2802ccdf6f037cb456985fab7a5e0a1dc09da6cb07fd46484e930557c88a0c115

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckz_ZLD6\mpc\89570341267058239146

Filesize
15.0MB

MD5
97906a1ae8a648f8f1551ce3fcfb6d69

SHA1
77a2bdc3cb386741b8549fcf042d77cc188203c9

SHA256
d78636307925c76a3690c042ce17e928335693dc3b4454e5c0a14582b2565c05

SHA512
b67710f2c9575400f974a48cc621157dc0721a3547557ffdfafae60bd34ece96a64f35046759b8be300b13f93c648cc826b854225094ee5a643e4cdc2f794964

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpc.part01.rar

Filesize
25.0MB

MD5
1538ce1a54d2e8d02bf15f5ffd2c2964

SHA1
a72d0bda562eb0aa8168dc80b5cb7f664f0fa824

SHA256
1aac042399daa0d4aee787817f58a8e96c40cf00aa633e93ad02930862ea765c

SHA512
e5f4f5eb3ed4923afdad359e7e3dac440ca1a50c4da00458f5e67d7105e3b2dcfadf020d4725fbd35d0e37c227926e028332c9bc72fe221d82a665dcc6aaec90

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpc.part02.rar

Filesize
21.4MB

MD5
58f489859a0e2cf6e4c043bf9e1d1a3f

SHA1
65bd81fb41383727aa4c2b3a78e9d9be351572c1

SHA256
6351b96c252ed5741e608edff7663bda37e945f59171e7e4a6f0cd9b3c2c8045

SHA512
05c2701ffbcedc5bc392128d3462da7a1f063d3d7ce30ef6c0e6dc9fb6a6ae01819c0351de176cb144fb9931a33af715fd88fa7db748c11531762ac1f22433b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0x.exe

Filesize
584KB

MD5
a7742c996ffda7754142730220432485

SHA1
3401becb24617f98c18b9176d12220f4d7c945c9

SHA256
c915cdd250ff25970ba041a5dadfc93e8ae9629c6415b88a92718f1eae9e9666

SHA512
461935115a59acce074a686f3deadbbf02a92844a57f55e20a532c77aa788b116a930a2f6100758abd9bb3919ad15c18d498dceaee341cbcddb98bb3922c7faa

Download Submit
C:\Users\Admin\AppData\Roaming\Alexa\Virtual\microsoft.vc90.crt.manifest

Filesize
1KB

MD5
fedfdf2256720badeff9205e784b5dc8

SHA1
014f80bbb14d6f9ed5fcf0757bf2bef1a22b3b88

SHA256
6373fb8261af01506dc57dee535a0be800f3a59b18b0cc1e276807c746329ff6

SHA512
f327a925fc067d0cbf06de57db791906629509cee109cb3dbca2349901ef4e41fd8bf33b56f5faa647388f6266174960244e4f5cca260f218440d9a1cc4daa9b

Download Submit
C:\Users\Admin\AppData\Roaming\Alexa\Virtual\msvcm90.dll

Filesize
220KB

MD5
7200dca324f3d1ecd11b2b1250b2d6c7

SHA1
df3219cfbc6f6ee6ef025b320563a195be46d803

SHA256
636e12fea8c47ea528dba48827ac51a2e98b2ef0864854c9375b8170555c0a6e

SHA512
dac1154fc4e55f9e78c39fcd9fa28b1abe36d67d9c71660bd58990a1f3864acead7d1c7f55e390f3875b20685b447c3c494b3634f0dc4c7ef3b1e7a17115eb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Alexa\Virtual\msvcp90.dll

Filesize
556KB

MD5
db001faea818ae2e14a74e0adc530fc0

SHA1
7db49c1a611b38a4f494b1db23087c751faa3de1

SHA256
45cb405589c92bf74c47b7c90e299a5732a99403c51f301a5b60579caf3116e7

SHA512
90b8b52e797a43488d21ac9fc73c693b1337abf46801bd5957c2aeccba2a50550c54e6842d2cb26035b7f0c706c950c2f6ac99eb4ddd6e433b156bfdb2df62e1

Download Submit
C:\Users\Admin\AppData\Roaming\Alexa\Virtual\msvcr90.dll

Filesize
637KB

MD5
b3892e6da8e2c8ce4b0a9d3eb9a185e5

SHA1
e81c5908187d359eedb6304184e761efb38d6634

SHA256
ae163388201ef2f119e11265586e7da32c6e5b348e0cc32e3f72e21ebfd0843b

SHA512
22e01e25bf97a0169049755246773cfc26162af28248b27bf4b3daaf3e89a853738064a2b42c0fedb9bedcb3ddaf3ae957a960e2aab29784cba312ed9e1c9285

Download Submit
memory/3192-100-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4372-76-0x0000000020D20000-0x0000000020D3E000-memory.dmp

Filesize
120KB

Download
memory/4372-71-0x00000000001E0000-0x00000000001FC000-memory.dmp

Filesize
112KB

Download
memory/4372-101-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4372-81-0x0000000021310000-0x000000002137B000-memory.dmp

Filesize
428KB

Download
memory/4372-91-0x00000000233A0000-0x00000000233AD000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads