Analysis
-
max time kernel
1797s -
max time network
1801s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
21-08-2024 19:34
General
-
Target
$PLUGINSDIR/LangDLL.dll
-
Size
5KB
-
MD5
4cdaaf5da900a8eaed090cd22b8f8781
-
SHA1
6c7d9cfd96e66d236b66b8d50d65083a0dbb1b11
-
SHA256
09477d605677bea48019b896f068ce6c2e89004e5c5f0a86c0276db30c6515a6
-
SHA512
3797d59aeb908dcd66c63eca76cb2064416d3b66033dc687bc7a9c50e2979c42ac94773f54bc8ec45a9cd69c8056b83a2bca6efcd703f71a4b5f67e166f1e06d
-
SSDEEP
48:iV6HAvq8WeMPUptuM4Z+0x/ImnycNSCwVYOY4vnpXTHhHX/JvR0J/of5d2:2yplJ5ZbnycNSCwVYTwFB3ZR0Qd2
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 5 IoCs
-
NTFS ADS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 4563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 31601⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb016e3cb8,0x7ffb016e3cc8,0x7ffb016e3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5452 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7128 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,11898487680789008303,3059094964917374586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\000.exe"C:\Users\Admin\Downloads\000.exe"2⤵
- Executes dropped EXE
- Modifies WinLogon
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'4⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'4⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59828ffacf3deee7f4c1300366ec22fab
SHA19aff54b57502b0fc2be1b0b4b3380256fb785602
SHA256a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
SHA5122e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d
-
Filesize
152B
MD56fdbe80e9fe20761b59e8f32398f4b14
SHA1049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
SHA256b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
SHA512cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234
-
Filesize
3KB
MD50156498f39a4c68e0bd3969183a66c8f
SHA18e86edb4f2b8bd88590c2d57385e76654e73e7c0
SHA256299c4f5224c364cbd33ea4c4e09400fdfafc050b499155a88386a54ef35ad2d2
SHA512c55b583fbaaf0d4ce5a498caa7eb1a568bdd557613c8812c33cd07004309ebb699d4dc9f939e9b16858554144e8907d547ec7c75534ecec9fbdb6627c08885c2
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD575953a25311308ccd4cae8f9b9c800a1
SHA130b0f0d69703292ed20b79789a09d5ce85a73366
SHA256a644d0db9907a7dcb6507ea8c586678d3822e4b18ba5593bb97a53fe7c33c778
SHA512945802f16bb97ce56767f0238bef8804ecde1a966ba1d5c035aef67ddf29999503c4f2bb5560f298051eb872d70e31c57d25cf9c1370684c3231e40008bf1b4b
-
Filesize
5KB
MD5e3d6e9b04d6a88b91910a911f5251a3c
SHA17655b516c54099b6d3cc6c3fac7adbe72a2385a9
SHA256d4ae35445c28647296b6bfa28850a5643223e95b2b4ca975bbee414700be4228
SHA512857cf31929dfca1aca3e08715f999d0265fe711a211e22fa5528a441224a05e5186c790fbcb975d2ac0b3e7f130da456b9a737472f78f7600fd3ebbec52ba61a
-
Filesize
6KB
MD501055c79f60bf820d7ecdf542d561d20
SHA11f8c030adcccd0f8224227184a15632b7ed4d5e5
SHA256ce1cbfc54068fc73819f722ab9a71e2b5ef5624b69334fe25016b4559adf6aa3
SHA5124dce2ce2d4747453aea6c2e2cfbe11303945527ddaec1e61bdaa3b6c229e6457182cda1c0206547604940c2b10b3776e3982c26d342d100ed15907f483fa96c6
-
Filesize
6KB
MD5156d301119efd04e266e3b892f9c3cca
SHA114f1ef73951087a34bd78a69b4e5b0cf08470bb5
SHA256e5100d9e3298163847692598b043131afc0ef55e75831fb8d94245cd748a7be6
SHA5120e21b4dc8ecc2cd37de2eea4a214a315b96ad436cd897d55555b684b86b2fcd3c810f90052bda47ce8deae65d795171b4d081fb0ea12b5ae80efdd98aa333746
-
Filesize
1KB
MD5254d4050d40b8a2aee14589f2d3782d2
SHA1267ba42cde87d23ae7f2890022fbffe6be1271f8
SHA256c465fa869630a2faa3886c44b2ca48e5ddfdbf1fcb132a4b543e48076d6a3956
SHA512f6d47b0ff9e2241a8386e706ba51cff3fdea9bafbf7c58fbabfaca408ff6f6499cf2f0ca572bf23f71b0ebbbb5fbb16078688e0c8b481bfbdeb09e49bce06a5b
-
Filesize
1KB
MD52f21ff37c54c279d8d95fdca9976bc16
SHA1c0b102df8a9326fb1e1e771fab3d693a0fc61a2d
SHA2567f239c7b6a1212b38ebabea9762d1da159cb4d41a7d88a0555d702740d628e01
SHA51225fa31a467649aecf1718a9795e17a93d18b31588c14e70b62e4723f18e2aa9f14aa3ebdcfcd0723fb625ee38762b08d08d95ab6e0a2b4894d68684b9698c444
-
Filesize
1KB
MD55b9f3066efe013d94cc37091d884ebd9
SHA125b9208354b2c63c8556bd3d4d12daa6d9ee1cf8
SHA256516484bf415180cb070d1d7f0e04b23929c8f36a0c658e96587ca85ba903cfde
SHA512e6732f8784ced40c264fef08f5bbdfe6d5e6fa5601cee14ed69fcdc15413ad3b6ca945df98aceabf04fd673037139cce50b88bfae55d9e84f5b9d95df881535e
-
Filesize
1KB
MD58bf5feb6cdccd1d305aa138bae933b83
SHA1866ef4b023df972be97b23d92feb3126c4b668f7
SHA2565ac6d7aab11d5d5a75fa35a9a73f3720973fe90dce13955ed1ad1e8cf3f38273
SHA512c28c0f6eab5b0b923ec67b33e230503033f5b7683f1be0c6d3396b7713c8e1fd19aeb4c7f31f78b4f8006232c72421f0ec02cf3140feee6870e518ba07b7d9a6
-
Filesize
1KB
MD547969ed4c41e8b8a55e7140f9300a315
SHA1f697b2839e05ea1f3bd1691293cbc3b9828a38c2
SHA25655193cf47e81b675af1e0171b803a4721af75ccaa293c019d22bd22f90750316
SHA512f3cd74f3f08e6bbc1cdc12f7b59937b6a6d7e6971911afdf76f72279cda95439cd5000ee2ab3f51771f70151f20761ed4f0def9e8093082e3d24cd46a910913a
-
Filesize
1KB
MD54b2a4de4b11777502759439ecb0c26b7
SHA19413866a46a573183951b60d387e2fd4c5930c5f
SHA256607ade20cb30b6bb356b1ffed2fd54291b38d9ce6e971241cf332510c9df61fb
SHA512bab4d82208a636e85968a8570b52711e0c380a0bf69ceafab74d3cc59e1a47820343bbd51e0b8ae9b3d119f15a194a35a8e93e48c02d851b6c92fa8dcbff9234
-
Filesize
1KB
MD5a61c1a564ba849f5634f63243a9f567c
SHA1133f29957587bd7407b55cca43b39b25c7eaf3f9
SHA256557380c81a877edd37cd7138fb36a820dcb64f291bc0f274dd7577c967c0d8ac
SHA512e4a56af3026b708da22fb86e4fa7c6878a818cb8fd1bee3a1f533008333d1ea9f062cbe644ae69a666f10b2ba46cf530ada54795139e6b5f11b82dfdf1fb83bb
-
Filesize
1KB
MD5443996cfa7571ffafc9ccaa246726258
SHA1110d46bae77599421c8a8e675b44f261698d177c
SHA256a45adb6f6d3f97c96eac98fa6cb12e4ce18a523fcc03909053e169760293daf7
SHA512234de4b0ccbab0d019e58163d37e7452b1c9067a86110489ec48dcd038fcc2a2d3f4791a244325881b788f7492d4585c975f648489a40bf27d5dc639a6a1e9f4
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5a712a62829066f5ce27195ef632afe1c
SHA1458b8bf84e1b082abefc23e22fe8256471247cf4
SHA256d095a9694071eff08cf210fde925511b5588ade84e77bb1adda1ecbb0a87b213
SHA5126538384129481ff33a2b9627d60695bb20a0c050ae8464cbab4b79320de8a3af77e3523e99257bef8af28b286de701716e9e8689f57ea2e8a75f88d4dfd25815
-
Filesize
11KB
MD515135ec6da7daffcb85736d3cd22a6db
SHA1279fd6999afcf922861fedef66b86e4beef215bc
SHA2569d6bdf39df9b7fa6760f5014444dbdedea954b97234d5be4e3434fd08eabc59f
SHA5129ffdf99f7e81fab147996ccd90a0e6c2497b10c2d32963d6557685bf937a14e15accb2eb6114e7780ecfa06a6db194e831f0c016139f86416839f60a3c3c6525
-
Filesize
512KB
MD5da11217037a2fab069632fb0f783136b
SHA12034126232fb39ac9d2d733c4ad6aba9231f9830
SHA256f8d2b0462aa6bcbf2e082b23b32781a9556bd23f5ea227c6f71179da2ff6c912
SHA512eab441f7211f246063944658cbe64815fa04c68b56535e0c0e27ab5ef8949a4d6a8cc11d627e115f2cc4ec43915a0b67205bcca007e5c9828235d822dc2f7d37
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
403B
MD56fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
Filesize
76KB
MD59232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
Filesize
771B
MD5a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
6.7MB
MD5f2b7074e1543720a9a98fda660e02688
SHA11029492c1a12789d8af78d54adcb921e24b9e5ca
SHA2564ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA51273f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
3KB
MD56f5767ec5a9cc6f7d195dde3c3939120
SHA14605a2d0aae8fa5ec0b72973bea928762cc6d002
SHA25659fe169797953f2046b283235fe80158ebf02ba586eabfea306402fba8473dae
SHA512c0fbba6ecaef82d04157c5fcf458817bf11ce29cdaf3af6cac56724efcf4305565c6e665cdcf2106c675ba0574c60606be81d9baafe804fc7d2d3a50fed0baf6
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
5.6MB
-
Filesize
6.7MB
-
Filesize
64KB