Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
23-08-2024 09:19
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
phorphiex
http://185.215.113.66/
http://77.91.77.92/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv
rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw
bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
-
mutex
55a4er5wo
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Extracted
vidar
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
100 RND
91.92.243.191:5401
6871a79e-e4f7-4fb3-ae38-dc20c1d657a0
-
delay
1
-
install
true
-
install_file
hyperhostvc.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DeerStealer 2 IoCs
Detects DeerStealer malware - JaffaCakes118.
-
Detect Vidar Stealer 2 IoCs
-
Modifies security service 2 TTPs 3 IoCs
-
Phorphiex payload 3 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
-
VenomRAT 2 IoCs
Detects VenomRAT - JaffaCakes118.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs 18 IoCs
-
Async RAT payload 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Contacts a large (1621) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Drops startup file 4 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 21 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 60 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysmablsvr.exeC:\Windows\sysmablsvr.exe4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1112715124.exeC:\Users\Admin\AppData\Local\Temp\1112715124.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\t.exe"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysarddrvs.exeC:\Windows\sysarddrvs.exe4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop DoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop BITS6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\2386426348.exeC:\Users\Admin\AppData\Local\Temp\2386426348.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66b0ba4420669_main.exe"C:\Users\Admin\AppData\Local\Temp\Files\66b0ba4420669_main.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\JDHJKKFBAEGD" & exit5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\254974193.exeC:\Users\Admin\AppData\Local\Temp\254974193.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\307032253.exeC:\Users\Admin\AppData\Local\Temp\307032253.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\sysmysldrv.exeC:\Windows\sysmysldrv.exe5⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv7⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop DoSvc7⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop BITS7⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\171795968.exeC:\Users\Admin\AppData\Local\Temp\171795968.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\build2.exe"C:\Users\Admin\AppData\Local\Temp\Files\build2.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAVQBrAG8AZABiAGMAZABjAGwALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAVQBrAG8AZABiAGMAZABjAGwALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AdgBhAHUAcgBuAGgAcQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAHYAYQB1AHIAbgBoAHEALgBlAHgAZQA=4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\1.exe"C:\Users\Admin\AppData\Local\Temp\Files\1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\client.exe"C:\Users\Admin\AppData\Local\Temp\Files\client.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hyperhostvc" /tr '"C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "hyperhostvc" /tr '"C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB55.tmp.bat""4⤵
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\server.exe"C:\Users\Admin\AppData\Local\Temp\Files\server.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66bdeddcda135_SicGap.exe"C:\Users\Admin\AppData\Local\Temp\Files\66bdeddcda135_SicGap.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Video Video.cmd & Video.cmd & exit4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 196985⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "PoliticsProceedsLengthPowers" Russian5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Confidentiality + ..\Script + ..\Lodge + ..\Representations + ..\Garcia + ..\Advanced + ..\Attribute + ..\Richards + ..\Nokia + ..\Players + ..\Show + ..\Depends + ..\Blacks + ..\Crack + ..\Telecommunications + ..\Disappointed + ..\Generations + ..\Article + ..\Investments + ..\Ap + ..\Roy + ..\Forced + ..\Virgin + ..\Jackie + ..\Hub + ..\Fighters + ..\Polyester + ..\Collector x5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\19698\Infected.pifInfected.pif x5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Fi + ..\Malta + ..\Comprehensive + ..\Storm + ..\Resumes + ..\Addressed + ..\Cw + ..\Flame + ..\Order + ..\Roman + ..\Helen + ..\Elizabeth + ..\Si Y5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\19698\Infected.pifInfected.pif Y5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66bcade4d5106_absync.exe"C:\Users\Admin\AppData\Local\Temp\Files\66bcade4d5106_absync.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Programs\PDF Assist Manager\pdfconv.exe"C:\Users\Admin\AppData\Local\Programs\PDF Assist Manager\pdfconv.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Conventions" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoStream Technologies\EchoSync.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Conventions" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoStream Technologies\EchoSync.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & echo URL="C:\Users\Admin\AppData\Local\EchoStream Technologies\EchoSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "False" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoStream Technologies1\EchoSync.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "False" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EchoStream Technologies1\EchoSync.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync11.url" & echo URL="C:\Users\Admin\AppData\Local\EchoStream Technologies11\EchoSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync11.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\19698\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\19698\RegAsm.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\19698\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\19698\RegAsm.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\19698\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\19698\RegAsm.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
92KB
MD5be9388b42333b3d4e163b0ace699897b
SHA14e1109772eb9cb59c557380822166fe1664403bd
SHA256d281e0a0f1e1073f2d290a7eb1f77bed4c210dbf83a0f4f4e22073f50faa843f
SHA5125f887f1060b898c9a88745cde7cf509fdf42947ab8e5948b46c2df659468dc245b24d089bdbec0b314c40b83934698bf4b6feb8954e32810ff8f522aab0af19a
-
Filesize
18KB
MD5de669d6cdfb89fb36ecc1ad2bfa97dc8
SHA1a27525edc81b796339bd8508c4007923776d1ff4
SHA256699dd570b3a8c431659217c818f69e0d148c286c5d961954017e88aa572131cf
SHA512bd9947eb8d48425ace712f874de3af0ecef300920395cb551e66e09e14d1a35421082db470c6fb118606ecda87dd928f1ba2315e8444388f305d2798fa7f4140
-
Filesize
18KB
MD5d2c3311edec1cc6584c12a53d90cf149
SHA1c4daddbe2cb1fdb798ac4382a871d34bf83b464f
SHA25613e5332b121b3cf7a52a0fcfde8f88245a24f9cfed88b06f11d96d48185129f7
SHA51218c8af9187375f850e9cb6b080844c657b7daaa0772c89fd0bd840b3026f43c018716392a465975a85644cd4c22f29f2caac14c37d1e540ac340b69fa956cd43
-
Filesize
19KB
MD5dce86bff5ca04db752b19245e111a636
SHA1f1e3a56d5be946483b5eac047540a37d6af60f03
SHA2561467e4763d7a4b66d33c01714e7ed6192c8518688a72f91bf37a51ef35095a6d
SHA512448bd6926688f32afef0d759dcdbe10915736e51f0b4b3059d402e58d677b4ed915460809a91680bd2eb640fc830dfaeda02484157a94f1d8ce2447e3a795ef8
-
Filesize
80KB
MD50b3b9466263183acb22ae949f058f45d
SHA143f2c8c13732c5b5eba7b176e11ef46480ca493c
SHA256e383e05d1356509bba9be9e8aabd26811d9448fb5902d165f6574f224f295243
SHA512e9d5195c39e9bce25a962ef57013d8b5445bf7940dafcca8e766259ecace2e718d8cf7e76222ad0ad82ae24585aa76838a36ac7b96c27370fdd359746f62e9ae
-
Filesize
80KB
MD52763df527eee507e23343b99e78bacb1
SHA1d7e040807e7eb25f5d22cc614c9a8d583fb78aac
SHA2560543ba53d581720c51ffea3aa26bcd294aa6f6fbd82a72db4532ed2b28477b91
SHA5122c8e6f4dc867843c8f7e97c2a20018a4f2058ac2d73281defe1187df47b14701b7e1a2fef74251d46281897b4c69f48d3ce771648de0a5ff8f30430bf1948a3f
-
Filesize
54KB
MD5b1ad367ceeeb9590e4607b1cc3d6cf2e
SHA1c2792ab9a287cf7929b92b99681cf2ede15b5255
SHA256aa586cc19d653a3e8462f1214721fe7beb0bd620ee6ea78233c75c9cb1096235
SHA5121ed561f067f643edc286db74a8a5c9e19e53ca7576ffd00f1547599fde771b32c1594537987a9ee889099e20114c3878d7a7a0a8d1e290148e8662f19a1335c4
-
Filesize
64KB
MD5c183a4ee3a35d7a73a7e23259fb57986
SHA175d334528d67252f2c8e759812d4d10d470e65a5
SHA25681b5c5db3a51c18878b31a638ed467b260f699e9a4a12bc73a8454cffbf5bea0
SHA512d65c8abed561baa3580afbad8b18fac600b693babc5bac1805b5939f19865553c35640c1f9fb261c47a46fc27b0ee8af4bc4db8ab0c8f4191765ebe82382198e
-
Filesize
3.9MB
MD5fee265f64791e63acdcd3e04acdc93b9
SHA1ce95f3b23180323579c9b7cdcc50fc16fceabcdf
SHA25613368bfeba0fbf3160dbbb1155b1439b7fcdb0fb59baef1cc93207821e63465f
SHA5125873c1d1c1b7362a5ce24cad8acb882baf4c8431617944db70224e9f8a9e1ce09256c37e39f80d31c4ab50ea6a9bd22e60b08823c943f7e73dc3c21c3f82b9ba
-
Filesize
3.5MB
MD59aa5a0472a382d0ff57b3113643c802f
SHA1e7adef2c4f8ac9b2387e8e2903d3d3dfe4741ae8
SHA256bb4e19bc0d9f15e8f1587ee4fef79e8c77acf884313832daed26ca162d7e1842
SHA512c1357a25f9dbdf2ee22a530f2370c5ac9278c8d4927da6bf24377018b24af29cd22fdbfff2b049cc8822e5ccd6bf76c5812d63bad9a15fc1bdb5dca3b51349bb
-
Filesize
1.0MB
MD525ed0fce4a9df59b3ed88853db8206f3
SHA14382f0adb2a94e8a4eccd6aa2d222842000b7895
SHA256c5b32f1cdc2a48f1dd2b1623598c24a2635dc57fdab3b4328f1cb3b66f5079ba
SHA5125a329229506e3f9feaefbe477699cc4b8510f949f4b1df0bf5b66ac892404a94fa5effef3d9acbdfa90bb6e494e5799fa721e14a29ec4e0f1e7b97719397939f
-
Filesize
2.6MB
MD5410e91a252ffe557a41e66a174cd6dcb
SHA154b311d2c9909ac9f03d26b30db6c94dadde4cdb
SHA25667ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202
SHA51298b7547a8f41a92899ef018125df551bdd085ac2444a4542ee9fc1e44388de6824c5b41600ba8b73feb97dd882da0c5a9844ef73509565a3be3a2dc00c10f06d
-
Filesize
74KB
MD54fb681131f7ac7824c4f0afd337986d9
SHA1c746978c6c091d94f2bbd17b1ad5954c4306bece
SHA256cc38fb3ee3227606258b1b9ccba885393d6ed4a54a51aefef30a669cdc171e80
SHA512b5c2c3f6b5fe4845c0462059d9177b0cf56a36fe528745a9ea7f27120fdf2184b44be4dc5195d9e0d98a5a5987b8bc212707b3b4cc5ada9203db61f9859f3868
-
Filesize
9KB
MD58d8e6c7952a9dc7c0c73911c4dbc5518
SHA19098da03b33b2c822065b49d5220359c275d5e94
SHA256feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278
SHA51291a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645
-
Filesize
2.6MB
MD5bf9acb6e48b25a64d9061b86260ca0b6
SHA1933ee238ef2b9cd33fab812964b63da02283ae40
SHA25602a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0
SHA512ac17e6d73922121c1f7c037d1fc30e1367072fdf7d95af344e713274825a03fc90107e024e06fccda21675ee82a2bccad0ae117e55e2b9294d1a0c5056a2031d
-
Filesize
79KB
MD5e2e3268f813a0c5128ff8347cbaa58c8
SHA14952cbfbdec300c048808d79ee431972b8a7ba84
SHA256d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3
SHA512cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc
-
Filesize
88KB
MD5ababca6d12d96e8dd2f1d7114b406fae
SHA1dcd9798e83ec688aacb3de8911492a232cb41a32
SHA256a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba
SHA512b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f
-
Filesize
6KB
MD5cfb7fbf1d4b077a0e74ed6e9aab650a8
SHA1a91cfbcc9e67e8f4891dde04e7d003fc63b7d977
SHA256d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0
SHA512b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785
-
Filesize
92KB
MD5480f0a33415fccd35749733956331fd2
SHA11a228afa08f255256d470975d6cf04ec30bed3e3
SHA256618fa849b1307d1c365e6c1548c00a10cacaab3d13b88ba686a4e164627a9c54
SHA5125ea75b0d7f75da3b18b2275a7c0948b379898ecedbec8d4deee4491c24ada6bbe4774567ab31d2f187c2e81c32c6e516f0c807951f60e75681bcda2cd0615d49
-
Filesize
872KB
MD5dd3e52220464f9170dd078bf1806432a
SHA1532e6a06e50d52b27faf5547fc674bbb9567c77b
SHA256793ded66170394af89a8ef7dfa900ff5ae6ef04d1f2796e07f4ef53c2bd3e9fa
SHA512c52a70d3b14209419694fe60d5acb595da2b09d20916cd80c376493a9d6e5fc71605d76abbb5489d107959d1ccf5ccab9f2b7b16e166edfd1d9a0b955044e795
-
Filesize
57KB
MD597d9879f54c5009bb05c65fc040bc48c
SHA130a19d06e3c95c8ace858d6c4db7606f3087f969
SHA25662de3bc63c9b80265fa7d41d0228ca27f7b5f0bbe059aa0b1610f34a371b762a
SHA5126906ba5af7e8e91ff3cbcac8d2de15e8f513c1867b428cb4a39b14ec9df16e16276c9e3de8e98c7082e54f8e4b463dc50cee63e8d49c0d4918d4af46c3d2fe68
-
Filesize
62KB
MD5c8c14c35234f20179003685c0207c8ab
SHA1fde19a2389fb1ef2e9be6544feb758138fb9718b
SHA2562169ccd7bba7e7a169d2f9fcd6f55dbe2b63f578af69d142d445686f07665853
SHA5128a9df452282b011a968da6ba406d03df8fb584261d0b4b9ddc22aee486b91716b40a66b39f82d81584c432f7bdba0410442e25282378eace98b9c1bef4feb6c9
-
Filesize
71KB
MD586f299b678ef06d6a291886566a9af15
SHA11921ffc0feafc400be4d220e7552f9819ca03617
SHA256bf62e33c3c7e2c077147eda4a1184739f62589641330fc520688588ce9d14db4
SHA5128682e92a574b611ff6230fb0a754ae4d2d58701b0d708f475a872ffbc304fd0d219e67da465a55e7bdcf3afcf94b6d51e9dd953331d124f7c6cfd5062391a7a3
-
Filesize
98KB
MD5cf676927ffb2b4d27fe35ffb095a27a8
SHA1b2630f67a6a132a18376ac0b23e8e07de9b678ab
SHA25668438e46e505eda705fa2bb3293e98e63ffb23c7dbeb9ef4856be8c5d40152cc
SHA51290f6eaf589dec69e12dd373ec4ca164e29d726860c34831fa8ed3cdbf2a81a795e6aab91b16654464fe7fa696333c2e45068520d6faf08da9fcf9b756d38b81f
-
Filesize
73KB
MD54e3b569a628317972b3e86cec6f20c94
SHA1bd5cda27a0eff2b1a0ab86d675033cad7de5a841
SHA25634aeded461a6692a68f9f19629c5192d47a3f6bcacbd8590505a7f7048856d5f
SHA512b998fcf46ddf5782a7e070143f8c5e6540cd56096a0ed949a10dc9beb8e7fc6a2dee734bd84eb3efd4622b161e040696bc5bbc5a5f49b934bc20197957912d31
-
Filesize
698B
MD5bd895d878e7f7f113791d05f750bcc98
SHA1766fc61e2cdc1d9b19048bc6bfbbc9130a6b57a9
SHA2560f19ece05fa078cea91ea0b18da103733ad72d46fdedbca98bea8dfde49f5f4a
SHA512eaaf312d92a9d0e72c0c93f758af3e6462dbcbb30c2d02b68917d0b390b9e96bd6a4ebb9a5ea46df06591a3bddf777f5478a3d540e878048c063920cb0b0732a
-
Filesize
91KB
MD52f030998e0667ae2aa67464c5e6641ac
SHA1b45d5102a71ef5d8eb0dea63366981b0603eaeb4
SHA25637d123e108c814c26b349b3695e1c22c9f06928c839c35cbaa7a9a9e95b78ed0
SHA512b0905c6b269f5abfdcee23279fb1433b26dc0790b1d65e5956e9b1bade06a6850e0f85883414e3f26d870d0bab816671fcde42f3e032e02fb4610792e8707cda
-
Filesize
76KB
MD5f510d7ea6ebf3a71640b85ed41d835b7
SHA11e5335f181391bd3e682a650ca96c3409254777a
SHA2565f7a9967c6d5bb90a8ec5de86958f7643388311490ce6959363b7f66c136c7e2
SHA512047f5cb6e6616ab99247b2ecfa45a40805bbdd2fae6e7c27c1835b70bd0c219fc0a8c4fedb940e85ff36f0c8d512e186a5abc09b8465397b4ddd4211d4f3e002
-
Filesize
23KB
MD578fcea1b0441d3174c9b2c8d64ee362a
SHA181421582fd70a1119f627961579e6e5932278a9b
SHA2561a8df61c9e751500c916bb0e53360b4643fba243c9cafbc82a9ac0ff6bddb58c
SHA51220d045f53d375ee88e2843e172eac0c1bcbe5fd7cb4776dcf60e43073e422f99fedc311bdd0683e9a266df58ba4c55878775d8b36741c77978d3a35ce12e2b6e
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
154B
MD55a800cdcc91285dcb3ef7549985343fa
SHA1a70d17616fdc54c540a7ab7728f00c58da418948
SHA256b700b16cc032b1da87e02e0c84e8132315fc1ae0f97578611c475f6f97053b67
SHA5124f28d11ce9a435b63070b40b04c18fdb1f0b10f976f084093dbe258877348914bcee0cf18aa0105943a982dae2cadd671558e373f74f5d6818a5afa4a788b300
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
300KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
592KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
204KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
660KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
532KB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
880KB
-
Filesize
336KB
-
Filesize
1.1MB
-
Filesize
5.0MB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
352KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
984KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
3.9MB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
112KB
-
Filesize
1.1MB
-
Filesize
96KB
-
Filesize
864KB
-
Filesize
1.1MB
-
Filesize
632KB
-
Filesize
328KB
-
Filesize
736KB