Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
31-08-2024 16:45
General
-
Target
51abf67011f60975d76946357ee94a48.exe
-
Size
1.8MB
-
MD5
51abf67011f60975d76946357ee94a48
-
SHA1
ca1761459e162628d9db5093f1935834ba36214d
-
SHA256
438fee0f31c00d0de0b13027e8ec9c47030556d3d8865e5518cac184edf6cd0a
-
SHA512
597210f441a0df09e537854f0f387109f1f1a780b948417890ec35c3868121f6eee5f9ff5cb48cd9523649e1689a337530de7325b659df3226d26cc32ffb402d
-
SSDEEP
49152:90+/6lnwtw5s/CIUFXottseV1jOBGpusqdZg/:4lnps3ttseu8pung
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
lumma
https://femininedspzmhu.shop/api
https://locatedblsoqp.shop/api
https://traineiwnqo.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects ZharkBot payload 1 IoCs
ZharkBot is a botnet written C++.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZharkBot
ZharkBot is a botnet written C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 9 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 23 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Indirect Command Execution 1 TTPs 6 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\51abf67011f60975d76946357ee94a48.exe"C:\Users\Admin\AppData\Local\Temp\51abf67011f60975d76946357ee94a48.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\xo3CoLO8Qs.exe"C:\Users\Admin\AppData\Roaming\xo3CoLO8Qs.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\6uVpXdk8bx.exe"C:\Users\Admin\AppData\Roaming\6uVpXdk8bx.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000129001\caesium-image-compressor.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\caesium-image-compressor.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe"C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\1000238002\Amadeus.exe"C:\Users\Admin\1000238002\Amadeus.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\7zSE70F.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\7zSE9A0.tmp\Install.exe.\Install.exe /kHdidM "385107" /S6⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force11⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"7⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bISIDNXXYteSJEZXLD" /SC once /ST 16:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSE9A0.tmp\Install.exe\" W7 /HoDcdidjYd 385107 /S" /V1 /F7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000267001\52i.exe"C:\Users\Admin\AppData\Local\Temp\1000267001\52i.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 4925⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5132 -ip 51321⤵
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Guid\TypeId.exeC:\Users\Admin\AppData\Roaming\Guid\TypeId.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indirect Command Execution
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
425KB
MD5ced97d60021d4a0bfa03ee14ec384c12
SHA17af327df2a2d1e0e09034c2bdf6a47f788cec4e4
SHA2569e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
SHA512af0a02daa759010a1edfc78f14c5fe321c10802d0b9df55b515fe501114af0835a05bbd5dd5e2167b4b1f39bb6da787343bf9141d5f811113f71749741b47811
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
Filesize
15KB
MD5d4a0fb6e604c880307f5121482258ce1
SHA1ef200488612ec7d2c6602e9142162cf211059f46
SHA2569ed5e6f75f4bf22b5f9ddcc625a2b720078de6ab4f50992973ea49c59c70188e
SHA512e62d93c0f9dff7a23d6e24654ffd8552adfc9e3dd2f7822be4527f47b193fc843e4f53c5615fd39ae411d40b95888bc33b360774e1518bd71dda1e171d9ab034
-
Filesize
314KB
MD56134586375c01f97f8777bae1bf5ed98
SHA14787fa996b75dbc54632cc321725ee62666868a1
SHA256414becb8aabd4e8c406e84df062bee1a45cffa334ae30022078cfa71da9e330d
SHA512652ed16d96b5700f105c2bab8e7258f167bc1615b6397be7340c08df7c977842844326e07fdef677aecfaf07263f99bb7968c9fc926e90e5a33d2ed793f8436b
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
6.5MB
MD5297fa8c27084d876f6699d121f9c06fa
SHA12ce4110ebd75d61111a7bc1674f9e2d95b48571e
SHA256ab42e51949918d17a582fb5a4c614c335616703f41ab8e71ad1ece652e33f521
SHA512d4319da7596224bc9a62ad3a27907fb57a36bef210916120e51cefc31aa5bacb2aba852c0e6a9188632377139704c92329e6d628789491976175a5d6dced02b6
-
Filesize
10.0MB
MD5304a5a222857d412cdd4effbb1ec170e
SHA134924c42524ca8e7fcc1fc604626d9c5f277dba2
SHA256d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6
SHA512208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f
-
Filesize
15B
MD5d5ed74dc7d1bea716c32ed5efaa8f625
SHA169b28bac3fdb3dd6cf7748af00fc433391e8aeb9
SHA2565458848903d44a7340933dd519e21a8305bd6f78bd9a98fb1e79c7395255b9f7
SHA51205d5d3feb3c27360f5f1e2fc4fc8ab8f98d1db1824f609f763d78c3b5d360335bd1a715fc27bef13ebe3c3b8323b601e99ccf7d1b404de25951849f9b436061d
-
Filesize
1KB
MD50bde7d4b3da67537eaf9188e6f8049cf
SHA164300fc482d01d38b40ab20e15960b6509665e5a
SHA2565dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807
SHA5122d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4
-
Filesize
9.2MB
MD5366eb232ccb1d3d063e8074f8c4b529f
SHA113e30ac58cfc74cb05edaf0074eb09927ab5a9fa
SHA25633d866c385c3d05981986f7e3d56eac4966821813d216670d37aa7af7c30d62c
SHA5120a9c2acbf9ef27345efeadda579fea582b3299f96078b9a2959bad5e87a0e7840949518fd905c82cb49b8ed604d93b404fdf85a11d71de1e1ba3dba9c0abab6f
-
Filesize
539KB
MD54d40ebb93aa34bf94d303c07c6a7e5e5
SHA19333bc5b3f78f0a3cca32e1f6a90af8064bf8a81
SHA256ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5
SHA5129cdce881809159ad07d99e9691c1457e7888aa96cf0ea93a19eea105b9db928f8f61c8de98c3b9179556b528fde4eb790d59e954db8a86799aecb38461741d3a
-
Filesize
7.2MB
MD514a56f81287d1e037fc6405247c31d20
SHA17648bc39a1d198bc115e5871466fd4478f70b175
SHA256a8b4bc268063265eba47d7325dbc3f118045c24478d740d3d69c245872ade20a
SHA512dbd0e1ef97b5c8dd2d2d78b823140863406046cc735a1ac62edef04fa7ab6f9d9644b62cba40637d404016accecb06aab6d3c56c7a27dae05978cf9da8c42d0e
-
Filesize
715KB
MD54d190c235680b3e4481e4d7685e9a118
SHA117c5654e4077f9e0dd8e17e92e36696bed55557a
SHA2564083f1ea732fd45abe2f648f824be39e3e511a59179fa7c8349d7f7f75e3d3b4
SHA512517807dd7345c926cfc2e58d883764368c723900871ab358949a09bb6b23dcaef1a8db8096ebb2df08112e6914f893cdcc0b5fa8b78bc70008390598353ba771
-
Filesize
319KB
MD50ec1f7cc17b6402cd2df150e0e5e92ca
SHA18405b9bf28accb6f1907fbe28d2536da4fba9fc9
SHA2564c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4
SHA5127caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861
-
Filesize
1.8MB
MD551abf67011f60975d76946357ee94a48
SHA1ca1761459e162628d9db5093f1935834ba36214d
SHA256438fee0f31c00d0de0b13027e8ec9c47030556d3d8865e5518cac184edf6cd0a
SHA512597210f441a0df09e537854f0f387109f1f1a780b948417890ec35c3868121f6eee5f9ff5cb48cd9523649e1689a337530de7325b659df3226d26cc32ffb402d
-
Filesize
81KB
MD5be6950a3cfa7f45fa39db5665f862583
SHA18999127e35eed5071fbfd95225b2917be15a3ac6
SHA256799431d8a9b28d7bef56198b934a56c818b2e8724f959af623b4793043a954c8
SHA51211216c980d450cfe2ef23301aee2d968e4ce9d8605482623b65951e32edf8352b5caadf64f43bb198e49643e40cf5bac4d3db23c744a1c6cfebe43bd5369b6ac
-
Filesize
6.4MB
MD5059a2ba5620f3f4b2316685ecfcd36bd
SHA146c0517fceeb7350c938ed699d8d8eafd6dc3280
SHA256f40e8231e63a2e2984bd119a3423c25de2807c2a1a1ae18fc07797d7160280e5
SHA5126a5c2e0418449175e6cb07f3ddcce15dac7477fb7b6b2857c807524f21a6b856e97dfb7209e0f69826321853899bc7bbda547ca7ec769d516e3394931c3cd346
-
Filesize
6.7MB
MD5523c9df50948340df2e82213b22c72b7
SHA19260e4afb910e4f0c98aad1bf8b9bc31f5d7467f
SHA25626f9eafb7869a2bfa9af2ede0363c2a41af6839c4263f6c107ab723de9dd2e37
SHA51228432c1fe74d0f74f3b2edce9cdb2a987e170cd19738384ca63be432108d17d636fc78fc4d55a84b36f7c19ea1999988cd488798064daef986784d6eb4e92c32
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
2KB
MD5a2476f01bf3bae508ff3a9785fa35523
SHA1ad5a83fb7c52232eefd6826623dc9a06dc77afbc
SHA256ef68e7777e7fc45f5e9e2ddbbb6eee1a68aac44c4ca7ff7a08dc78bd77edfe8b
SHA512ebc48f55f69f5276a4c337314d31ea045375a6f407013e6b219e7a761d3c7ad574225f4e6dfe4dcf04269d49e9516c887bc886be7e3009f644e27d1a3bb3d8d1
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
Filesize
2KB
MD55b28a99e346b15e18efd6ffaf964fffe
SHA137fe6cead5d3da7837a27cfcea09aadd712ce09a
SHA25608af6cdf7f718f41b10f4a6a3cf0adc2fd5386a6630694c8eeb52c92bb9ac368
SHA512636b21cb3d13de3462100cee70d704f96e5f223ec8e793dc4e8ca40f24cb5d90c3acafed63d11f5ebf4d7536d99017e7598475e7e8c82519622315d7dc72d676
-
Filesize
2KB
MD51a97a99a3330aeb139954a424954d22b
SHA1164701c702e5fc3b323f0042b37f953e06b32c06
SHA256beb31b9e738eeee834b1d5920f461b179cb21c136c97db08fae6cb13de25790a
SHA5121e01585de8c3dde88e87bcd444ccf430fa0734ec4bc2dfc2642b2da909ad0a38345ba4bf6e39ba151eeece4c1c3c159f6ebc5bbec31fbe27cc96c3bf331ccc7f
-
Filesize
1.1MB
-
Filesize
736KB
-
Filesize
336KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
344KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
10.1MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
520KB
-
Filesize
568KB
-
Filesize
448KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
328KB
-
Filesize
40KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
336KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
136KB
-
Filesize
2.3MB
-
Filesize
972KB
-
Filesize
2.3MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
328KB
-
Filesize
568KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
6.2MB
-
Filesize
136KB