Analysis
-
max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
09-09-2024 07:29
Static task
static1
Behavioral task
behavioral1
Sample
broadcom5.exe
Resource
win7-20240903-en
General
-
Target
broadcom5.exe
-
Size
13.2MB
-
MD5
de5df8536b7d4d9c45fc2e9c6639f24e
-
SHA1
5394559d6e470025d886678f4d625a3d01f55d64
-
SHA256
7382e6823dc5b6f0ae9b4a67f30a6fe8dc400dfa95278ec647d06e6550ada24e
-
SHA512
b14c108ac482d54ee000b729170a765f4506ebeb1e7ebbfd7c4367e93cb1b46da642096d8191f1cea13e16b05c124fd7bdaea9323cb53c9a7b5d92629ed7ccad
-
SSDEEP
393216:7DfYtlZKIfz5Nk7uSff1yosdxz60CptWbN/33YFEr:7D2lnkaSnCd00Cps/fr
Malware Config
Extracted
cryptbot
analforeverlovyu.top
thirtv13sb.top
-
url_path
/v1/upload.php
Extracted
lumma
https://preachstrwnwjw.shop/api
https://complainnykso.shop/api
https://basedsymsotp.shop/api
https://charistmatwio.shop/api
https://grassemenwji.shop/api
https://ignoracndwko.shop/api
https://stitchmiscpaew.shop/api
https://commisionipwn.shop/api
https://tenntysjuxmz.shop/api
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
pid   process
2740  powershell.exe
1048  powershell.exe
4924  powershell.exe
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation
process (9 entries): cscript.exe, cscript.exe, cscript.exe, cscript.exe, broadcom5.exe, WScript.exe, build_5.exe, cscript.exe, cscript.exe
Executes dropped EXE 5 IoCs
Processes:
pid   process
2020  build_5.exe
2412  build_5.exe
4892  Channel5.exe
732   File1.exe
452   Windows.exe
Loads dropped DLL 18 IoCs
Processes:
pid   process
2412  build_5.exe  (18 entries, all from PID 2412)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
49    api64.ipify.org
50    api64.ipify.org
51    ipinfo.io
52    ipinfo.io
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                                pid   process       target process
PID 4892 set thread context of 3936        4892  Channel5.exe  RegAsm.exe
PID 732 set thread context of 4272         732   File1.exe     RegAsm.exe
Detects Pyinstaller 1 IoCs
Processes:
resource                                                  yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe    pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process (42 entries): build_5.exe, RegAsm.exe, powershell.exe, cmd.exe, build_5.exe, cscript.exe, cmd.exe, WScript.exe, Channel5.exe, cmd.exe, taskkill.exe, cmd.exe, cmd.exe, cmd.exe, cscript.exe, cmd.exe, cscript.exe, cmd.exe, cmd.exe, cmd.exe, taskkill.exe, taskkill.exe, cscript.exe, File1.exe, cmd.exe, cscript.exe, cmd.exe, taskkill.exe, broadcom5.exe, cmd.exe, RegAsm.exe, cmd.exe, taskkill.exe, Windows.exe, cmd.exe, cscript.exe, powershell.exe, taskkill.exe, powershell.exe, cmd.exe, cmd.exe, cmd.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                          process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0               Windows.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Windows.exe
Kills process with taskkill 6 IoCs
Processes:
pid   process
4620  taskkill.exe
1624  taskkill.exe
4264  taskkill.exe
4328  taskkill.exe
3696  taskkill.exe
4264  taskkill.exe
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings  broadcom5.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
1048  powershell.exe
1048  powershell.exe
4924  powershell.exe
4924  powershell.exe
2740  powershell.exe
2740  powershell.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   4620  taskkill.exe
Token: SeDebugPrivilege   1624  taskkill.exe
Token: SeDebugPrivilege   1048  powershell.exe
Token: SeDebugPrivilege   4924  powershell.exe
Token: SeDebugPrivilege   4264  taskkill.exe
Token: SeDebugPrivilege   2740  powershell.exe
Token: SeDebugPrivilege   4328  taskkill.exe
Token: SeDebugPrivilege   3696  taskkill.exe
Token: SeDebugPrivilege   4264  taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        pid   process          target process   entries
PID 640 wrote to memory of 4992    640   broadcom5.exe    WScript.exe      x3
PID 4992 wrote to memory of 2020   4992  WScript.exe      build_5.exe      x3
PID 2020 wrote to memory of 2412   2020  build_5.exe      build_5.exe      x3
PID 2412 wrote to memory of 2640   2412  build_5.exe      cmd.exe          x3
PID 2640 wrote to memory of 1880   2640  cmd.exe          cscript.exe      x3
PID 1880 wrote to memory of 1192   1880  cscript.exe      cmd.exe          x3
PID 2412 wrote to memory of 3096   2412  build_5.exe      cmd.exe          x3
PID 1192 wrote to memory of 4620   1192  cmd.exe          taskkill.exe     x3
PID 2412 wrote to memory of 1048   2412  build_5.exe      powershell.exe   x3
PID 2412 wrote to memory of 1428   2412  build_5.exe      cmd.exe          x3
PID 1428 wrote to memory of 3932   1428  cmd.exe          cscript.exe      x3
PID 3932 wrote to memory of 1640   3932  cscript.exe      cmd.exe          x3
PID 2412 wrote to memory of 2392   2412  build_5.exe      cmd.exe          x3
PID 1640 wrote to memory of 1624   1640  cmd.exe          taskkill.exe     x3
PID 1048 wrote to memory of 4892   1048  powershell.exe   Channel5.exe     x3
PID 4892 wrote to memory of 3936   4892  Channel5.exe     RegAsm.exe       x10
PID 2412 wrote to memory of 4924   2412  build_5.exe      powershell.exe   x3
PID 2412 wrote to memory of 4380   2412  build_5.exe      cmd.exe          x3
PID 4380 wrote to memory of 372    4380  cmd.exe          cscript.exe      x3
(64 entries in total)
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\broadcom5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\broadcom5.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 640

Process (depth 2): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4992

Process (depth 3): C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2020

Process (depth 4): C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2412
Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2640

Process (depth 6): C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe C:\Users\Public\make.vbs
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1880

Process (depth 7): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\Channel5.exe /F /t
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1192

Process (depth 8): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM C:\Users\Public\Channel5.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 4620

Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 3096

Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\Channel5.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1048

Process (depth 6): C:\Users\Public\Channel5.exe
Command line: "C:\Users\Public\Channel5.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4892

Process (depth 7): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
PID: 3936
Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1428

Process (depth 6): C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe C:\Users\Public\make.vbs
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3932

Process (depth 7): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\File1.exe /F /t
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1640

Process (depth 8): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM C:\Users\Public\File1.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1624

Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 2392

Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\File1.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4924

Process (depth 6): C:\Users\Public\File1.exe
Command line: "C:\Users\Public\File1.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 732

Process (depth 7): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
PID: 4272
Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4380

Process (depth 6): C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe C:\Users\Public\make.vbs
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 372

Process (depth 7): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\Windows.exe /F /t
- System Location Discovery: System Language Discovery
PID: 3420

Process (depth 8): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM C:\Users\Public\Windows.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 4264

Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 4416

Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "saps C:\Users\Public\Windows.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2740

Process (depth 6): C:\Users\Public\Windows.exe
Command line: "C:\Users\Public\Windows.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID: 452
Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 4584

Process (depth 6): C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe C:\Users\Public\make.vbs
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 3340

Process (depth 7): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\xarirogemi.exe /F /t
- System Location Discovery: System Language Discovery
PID: 4084

Process (depth 8): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM C:\Users\Public\xarirogemi.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 4328

Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 4060
Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 3112

Process (depth 6): C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe C:\Users\Public\make.vbs
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 4784

Process (depth 7): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\setup1.exe /F /t
- System Location Discovery: System Language Discovery
PID: 1072

Process (depth 8): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM C:\Users\Public\setup1.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 3696

Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 1900
Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "cscript.exe C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 3524

Process (depth 6): C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe C:\Users\Public\make.vbs
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 372

Process (depth 7): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill/IM C:\Users\Public\385104.exe /F /t
- System Location Discovery: System Language Discovery
PID: 1164

Process (depth 8): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /IM C:\Users\Public\385104.exe /F /t
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 4264

Process (depth 5): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "del C:\Users\Public\make.vbs"
- System Location Discovery: System Language Discovery
PID: 2044
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
15KB
MD5 a3198df52c95a2cf065805d8afbff2fd
SHA1 a524cc7901aa55718d4d3ba2caa660f9d16403ce
SHA256 c764ac779af983a14355281b26887092d97252c4071624f6ba9f21d04c6e9dbd
SHA512 0e90ab22e399f157860ace5447d0b9ad4b5c8331441ec4ab5582c9fa32db2edd89f626e44744bbbf1f586aff21befb3762ad725bf589771c3a2dfd2b962b33c8
-
Filesize
15KB
MD5 4f0aa5e5b20e44070696496d75ddbc3b
SHA1 7e2884323ec3127cbf598babc46a31d11d4db06a
SHA256 f09d573489b037f4ea820eafdd89a0941ee40fdd480e33514cd2d246d1b030b8
SHA512 164ac7b906eebe82ee525624779a083e79d4b13556d3ebf2aaeaa984eaf08c98f5db31e077808da10441c3e3afdc4e57207f5134738193feabc11ef6251950e4
-
Filesize
13.1MB
MD5 489841193bb17bed86528363199e802d
SHA1 b21527944d7f543b568aedbbe9833ffdb621b06a
SHA256 9e551b2304a6d8b72f38080a717d35900365dda5ce2aea2f2b14e90eba59cd7f
SHA512 85c250271c44ccafd753495356a9a1bd8d940a8c3443c51e1d8d1fbe1d79ab39226e9e18402b088ec340b05f45e0caeb8a2f7c195479e3b5e9cdbd23260405df
-
Filesize
183B
MD5 5bbb490df19cbff919dc8338db84f363
SHA1 1acb4bdbd0ff2b9c38613191c5f11e4ae35156c2
SHA256 738a9b1cd2c12511e87076fefbfe39aff55278ed86b3cc32fb968078cc6e6a03
SHA512 6b1ccd500347c13ac37f5b214db7717d35879cc6d4c909b7b8ecb7ce54e1cfe8b6d0202afe5edc77721f08e4f94291e8ae97abfb77cb8e758f15a62c6054d40f
-
Filesize
88KB
MD5 17f01742d17d9ffa7d8b3500978fc842
SHA1 2da2ff031da84ac8c2d063a964450642e849144d
SHA256 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512 c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0
-
Filesize
80KB
MD5 7768e3da5a04fa817e7dccc2508a411c
SHA1 2bbd7b9ffea0fe8f19992b39593910dc5808c013
SHA256 fe351e980e0c098f33615e0d54aef87eb79aebb9a0b179f33bcf0f93fc9a6338
SHA512 e219cf8a0929a211336d4e6e4345603ddc209df5994755ac144870b93d6d72d96cb4617aace8015195e62c031146043b255409576b3bbd89a725fe8c1ef8ba67
-
Filesize
155KB
MD5 795674562f6495081500cd0e7c1770f1
SHA1 bfe59f036f08213b8299ab6c1a5cbf361b387210
SHA256 1f841ec41003f74e656735ed74b84365427ef6e330c312fa458d2cee9cedc99b
SHA512 fa6250afb16f5a69d070dc261df858b23d740054beaf8469842018d805e4af0803cb98d3247e14c09f0613745d7282f5b3290f9157a5d3c96a0f8f313286db2d
-
Filesize
197KB
MD5 bfddafd620167cd795a3d17895e4f5d7
SHA1 2c545940e7da32caddc07fbc96e3b543a085a34d
SHA256 2f994d1555703739de1f4498d0196c5f96dfffad0eb60b161718c16168b53bd1
SHA512 55dbfcd5083e411d1361b2219c752543a2aa7587c4eeb876407b33d421b64fb432da2cedc629e92c8d45702058cd47e74d645aedac730b3dd3d65b611e9c260e
-
Filesize
48KB
MD5 144ea77a7bf8cebd601ba88147b1e3a5
SHA1 1c198c5d5a11bb1a6f7e8482741d7c201b095929
SHA256 05f013509826fb8a690403baa9e8879d577b67fc9a7e8c1f09aa054a9339eca2
SHA512 20dce3609d932c6c7d40d70d69d826448c6175470c27fabbde132bfb198b207b5d7477dbc53280dee5ed40d88a646ab1164a3826803b961180db46d628c3ab55
-
Filesize
145KB
MD5 3445dfd51b2f41d60d5c2508b4be33d5
SHA1 bd40e271e588bbfffc3624c50fcd15cb5cf382be
SHA256 e2ca5e4bd2fbdb52069c90182fea1873b111a2045f7e26cdb3772896d1a199ef
SHA512 5da1c72b1749db04f1cd71c20e536b8899d2fe05ca730233bd5e6db91cbfa7e45d2ec157668fe5d7a1ef28377b206f277a945106dff6a635942129810ab62c74
-
Filesize
28KB
MD5 aad725ff62836169e0b09a8833c70b7a
SHA1 09b5c0d4ea306c67708cf853e8e89a34f9b1682b
SHA256 0cb74d8aad8805c081c5585aef216828c010545469164067294d38b9410d3e2c
SHA512 995862ed27b01cdff796d376def382f3e16010a726b0ccbb5444eafaffd6515d7a1c1d8af11915c0df19860601f113a3e047a6094e579ce1939a039afef6a89a
-
Filesize
71KB
MD5 dc3270c15c0bb4bff94a16575377f403
SHA1 333c5003215e0a903cbdc9f8d1747d46df34ada2
SHA256 ebfc54652c2d3b4fc0f69b06972b056060e55f6aab06bf0caa1328c5e76eb118
SHA512 327ff12b3b5ad264aa6478227658d3d59073a6606ec675236df0f0d33d723fa9e7fbf8a80b5cdbab1b2522ae51769c5425fd95f2c870fb546199de95478e3e88
-
Filesize
154KB
MD5 ff678e483e580cfb5c78b0485645fc59
SHA1 fe3e0db48f4ae86040a4cda5f0c5cf012a09fd28
SHA256 0e97b0f87c7b9ec74d9162fc6e41a800f60825167c50845031c2207dcddf3346
SHA512 637e3662f6d541d14ac2817e301b3d882e159bbf08f15f8bac1eee2a29973cd999efde1252db0a4a085741f8ea0d99bbbfb175114058937e2074dc7aa1d419cb
-
Filesize
1.3MB
MD5 8dad91add129dca41dd17a332a64d593
SHA1 70a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA256 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA512 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50
-
Filesize
3.3MB
MD5 2e9277a5dd088949086d450da0e5f4e8
SHA1 c939886464bb65dc4667d8e477d97a619eadddfc
SHA256 7de51a1913ca3b10027f83d99ccccb166d6a3c06ca5d6358f260342dbacdbf6a
SHA512 9f16c77cd90e1b6657f3d2cbd131273bf24becff01c198690ebadb2c454e3f84b88a7e9c6fecdb7f564e1aa99a5583bbd1933e5db408efce3a9095776fa1a056
-
Filesize
620KB
MD5 8b8fb5ec8d5fca88463bb9ad9fa23344
SHA1 cbc26ffca78f03b146c84925749029ca2777b30a
SHA256 b777ccc04c05ca5b0a6ff68e6c46ad9837dc02311ee132ad6a81910f4a1ed54f
SHA512 3763752732822b80622d5260745313575993f535b1fed49434483b644009eb09ab91a1a7f32df22ada477d873ddb0726e0ab5e9416b08fa70e6446d8e981104d
-
Filesize
66KB
MD5 97386f12a1c19e14451f5e4697e5fdc8
SHA1 6bee5f0a7b8863779a02491c93cb46cd8b6916ef
SHA256 130632508b1a7f6293bb67e13441e0e21164a5df8e5dabaec9ebe73a35544bad
SHA512 66dbf574585bd72f2487f341026a811533740241bea1a33395f8967c4b9283aa35c7d765a03337cdec4f56ea5940ef02491d9fdee497a2deb5fc4296d19261e2
-
Filesize
5.6MB
MD5 0eac9fa387647c388fab4239bfe5a0b5
SHA1 fafb679a58b8d85b50af18a4c0a7402fa890ee39
SHA256 65900b1bc22af5bb974385f7f2a8742ffd12860010cbe0aedb62ff5598998414
SHA512 70042322b98681c73f83f05e03f61a8ad985944cf07633653706c9b87be738e6698099f40328058ee80d4063f8e85aba7c674c3af079cf082376fb1dc9005e86
-
Filesize
527KB
MD5 fada0e603afb67d1893cde008e118dc7
SHA1 cb13da46b767c873ba9b563dc69ab3c6dd45d6ed
SHA256 b02fd24536f917bbd110da4712106a391e453cc6323f4e6c60a683f077b1514e
SHA512 3f6a2ee6f612d3b18708318660ac0a00efb2bdab202eba9dd0539f65bf8f2a125c3717b6cf254c15520b0a34b016ea9ccd1d06e88d408bad94f79a2b1a5a4da3
-
Filesize
106KB
MD5 7aa3274f9d767fe6c2994b455fe33a64
SHA1 b1bd2b0635710fa8252b1300a96700c9569e84cb
SHA256 5beb99a5e1e83b8f5e4a6c6185348f689f73071c0b68b6a70964ea53c5c17f22
SHA512 9fa282afc951612ca26c5b78bb3e2091b6cb3b17b2ad21f67a2f79387161519dbf80c52c2ad62e8575abebfef7ec48a296390a9a8a678db31bb09d01ff04f4cc
-
Filesize
26KB
MD5 c66bc949390c8af8573f877f506d2a6c
SHA1 68730f0ac9e023eecfec9c8b1546e6c8678dc54f
SHA256 ac861ea9320c0ec16c1c8eaa68fbf35dcff977d4e980bd50cdc7195d6f00e9e4
SHA512 fd498a872596843e3161955d482371c7ca4690105b5ed4417d26b3b9533c0ac1e7a9627c4900d38320800eb30fc20b1377bb64bbf909b896e31ec401e057d0a8
-
Filesize
1.1MB
MD5 c190e5d70fdcdd1cbeaa23de04795c97
SHA1 86abddf9d67aabd6d744e12114c2764d2cba2156
SHA256 4e60bd8e5d8676f1b2ca30f06c5bb858cd6db35801ffbf6b6ceec336d880e808
SHA512 328e80e68391d0e84b8a02c6b1a9231a8376c45286e6669880a65a140943f55e9e0e83c16dd4fc636811298f583d4570ca9b718bd0ee19ef8ec75f711af428d3
-
Filesize
101KB
MD5 91c7e0eda0d840c320815c6e914b02cf
SHA1 7024fe76f7585b8a634e762a1d5686fbba5f6437
SHA256 0ac64c91f49af4a1b86446c85e53e9ee899e27047368f9819a3c16c6e53454ab
SHA512 3e59849b891a833807c6c6eb6253c57effcf3c2b95bb430a17ce676e4b5bb3fb0d335effd6a794e2a910f29fa68d11f81e6ddc3a8e18336fc5e80c49891d8cf0
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
4KB
MD5 4e55b42d326b24bef5bd415891725b28
SHA1 92a78f46dc2e28078d71135a9911a02b9a779e7b
SHA256 f98bad06aa5c1a91be60f59325addf86fe076e0e97a0ee6295c89496e35ec0de
SHA512 3e360444498fcf62e00703501889a3239fef1037228075b1c071766bcaf943e259fe4a3d56524cb5d87ff149c9d85e47f3783a35f68144729c4445d62b2fac93
-
Filesize
7.3MB
MD5 3861a0771a80ee4a0fee71d27e55ea3b
SHA1 ec3ce37a9a1cb7be6203a2f8f0ca0905c6fe15ff
SHA256 ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876
SHA512 1f9b74dd8fbe10d9d2e26053ca374f7a8f18c10a153c7a4b8c46032033fdc155f5f5310fdd516d3a4632644f7d76137447694958c28485bd506aa68775c34f6d
-
Filesize
315KB
MD5 115d4283a126ef5b8da99582cfaf9b17
SHA1 bc3343e28434368e95ab31f1edeaa1baaffc9e95
SHA256 e1cad6961c9fcbbcb8a974c5d6cc58a248d2d69880d1ca8355ef8a92c3bc8afc
SHA512 1d78d9f9b8a2e7bb3c7505edd808e3dae5b9b782483ecd1de07012e3dd30eb21e3b13712177b64a5c8aa229244f1eb2c6794aa44b5ea2dd2771b5b3109a0f4e4
-
Filesize
6.3MB
MD5 cc70a5edd4a5a8db874c97d21119f59d
SHA1 4b1d7b51e875a4b6aa05967459e17ea0d3286f39
SHA256 4311121804332b647e02280a9c551c85c16a46f24f2d2107a9bdceaa8923afa1
SHA512 f2806d7988073539723708821f0246021a77724c992901282036f77bdb57ddf7e495644d7f00c6f96fd3aa0fa65e6142ed9e823c2cab1474d41ee5bc083b2268
-
Filesize
141B
MD5 24edf70cd3dfaed22ccbfcdb46fedb6a
SHA1 34ce910db6cc63654a3bbc117397ad26c6136ac9
SHA256 2d2114848d90467e84cce62f55f894488f751e1c5ce38d9a83f265d5b330b4ed
SHA512 657cbf6b5bcaf8a20169636b55537cdf5dcc7995406fec3ed83941826c1292b118632f780183b2b8ea4bb251ac4740e7dfa472d73c9d9863efcdf3ef441a7a69
-
Filesize
146B
MD5 66232297ab8364e4ab1413149fa28778
SHA1 b94045bf663494af1907a461ec36d60d5e2c2b0c
SHA256 317a69633fe3714a2321edb7223a9dc68f84aab3477567f400772a3abe16c13f
SHA512 01abaf92bec4ddb5f64c13aecbd24a58d814dacc32218709cef1c8d53cdce32ad030957661364b8d4a6bb6ae0b8f430aba1064d888bd89e0e18d8587ef21d9ec
-
Filesize
143B
MD5 cc3d3ed7869701b037203bea64221135
SHA1 88a4818165efc31cfac7534aa1cef73dc08972ce
SHA256 a1340d619e4952340929cf07848de213d5ab27e2b9ab8399a52d1c8fdec8ab67
SHA512 f0d8d4fd64e1aaa30d0045017cbc36c5297dd6725a87a4dd8d528f80cc838de9295e2483eae5296ab774616b88bccdce0061f495c3e93c317236301dcece7981
-
Filesize
142B
MD5 2984059e341e42c0f34e0b5fe4f2f3d1
SHA1 444fd218f43d8a4286c024f08d84a8ac38e18bba
SHA256 6214a167b290b206611f527f281ae5ace91918cd8d6e77a1c8a01a13465b99ba
SHA512 786be5ea24debffbfbc5737fa497ccef97507bb0a76f93544a9f8e5f02f89a5e83382aa78058d962de3330addd86aee5be32b8c15382f79666ff94885cace168
-
Filesize
142B
MD5 ed2fc077f746f28281b9fe0626c41b61
SHA1 fac7d476679773b6beef32c9c99a3d9d5df9ceed
SHA256 b48e03c1e333435ab55a86861d9655f6ddab65cde214995dfd1cf07e6b821b6d
SHA512 77e5d23a2139afaeeee9aad0b8ca1751b6187b1e8bdf72114fdbd094f34aee00ef952305575e9c5976a0a80fb049dba1ae1a2030c24b48c60643ebfcb5966f77
-
Filesize
144B
MD5 dfeb6563fc630d666751198da478e60b
SHA1 5daaa7e50685dced4398fda98f507b4bbe54fbf8
SHA256 e068d932251118af2d66569cdee1b2b7c27e432a15bd7f5060023d09a7ca3ba8
SHA512 80c4eeeb512a2328296a4ff8aa5273c44cf2fbadd3cfa8fcdc773b9863a4b9636c6228484a045e2e9a846bcb1f5c014faaeae7e0414626ea93c728c4d9737add