stealc | b10c9d5286c17c05f587660664ab7f5723817fc98343c02c6b91ccc562e1019f

Analysis

max time kernel
150s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66fe13d56fd43_EdgeOUpdater.exe
Size

26KB
MD5

cdb17e17bc4e4d51fde6a4620cec014c
SHA1

c184c6c58a66555685be713dcd2d11e6f0af7c37
SHA256

b10c9d5286c17c05f587660664ab7f5723817fc98343c02c6b91ccc562e1019f
SHA512

acde9cf8b3ee05efe99f5bd1e096e2016f0f6f7fc196f89f6a9592480ee0afe134d4ebdb2a5c6c8782290c5da31b07f9e58cc1722a9fe4bf70d9ca05e1b2417a
SSDEEP

384:HvVTF7OeRFOJPxyhd/jP+ZhxZL8fDPE5I0+TkFBUM9ekamBrqEjDD2DUj7+uWZFj:H95FOJPxQWV2/k7Uuhq4/+uWz

Score

10^/10

stealc vidar default discovery persistence stealer

Malware Config

Extracted

Family

vidar

http://proxy.johnmccrea.com/

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/1456-194-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1456-196-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1456-205-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1456-206-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1456-217-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1456-220-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_9bb2af96ac034e61a0363e09bcdcb46d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7a38c2157eca49b8b658a4f001ba9780.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_453b48365eba4dec800006bfcdc91a95.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_09425f7f2cd6496598d46c7a3fbd4a6f.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_fb636f0bf6304ffb8d8ed657729c7e0d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_bc85376ff67c4710a4fd434eb29fcbb3.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_523410ced7924a6e88c7107c17a46507.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_18417d71dc3f495a949b9c149af45e1b.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7d376c9bba724717ba2be60c05c64b0d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_0c2dd0e143d5422280a69efbf4f87f1b.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_e3bc72d979be4591b683811f98343198.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_c22ca62f23db4cafa5d5d60fcd820a00.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7291a0d2269c4599b01bd07d9cedf75b.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_d36713cc02f24b17aa8f57d2815c9ee6.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_ac12f9148f184e93a133c36fa797d3ac.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_b34284ff7401402d9bc3fef616a5ec8a.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_16a2e702ca0c4a48a8e410c40618c793.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_6273d48aeeda45a4a36b0f8c872f6c7c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_a604433edfe44fa2a7b47718bb3ec972.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_89e65d3150d746e29e15caa8a6ca8ebf.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_774ade76be3c4ceba101fce5d811493b.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_b7df1b645584440e985567adf58a9618.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_9d01813226f142edafab6368ed01e583.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7c71823c14cb492a852e74e654c5bc28.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7c2c409aab6e457da2d6e686996aae02.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_a41c22e1e9514f0ebf4f855ca4529d7f.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_fff7dfbf2c27401786ba7cc017c1380e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_5742e40db58f4e7f8475678536aa7d9b.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_58100e281718424f94432ac8ae3eec47.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7a48793604f84e38a58ad5798576c3de.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_2fc73021a5fe4aa8b92474cc7faa4c2e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_1a8c1900a7ca43bab21fe4efce80da10.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_79069c66a70c4207b960327c19dd700c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7357f233600f426f8d5f2f5653b32c8f.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_bd8226c6de9d46aaae2d6dab16b96463.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_b68d359b024b400880a626745bfe5ecc.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_c8e8f7a024734c6cafdbd33c7b4fa85a.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_d63d3a3096c5439eaad4f87400f29dc4.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_ace2f297f9c04598aca72e3ee807695e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_4c583a481fdb43b8a34eb5ec9c508e38.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_234213bf65944d70a25413214aa3b243.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_81f5fdd255af46e28af618657dc97822.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_49d8cba67a684117be3588bda5759ce2.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_ab82b85f506147bb890abad67adbce1f.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_458cde0bed654dafb216341c12ebcd70.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_2970ac3bfc404c50831572fdea340fcc.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_f6568b00b5db42c6ba31dfa631c4e020.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_224b05633fc24a9fbcc18be1d4bce757.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_03ea083eff224af1bae2f8e3a286690c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_80528de2da5c412495f2e862f9a3c926.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_c22cd86a85e2481ba41ea2a2964c1cb5.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_c61d8b2ec11847f9aad353d86058e92d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_ed691397320c4b06a6058bb28782ef47.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_d05c8a0e448a49ab9f6dbac100b0d14c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_302c3fffa21f4d78bcc19d4fd912cd84.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_156da3d2afa848c29abd54d0f42eff29.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_4507f600c1ae40638ad74ffa78f9d9b0.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_121832a16eea46bc96eac1bbf8b4ff14.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_f0db5b7ad7434a768b7032b47e0c21d8.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_ee9b69c9127c4703903d66bfc79ce6d2.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_cded9d5d3f5340579a2f5487cf9529f0.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_6558bb8d322a441d8c553346c26ef384.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_f771777121b743338f796de6a20b23a8.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_2ce57e8609ce43b284b3848f4f1101f0.lnk	LKMService.exe

Executes dropped EXE 5 IoCs

pid	Process
512	LKMService.exe
3968	GoogleUpdater.exe
4496	c86d3b2355674b36886dcbb5d6b481f6.exe
2952	JRhNrW3G6RE9VCsdraEcF3ls.exe
3720	2q3g7Z3He8F_YSmixVOmslma.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKMService_574092dbfbce4f8d9d8482dfa3c37b64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EdgeUpdater\\LKMService.exe"	66fe13d56fd43_EdgeOUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKMService_b8527a08795d4da4811c4588af9bfd7b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EdgeUpdater\\GoogleUpdater.exe"	LKMService.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	iplogger.org
28	iplogger.org

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ipinfo.io
14	ipinfo.io
1	api.ipify.org
11	api64.ipify.org
12	api64.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 3720 set thread context of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 2952 set thread context of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4892	4496	WerFault.exe	72
1840	3720	WerFault.exe	77
1576	2952	WerFault.exe
3236	4264	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66fe13d56fd43_EdgeOUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JRhNrW3G6RE9VCsdraEcF3ls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2q3g7Z3He8F_YSmixVOmslma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LKMService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c86d3b2355674b36886dcbb5d6b481f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe
512	LKMService.exe
3968	GoogleUpdater.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	LKMService.exe
Token: SeDebugPrivilege	3968	GoogleUpdater.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 512	4240	66fe13d56fd43_EdgeOUpdater.exe	70
PID 4240 wrote to memory of 512	4240	66fe13d56fd43_EdgeOUpdater.exe	70
PID 4240 wrote to memory of 512	4240	66fe13d56fd43_EdgeOUpdater.exe	70
PID 512 wrote to memory of 3968	512	LKMService.exe	71
PID 512 wrote to memory of 3968	512	LKMService.exe	71
PID 512 wrote to memory of 3968	512	LKMService.exe	71
PID 512 wrote to memory of 4496	512	LKMService.exe	72
PID 512 wrote to memory of 4496	512	LKMService.exe	72
PID 512 wrote to memory of 4496	512	LKMService.exe	72
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 4496 wrote to memory of 3832	4496	c86d3b2355674b36886dcbb5d6b481f6.exe	73
PID 3832 wrote to memory of 2952	3832	MSBuild.exe	76
PID 3832 wrote to memory of 2952	3832	MSBuild.exe	76
PID 3832 wrote to memory of 2952	3832	MSBuild.exe	76
PID 3832 wrote to memory of 3720	3832	MSBuild.exe	77
PID 3832 wrote to memory of 3720	3832	MSBuild.exe	77
PID 3832 wrote to memory of 3720	3832	MSBuild.exe	77
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 3720 wrote to memory of 4264	3720	2q3g7Z3He8F_YSmixVOmslma.exe	79
PID 2952 wrote to memory of 3192	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	78
PID 2952 wrote to memory of 3192	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	78
PID 2952 wrote to memory of 3192	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	78
PID 2952 wrote to memory of 3176	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	80
PID 2952 wrote to memory of 3176	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	80
PID 2952 wrote to memory of 3176	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	80
PID 2952 wrote to memory of 1832	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	81
PID 2952 wrote to memory of 1832	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	81
PID 2952 wrote to memory of 1832	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	81
PID 2952 wrote to memory of 5064	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	83
PID 2952 wrote to memory of 5064	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	83
PID 2952 wrote to memory of 5064	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	83
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84
PID 2952 wrote to memory of 1456	2952	JRhNrW3G6RE9VCsdraEcF3ls.exe	84

C:\Users\Admin\AppData\Local\Temp\66fe13d56fd43_EdgeOUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\66fe13d56fd43_EdgeOUpdater.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe
  "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\GoogleUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\GoogleUpdater.exe" --checker
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\c86d3b2355674b36886dcbb5d6b481f6.exe
    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\c86d3b2355674b36886dcbb5d6b481f6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Users\Admin\Documents\iofolko5\JRhNrW3G6RE9VCsdraEcF3ls.exe
        
        C:\Users\Admin\Documents\iofolko5\JRhNrW3G6RE9VCsdraEcF3ls.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3192
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3176
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:1832
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:5064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 276
        6⤵
        Program crash
        
        PID:1576
    - - C:\Users\Admin\Documents\iofolko5\2q3g7Z3He8F_YSmixVOmslma.exe
        
        C:\Users\Admin\Documents\iofolko5\2q3g7Z3He8F_YSmixVOmslma.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1128
        7⤵
        Program crash
        
        PID:3236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 244
        6⤵
        Program crash
        
        PID:1840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 244
      4⤵
      Program crash
      PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe

Filesize
26KB

MD5
cdb17e17bc4e4d51fde6a4620cec014c

SHA1
c184c6c58a66555685be713dcd2d11e6f0af7c37

SHA256
b10c9d5286c17c05f587660664ab7f5723817fc98343c02c6b91ccc562e1019f

SHA512
acde9cf8b3ee05efe99f5bd1e096e2016f0f6f7fc196f89f6a9592480ee0afe134d4ebdb2a5c6c8782290c5da31b07f9e58cc1722a9fe4bf70d9ca05e1b2417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\c86d3b2355674b36886dcbb5d6b481f6.exe

Filesize
2.0MB

MD5
06fba6c386d7f07e237e6a6a498a8bc2

SHA1
4b066789f5c7746ef15a79f1449ec90a54252051

SHA256
59231c487319c53dfb105e6d4c54fb1dec8e5094e7525921e5a4ebd72d19eaf5

SHA512
c0bd8db4bad2b1f6d876af994690f292567f797c95268a97fdddf221388ae0e577dbb730734eab8005679fa568673e38a21c8495909114d5785f2b1138ca6e49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_0642a5478c514c15a484cd342f81dc99.lnk

Filesize
1KB

MD5
14eddb5023474911f7799b04d08a4d98

SHA1
7bf3be6145525ce49ccfa73c0f6c2a64edcfdb9e

SHA256
576284aeb9bf1bc1b100157b1092dd944adcacbeaad69a326ad42e0e88df30b7

SHA512
f4e0746c20ffd000495907f1aa872136d7164aed73820bf4fd581c7b8e73bacbf36f321e52982c94a184cef45c9eadab7223db971ffb4736d8f8cc33e2849fab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_311e17b439804fbea104017e2050ab56.lnk

Filesize
1KB

MD5
44be8098e5450f70b86b333d16063aa4

SHA1
8b3fd2446276e112cf59e6b2804f6ec88561c792

SHA256
d991e062e9060d70b6235de187243c26c94e1d0b4c535d65c5f6341c4cd778ba

SHA512
5e9f4a963e22c1892fcddd9af32c7859791354c71315cd7c16f9dff5db1959c82319127ae9ba915f811f0188b21af4eb46702e730ccca7930082aebe24cdf788

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_a1886a28f18b4814a3c2d8f18c2e073c.lnk

Filesize
1KB

MD5
7b71cef3add81b6cc851b3b66d7b281a

SHA1
77705014753fbcc95bddf0b0c5d8a1501db51e30

SHA256
6835eb358bacc75a2643d6031b37357f2d9f53ad197fc9e88f05d1a5b80e9b84

SHA512
04f3d3211e3222300d0c389682468aeb2a41014809ad0c6c9ce44007deb1d12e19eb447b99e7dc2ab0274b26a19d1b51e83ff793ec80829edfee72b1a150e92f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_c8e8f7a024734c6cafdbd33c7b4fa85a.lnk

Filesize
1KB

MD5
af98e26779210d7cb917f44b1b3e2dad

SHA1
449e487ee4a96b759720d3f9b0409a3c54596fd2

SHA256
c85a11762f88141dc1b13b8b6aac13b9b6daecaf82c86779d89f12d29962179c

SHA512
ec8f508300644b7ed57199e4dd5ae70e128c619dd8b970bd10ad846ca529e0aa9a9478a34eb775e7eae06847298a91b3ff115edd5d1bbf40edfba188e9439c1c

Download Submit
C:\Users\Admin\Documents\iofolko5\2q3g7Z3He8F_YSmixVOmslma.exe

Filesize
503KB

MD5
e56fabec4d4e56972f896e326b206e7a

SHA1
31b56104ea4446cc6348931f82f094800df0c720

SHA256
20175d2f268bff73e352a5a5b85d987b8a5958311b1032251f7341def5396f4b

SHA512
97b59a2f293f16af5c80c2c689c7eca42908faec51b69914597f5e90fdb3b420f6d2ba72ac01ba39a8c5822fcf36f2b509bf0a14328e11e61a969f4573c17390

Download Submit
C:\Users\Admin\Documents\iofolko5\JRhNrW3G6RE9VCsdraEcF3ls.exe

Filesize
580KB

MD5
dd44827a4ff7c9f0d3b4d94b8151144e

SHA1
6dacc2fcec01a0f34d27619c4cade3c25f3a6d52

SHA256
b830fb5d195f47d080d73af41060f8be9049d20d26453ca00107367ce2fd1d9a

SHA512
ade978c03223b23dba01c9119a17838d38d078270421857557ec9947f0e9fcc557bbc55253cb2f36ec47fbd4013301b1d40f1e51a9b0bb5ccda34ecf5c282dc3

Download Submit
memory/512-53-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/512-14-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/512-17-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/512-50-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1456-196-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1456-206-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1456-194-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1456-220-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1456-217-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1456-210-0x000000001D3D0000-0x000000001D62F000-memory.dmp

Filesize
2.4MB

Download
memory/1456-205-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3832-161-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/3832-162-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/3832-44-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/3832-45-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/3832-184-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/3832-188-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/4240-13-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/4240-0-0x00000000731EE000-0x00000000731EF000-memory.dmp

Filesize
4KB

Download
memory/4240-4-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/4240-1-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/4264-191-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4264-192-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download