stealc | b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
Size

8.6MB
MD5

54e6bcf9be550a5b8e5cd7b83318942d
SHA1

0c9084c04d5dd833867a60376c0809e8276fd869
SHA256

b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2
SHA512

afed87e898d00a146c42f4c81b86fe5c243c205fabb3296d757915bc427bfa8fe91d7cad48a4d36f427168b90011d8ce05e8b3003ccf47f0a3e3ab5151eefd1f
SSDEEP

196608:CkQm7e7eIqv9n2vYLIRQ6SSQCpX67SfUDTsmpfCcXe+8BvSk:CkQm7e7eIqvF2vRCApXVwTsmpfCcL8g

Score

10^/10

stealc vidar b3f4e62dbdd6721134cbcb95ba248e90 default7_doz credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

b3f4e62dbdd6721134cbcb95ba248e90

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default7_doz

http://62.204.41.176

Attributes

url_path
/edd20096ecef326d.php

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2264-176-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2264-178-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2264-173-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2264-171-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2264-169-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2588	32QW25IPW7f09a8t4S33uGov.exe
2552	biB8ADrFY224lzyS8mldehVH.exe
2224	YX7Y5HGHh6J8osYFStrBpt0e.exe
1324	is-MHG6M.tmp
2260	middlemediaplayer.exe
2264	YX7Y5HGHh6J8osYFStrBpt0e.exe
2500	32QW25IPW7f09a8t4S33uGov.exe

Loads dropped DLL 23 IoCs

pid	Process
2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
2552	biB8ADrFY224lzyS8mldehVH.exe
1324	is-MHG6M.tmp
1324	is-MHG6M.tmp
1324	is-MHG6M.tmp
1324	is-MHG6M.tmp
2224	YX7Y5HGHh6J8osYFStrBpt0e.exe
2588	32QW25IPW7f09a8t4S33uGov.exe
3004	WerFault.exe
3004	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
1712	WerFault.exe
2264	YX7Y5HGHh6J8osYFStrBpt0e.exe
2264	YX7Y5HGHh6J8osYFStrBpt0e.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2588 set thread context of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3004	2224	WerFault.exe	33
1712	2588	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biB8ADrFY224lzyS8mldehVH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-MHG6M.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	middlemediaplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YX7Y5HGHh6J8osYFStrBpt0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32QW25IPW7f09a8t4S33uGov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32QW25IPW7f09a8t4S33uGov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YX7Y5HGHh6J8osYFStrBpt0e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YX7Y5HGHh6J8osYFStrBpt0e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YX7Y5HGHh6J8osYFStrBpt0e.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1564	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	YX7Y5HGHh6J8osYFStrBpt0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	YX7Y5HGHh6J8osYFStrBpt0e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	YX7Y5HGHh6J8osYFStrBpt0e.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
2264	YX7Y5HGHh6J8osYFStrBpt0e.exe
2264	YX7Y5HGHh6J8osYFStrBpt0e.exe
2264	YX7Y5HGHh6J8osYFStrBpt0e.exe
2264	YX7Y5HGHh6J8osYFStrBpt0e.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2588	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	31
PID 2336 wrote to memory of 2588	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	31
PID 2336 wrote to memory of 2588	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	31
PID 2336 wrote to memory of 2588	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	31
PID 2336 wrote to memory of 2552	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	32
PID 2336 wrote to memory of 2552	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	32
PID 2336 wrote to memory of 2552	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	32
PID 2336 wrote to memory of 2552	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	32
PID 2336 wrote to memory of 2552	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	32
PID 2336 wrote to memory of 2552	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	32
PID 2336 wrote to memory of 2552	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	32
PID 2336 wrote to memory of 2224	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	33
PID 2336 wrote to memory of 2224	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	33
PID 2336 wrote to memory of 2224	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	33
PID 2336 wrote to memory of 2224	2336	b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe	33
PID 2552 wrote to memory of 1324	2552	biB8ADrFY224lzyS8mldehVH.exe	35
PID 2552 wrote to memory of 1324	2552	biB8ADrFY224lzyS8mldehVH.exe	35
PID 2552 wrote to memory of 1324	2552	biB8ADrFY224lzyS8mldehVH.exe	35
PID 2552 wrote to memory of 1324	2552	biB8ADrFY224lzyS8mldehVH.exe	35
PID 2552 wrote to memory of 1324	2552	biB8ADrFY224lzyS8mldehVH.exe	35
PID 2552 wrote to memory of 1324	2552	biB8ADrFY224lzyS8mldehVH.exe	35
PID 2552 wrote to memory of 1324	2552	biB8ADrFY224lzyS8mldehVH.exe	35
PID 1324 wrote to memory of 2260	1324	is-MHG6M.tmp	36
PID 1324 wrote to memory of 2260	1324	is-MHG6M.tmp	36
PID 1324 wrote to memory of 2260	1324	is-MHG6M.tmp	36
PID 1324 wrote to memory of 2260	1324	is-MHG6M.tmp	36
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 2264	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	37
PID 2224 wrote to memory of 3004	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	38
PID 2224 wrote to memory of 3004	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	38
PID 2224 wrote to memory of 3004	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	38
PID 2224 wrote to memory of 3004	2224	YX7Y5HGHh6J8osYFStrBpt0e.exe	38
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 2500	2588	32QW25IPW7f09a8t4S33uGov.exe	39
PID 2588 wrote to memory of 1712	2588	32QW25IPW7f09a8t4S33uGov.exe	40
PID 2588 wrote to memory of 1712	2588	32QW25IPW7f09a8t4S33uGov.exe	40
PID 2588 wrote to memory of 1712	2588	32QW25IPW7f09a8t4S33uGov.exe	40
PID 2588 wrote to memory of 1712	2588	32QW25IPW7f09a8t4S33uGov.exe	40
PID 2264 wrote to memory of 1928	2264	YX7Y5HGHh6J8osYFStrBpt0e.exe	43
PID 2264 wrote to memory of 1928	2264	YX7Y5HGHh6J8osYFStrBpt0e.exe	43
PID 2264 wrote to memory of 1928	2264	YX7Y5HGHh6J8osYFStrBpt0e.exe	43
PID 2264 wrote to memory of 1928	2264	YX7Y5HGHh6J8osYFStrBpt0e.exe	43
PID 1928 wrote to memory of 1564	1928	cmd.exe	45
PID 1928 wrote to memory of 1564	1928	cmd.exe	45
PID 1928 wrote to memory of 1564	1928	cmd.exe	45
PID 1928 wrote to memory of 1564	1928	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe
"C:\Users\Admin\AppData\Local\Temp\b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\32QW25IPW7f09a8t4S33uGov.exe
  C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\32QW25IPW7f09a8t4S33uGov.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\32QW25IPW7f09a8t4S33uGov.exe
    "C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\32QW25IPW7f09a8t4S33uGov.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 52
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1712
- C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\biB8ADrFY224lzyS8mldehVH.exe
  C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\biB8ADrFY224lzyS8mldehVH.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\is-G1GN2.tmp\is-MHG6M.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-G1GN2.tmp\is-MHG6M.tmp" /SL4 $50150 "C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\biB8ADrFY224lzyS8mldehVH.exe" 3960739 52224
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer.exe
      "C:\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer.exe" -i
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2260
- C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\YX7Y5HGHh6J8osYFStrBpt0e.exe
  C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\YX7Y5HGHh6J8osYFStrBpt0e.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\YX7Y5HGHh6J8osYFStrBpt0e.exe
    "C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\YX7Y5HGHh6J8osYFStrBpt0e.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFIIJJJDGCBA" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 52
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3004
- C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\eThugku4x4eIXEN4tlhouyU8.exe
  C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\eThugku4x4eIXEN4tlhouyU8.exe
  2⤵
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab22AF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22D1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\biB8ADrFY224lzyS8mldehVH.exe

Filesize
4.0MB

MD5
882f0efe9d2215736da375b3542e1575

SHA1
b8f47bc05c2a0d7d336f7c201fc09e6af3b93a41

SHA256
1bda055af670cb8e8f37d4860197b58cea1464c16dfaa31fadf42a9eedee8b25

SHA512
e385accd0c6300c38abe7f8f55ef9fcb5938cbc5baf69f858a43eb36b36d892888ba6a388643dda1bc09cefffcdbda55549d95edf62dcd35b4b0420da109e888

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer.exe

Filesize
3.8MB

MD5
b18bc890142dafafa5b2d6bd9f578af4

SHA1
2001995e693cedcf7c6ddbed64fcea2eec2bd6bc

SHA256
87d1a53293dd226a27620cf479bc41d457f8bbc7da775a69c4426de7e22eead6

SHA512
e398b96d6b1315dfa823f90ad6eb4fcaab825c83e0ea0c0c94974eedf235b0bd53bb1fd36b0e5f62a858313d30e0da62c306728d3a7c793692f450fe951cf106

Download Submit
\Users\Admin\AppData\Local\Temp\is-G1GN2.tmp\is-MHG6M.tmp

Filesize
647KB

MD5
321dc40b1028537e9da09d6cad16b524

SHA1
419dc3963cfe7cdf66a1e23718c52d4dc1623d51

SHA256
95acf4477c6c852bc972eb835ce3d99356c7c1298d9533bc7ab005566d89996f

SHA512
d11dd58068937d67bb0cfca5ed3ab952c796d7579462a9090ec7c8fa7f5da66c30a9ed42d620b4e7be29eb1654a68aadb9a741e1542a6555297d537f7ee4d177

Download Submit
\Users\Admin\AppData\Local\Temp\is-THHQJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-THHQJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\32QW25IPW7f09a8t4S33uGov.exe

Filesize
533KB

MD5
01ea063ff2c35efcca794de6981b977f

SHA1
71c74c1b8cdc2fa4b95c0fe04eb5efacbd25d6bc

SHA256
8552a4433857d671b15e01f281fadb73f67f5d1303d343781793cdb25f3bbb1d

SHA512
a10a282d3badf3f1222843964082c168a13f16b52deaa9ac39aaffbed17f33aae74b04daa0ee89ab5fe064b1b254692946169f74ae08a6bf1c5c8b1ee60e9ce6

Download Submit
\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\YX7Y5HGHh6J8osYFStrBpt0e.exe

Filesize
609KB

MD5
bddfad2067b3daa7ecb92b74ff555739

SHA1
db7742aa14e0a28e873f293e56bda0dea82a6828

SHA256
69cfbf86caf4cd8410808b03c6ecb70b7aafeef038c6dec61ac9c3d56fa938b0

SHA512
741e53d7891418558d24eb686baa0cb0fa5db305f9c1982fda5209c7587c6225403f234d4662d0ea5fa4735db704ff83244d6e3f677e102cf59e901f575c5eb8

Download Submit
\Users\Admin\AppData\Local\Temp\o2aiKuWhZYmGE1Ql1G18\eThugku4x4eIXEN4tlhouyU8.exe

Filesize
521KB

MD5
9f48a0d46a463b93a0efd1ac4a216bf1

SHA1
981f2cdffe9c3c2a542ccf104c2259da5567edb0

SHA256
dae7cff094c60bbf767bb82c04b68fc02e79d6201e3bda014c79088a767c94c9

SHA512
02ce6a1d0e496f09edebef4d8fc159537b201cc0ccd015a3a6c619a5218707e4c67f3186df28d48005820dd7ae7b062e6eec733df6dbdc4908554b2ffc214f69

Download Submit
memory/1324-311-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1324-728-0x0000000005930000-0x0000000005CFC000-memory.dmp

Filesize
3.8MB

Download
memory/1324-158-0x0000000005930000-0x0000000005CFC000-memory.dmp

Filesize
3.8MB

Download
memory/1324-93-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2224-333-0x00000000012EE000-0x00000000012EF000-memory.dmp

Filesize
4KB

Download
memory/2224-160-0x00000000012EE000-0x00000000012EF000-memory.dmp

Filesize
4KB

Download
memory/2260-159-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/2260-729-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/2264-173-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-176-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-163-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-165-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-167-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-169-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-171-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-178-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2264-175-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2336-4-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2336-40-0x0000000000C38000-0x00000000012A2000-memory.dmp

Filesize
6.4MB

Download
memory/2336-5-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2336-7-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2336-9-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2336-10-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2336-12-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2336-2-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2336-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2336-34-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2336-32-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2336-29-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2336-27-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2336-24-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2336-22-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2336-19-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2336-14-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2336-35-0x0000000000C38000-0x00000000012A2000-memory.dmp

Filesize
6.4MB

Download
memory/2336-76-0x0000000000B60000-0x0000000001B46000-memory.dmp

Filesize
15.9MB

Download
memory/2336-77-0x0000000000C38000-0x00000000012A2000-memory.dmp

Filesize
6.4MB

Download
memory/2336-17-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2336-36-0x0000000000B60000-0x0000000001B46000-memory.dmp

Filesize
15.9MB

Download
memory/2336-41-0x0000000000B60000-0x0000000001B46000-memory.dmp

Filesize
15.9MB

Download
memory/2500-184-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2500-186-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2500-188-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2500-190-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2500-192-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2552-72-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2552-67-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2588-183-0x000000000016B000-0x000000000016C000-memory.dmp

Filesize
4KB

Download