Overview

Score  Task                 Platform
10     Static               static
3      ♡☞Satup#.rar         windows11-21h2-x64
10     ♡☞Satu...re.dll      windows11-21h2-x64
1      ♡☞Satu...rk.dll      windows11-21h2-x64
1      ♡☞Satu...up.exe      windows11-21h2-x64
10     ♡☞Satu...64.dll      windows11-21h2-x64
1      ♡☞Satu...64.dll      windows11-21h2-x64
1      ♡☞Satu...40.dll      windows11-21h2-x64
1      ♡☞Satu..._1.dll      windows11-21h2-x64
1      ♡☞Satu...64.exe      windows11-21h2-x64
1      ♡☞Satup#/qqwggw      windows11-21h2-x64
1      ♡☞Satu...64.dll      windows11-21h2-x64
1      ♡☞Satu...40.dll      windows11-21h2-x64
1      ♡☞Satu..._1.dll      windows11-21h2-x64
1      ♡☞Satup#/wabxvfx     windows11-21h2-x64
1      ♡☞Satu...64.dll      windows11-21h2-x64
1      ♡☞Satu...ts.dll      windows11-21h2-x64

(Task names are shown truncated, as displayed; the full sample names are listed under "Behavioral task" below.)
Analysis

max time kernel: 299s
max time network: 279s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/10/2024, 08:17
Static task
static1

Behavioral tasks (task: sample / resource)
behavioral1   ♡☞Satup#.rar / win11-20241007-en
behavioral2   ♡☞Satup#/Qt5Core.dll / win11-20241007-en
behavioral3   ♡☞Satup#/Qt5Network.dll / win11-20241007-en
behavioral4   ♡☞Satup#/Setup.exe / win11-20241007-en
behavioral5   ♡☞Satup#/libcrypto-1_1-x64.dll / win11-20241007-en
behavioral6   ♡☞Satup#/libssl-1_1-x64.dll / win11-20240802-en
behavioral7   ♡☞Satup#/msvcp140.dll / win11-20241007-en
behavioral8   ♡☞Satup#/msvcp140_1.dll / win11-20241007-en
behavioral9   ♡☞Satup#/opengl64.exe / win11-20241007-en
behavioral10  ♡☞Satup#/qqwggw / win11-20241007-en
behavioral11  ♡☞Satup#/steam_api64.dll / win11-20241007-en
behavioral12  ♡☞Satup#/vcruntime140.dll / win11-20241007-en
behavioral13  ♡☞Satup#/vcruntime140_1.dll / win11-20241007-en
behavioral14  ♡☞Satup#/wabxvfx / win11-20241007-en
behavioral15  ♡☞Satup#/x64/trading_api64.dll / win11-20240802-en
behavioral16  ♡☞Satup#/x64/tradingnetworkingsockets.dll / win11-20241007-en
General

Target: ♡☞Satup#/Setup.exe
Size: 5.4MB
MD5: ad2735f096925010a53450cb4178c89e
SHA1: c6d65163c6315a642664f4eaec0fae9528549bfe
SHA256: 4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e
SHA512: 1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9
SSDEEP: 98304:o/zx+riUDpJowboU+XEsumY2XW6jBYeZ1ER:2x+riUDwUj12X1tY5
Malware Config

Extracted: lumma
C2:
https://snailyeductyi.sbs
https://ferrycheatyk.sbs
https://deepymouthi.sbs
https://wrigglesight.sbs
https://captaitwik.sbs
https://sidercotay.sbs
https://heroicmint.sbs
https://monstourtu.sbs

Extracted: amadey
Version: 5.03
Botnet ID: 41da8a
C2:
http://sportszone-financefocus.com
http://sportszone-financefocus2.com
http://sportszone-financefocus3.com
strings_key: d7c1288e89ebe71872174bb1aa9f53de
url_paths:
/8vjeh73hdjrFs/index.php
/KFdjj3Cajf4/index.php
/t7hdh39vjhs/index.php
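The two extracted configs give concrete network indicators: eight Lumma hosts (HTTPS, all under .sbs) and three Amadey hosts that are contacted at one of three index.php paths. The following is an added example, not part of the sandbox report or of either malware family: it expands the Amadey host x path product into full C2 URLs and runs a matcher over a proxy log. The log lines and their layout (timestamp, client, method, URL, status) are constructed for the example; the C2 values are copied from the config above.

```python
"""Added example (not from the sandbox report or the malware): turn the
extracted Lumma and Amadey configs into a URL matcher and run it over a
few constructed proxy-log lines."""
from dataclasses import dataclass
from itertools import product
from urllib.parse import urlsplit

# C2 values copied from the "Malware Config" section of this report.
LUMMA_C2 = [
    "https://snailyeductyi.sbs", "https://ferrycheatyk.sbs",
    "https://deepymouthi.sbs", "https://wrigglesight.sbs",
    "https://captaitwik.sbs", "https://sidercotay.sbs",
    "https://heroicmint.sbs", "https://monstourtu.sbs",
]
AMADEY_C2 = [
    "http://sportszone-financefocus.com",
    "http://sportszone-financefocus2.com",
    "http://sportszone-financefocus3.com",
]
AMADEY_URL_PATHS = [
    "/8vjeh73hdjrFs/index.php", "/KFdjj3Cajf4/index.php", "/t7hdh39vjhs/index.php",
]

# Constructed proxy log (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = """\
2024-10-21T08:20:01Z 10.0.0.5 GET https://www.microsoft.com/ 200
2024-10-21T08:20:07Z 10.0.0.5 POST http://sportszone-financefocus.com/8vjeh73hdjrFs/index.php 200
2024-10-21T08:20:09Z 10.0.0.5 POST https://snailyeductyi.sbs/api 200
2024-10-21T08:20:11Z 10.0.0.5 POST http://sportszone-financefocus2.com/other/index.php 404
2024-10-21T08:20:15Z 10.0.0.5 GET https://cdn.heroicmint.sbs/x 200
2024-10-21T08:20:20Z 10.0.0.5 GET https://notheroicmint.sbs/ 200
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    url: str
    exact: bool  # Amadey: host AND configured path matched; Lumma: host matched


def hostname(url):
    return (urlsplit(url).hostname or "").lower()


def host_matches(host, c2_host):
    """Exact host or a subdomain of it; a bare suffix match (notheroicmint.sbs)
    must not count."""
    return host == c2_host or host.endswith("." + c2_host)


def amadey_urls():
    """Amadey beacons to every C2 host at every configured path, so the
    cross product is the complete set of URLs to look for."""
    return {host + path for host, path in product(AMADEY_C2, AMADEY_URL_PATHS)}


def classify_url(url):
    """Return (family, exact) if the URL hits the extracted config, else None.
    A host-only Amadey hit is still reported but flagged as weaker evidence;
    Lumma's config lists hosts only, so a host hit is as exact as it gets."""
    host = hostname(url)
    path = urlsplit(url).path
    if any(host_matches(host, hostname(c2)) for c2 in LUMMA_C2):
        return ("lumma", True)
    if any(host_matches(host, hostname(c2)) for c2 in AMADEY_C2):
        return ("amadey", path in AMADEY_URL_PATHS)
    return None


def scan_proxy_log(text):
    """Return one Hit per log line whose URL field matches either config."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify_url(fields[3])
        if verdict:
            hits.append(Hit(line_no, verdict[0], fields[3], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Host matching is done on the parsed hostname with a dot-prefixed suffix check, so a look-alike registered domain that merely ends in one of the C2 names does not fire, while a subdomain of a C2 host does.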
Signatures

Executes dropped EXE (3 IoCs)
PID 3608  StrCmp.exe
PID 4104  3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe
PID 4048  GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe

Loads dropped DLL (1 IoC)
PID 3804  AutoIt3.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (3 IoCs)
PID 2072 (Setup.exe) set thread context of PID 2724 [procid_target 78]
PID 4104 (3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe) set thread context of PID 3676 [procid_target 84]
PID 4048 (GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe) set thread context of PID 2720 [procid_target 86]
Note: PIDs 2724, 3676 and 2720 are the three C:\Windows\SysWOW64\more.com children in the process tree, each launched with a bare command line; the same three parent/child pairs also appear under WriteProcessMemory and MapViewOfSection. Writing a payload into a freshly created system binary and then redirecting its thread is the process-hollowing sequence, so more.com here is a hollowed host, not a pager.

Drops file in Windows directory (2 IoCs)
File created  C:\Windows\Tasks\Acronis Scheduler Service.job  (more.com)
File created  C:\Windows\Tasks\Window Manager.job  (more.com)
Note: the process tree attributes these to the hollowed more.com instances (PIDs 3676 and 2720). C:\Windows\Tasks\*.job is the legacy Task Scheduler 1.0 job directory, and the names imitate legitimate components; treat them as persistence artifacts.

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  StrCmp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AutoIt3.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
Modifies registry class (64 IoCs)
All 64 entries are written by StrCmp.exe under HKLM (\REGISTRY\MACHINE\SOFTWARE\Classes), i.e. a machine-wide COM registration: CLSID {4F7FA487-8CC1-493E-AF0A-E7A294474F25} (ProgID BtDaemon.cBluetoothDaemon) gets a LocalServer32 of the dropped C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe, and type library {F477A542-C370-42A1-A166-F9CDAF2AF8C6} version 2.1 has its win32 path and HELPDIR in the same directory. The interface entries are written under both Classes\Interface and Classes\WOW6432Node\Interface. An out-of-process COM server whose binary lives under %APPDATA% is worth hunting for on its own. Entries in recorded order (process column omitted: StrCmp.exe throughout):

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU\\StrCmp.exe"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU\\StrCmp.exe"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32
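The registry entries above are the raw material for a COM-registration hunt: reconstruct each CLSID's server binary, ProgID and type library, then ask whether the binary sits somewhere a standard user can write. The following added example is not part of the sandbox report; it parses entries in the sandbox's "Set value (str) / Key created" form (a subset of the ones listed above, copied verbatim) and flags servers rooted in user-writable paths. The USER_WRITABLE pattern is the example's own choice, and the final InprocServer32 entry, with CLSID {00000000-1111-2222-3333-444444444444} and C:\Windows\System32\example.dll, is a constructed benign control.

```python
"""Added example (not part of the sandbox report): reconstruct the COM server
registration from 'Modifies registry class' entries and flag servers whose
binary lives in a user-writable directory."""
import re
from collections import defaultdict

# Entries copied from the report (one per line) plus one constructed benign
# InprocServer32 entry at the end as a control; that CLSID is made up.
REGISTRY_OPS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU\\StrCmp.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU\\StrCmp.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32\ = "C:\\Windows\\System32\\example.dll"
'''

LINE_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) (?P<path>.+?)(?: = "(?P<value>.*)")?$')
CLSID_RE = re.compile(
    r"\\Classes\\(?P<wow>WOW6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\"
    r"(?P<sub>LocalServer32|InprocServer32|ProgID|TypeLib|VERSION)\\$")
TYPELIB_RE = re.compile(
    r"\\Classes\\TypeLib\\(?P<tlb>\{[0-9A-Fa-f-]{36}\})\\[^\\]+\\0\\(?P<arch>win32|win64)\\$")
# Locations a standard user can write to; chosen for this example.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\")


def unescape(value):
    """The sandbox doubles backslashes inside string values."""
    return value.replace("\\\\", "\\")


def parse_ops(text):
    """List of (op, key path, value-or-None) from the sandbox's entry lines."""
    ops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            value = unescape(m["value"]) if m["value"] is not None else None
            ops.append((m["op"], m["path"], value))
    return ops


def com_servers(ops):
    """clsid -> {'wow64', 'LocalServer32'/'InprocServer32', 'ProgID', 'TypeLib',
    'typelib_binary'}; the type library's win32/win64 path is joined in because
    it is a second place the same binary gets registered."""
    servers = defaultdict(dict)
    typelibs = {}
    for _op, path, value in ops:
        if value is None:
            continue  # bare key creations carry no binary path
        m = CLSID_RE.search(path)
        if m:
            rec = servers[m["clsid"]]
            rec["wow64"] = m["wow"] is not None  # WOW6432Node => 32-bit server
            rec[m["sub"]] = value
            continue
        t = TYPELIB_RE.search(path)
        if t:
            typelibs[t["tlb"]] = value
    for rec in servers.values():
        if rec.get("TypeLib") in typelibs:
            rec["typelib_binary"] = typelibs[rec["TypeLib"]]
    return dict(servers)


def suspicious_servers(servers):
    """CLSIDs whose server binary or type library sits in a user-writable path."""
    flagged = []
    for clsid, rec in servers.items():
        binaries = [rec.get(k) for k in ("LocalServer32", "InprocServer32", "typelib_binary")]
        if any(b and USER_WRITABLE.search(b.lower()) for b in binaries):
            flagged.append(clsid)
    return sorted(flagged)


if __name__ == "__main__":
    servers = com_servers(parse_ops(REGISTRY_OPS))
    for clsid in suspicious_servers(servers):
        print(clsid, servers[clsid])
```

Fed a registry export or EDR registry-write telemetry in the same shape, the same two regexes pick out every CLSID registration, so the check generalises beyond this sample; the WOW6432Node flag tells you whether to expect the server under the 32-bit view of the hive.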
Suspicious behavior: EnumeratesProcesses (16 IoCs)
PID 2072  Setup.exe  (x2)
PID 2724  more.com  (x2)
PID 3804  AutoIt3.exe  (x4)
PID 4104  3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe  (x2)
PID 4048  GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe  (x2)
PID 3676  more.com  (x2)
PID 2720  more.com  (x2)

Suspicious behavior: MapViewOfSection (6 IoCs)
PID 2072  Setup.exe
PID 2724  more.com
PID 4104  3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe
PID 4048  GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe
PID 3676  more.com
PID 2720  more.com

Suspicious use of SetWindowsHookEx (3 IoCs)
PID 3608  StrCmp.exe
PID 4104  3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe
PID 4048  GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe

Suspicious use of WriteProcessMemory (34 IoCs, grouped by writer/target with event counts)
PID 2072 (Setup.exe) wrote to memory of PID 3608 [procid_target 77]  (x3)
PID 2072 (Setup.exe) wrote to memory of PID 2724 [procid_target 78]  (x4)
PID 2724 (more.com) wrote to memory of PID 3804 [procid_target 80]  (x5)
PID 3804 (AutoIt3.exe) wrote to memory of PID 4104 [procid_target 82]  (x3)
PID 3804 (AutoIt3.exe) wrote to memory of PID 4048 [procid_target 83]  (x3)
PID 4104 (3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe) wrote to memory of PID 3676 [procid_target 84]  (x4)
PID 4048 (GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe) wrote to memory of PID 2720 [procid_target 86]  (x4)
PID 3676 (more.com) wrote to memory of PID 4100 [procid_target 90]  (x4)
PID 2720 (more.com) wrote to memory of PID 2984 [procid_target 91]  (x4)
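Read together, the SetThreadContext, MapViewOfSection and WriteProcessMemory entries describe the same three parent/child pairs (2072 to 2724, 4104 to 3676, 4048 to 2720), each with a more.com child, while every other parent/child pair in the tree (for example Setup.exe to StrCmp.exe) shows writes only. The following added example, which is not part of the sandbox report, parses the flattened signature text as the sandbox emits it and separates the write-plus-thread-context pairs from the ordinary write-only edges. The process table is copied from the Processes tree below; the "Windows system binary launched with no arguments" heuristic is the example's own assumption about what a hollowed host looks like.

```python
"""Added example (not part of the sandbox report): rebuild the injection
graph from the flattened SetThreadContext / WriteProcessMemory signature
text and pick out process-hollowing candidates."""
import ntpath
import re
from collections import defaultdict

# Process table copied from the "Processes" tree of this report: pid -> (image, command line).
PROCESSES = {
    2072: (r"C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe"'),
    3608: (r"C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe",
           r"C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe"),
    2724: (r"C:\Windows\SysWOW64\more.com", r"C:\Windows\SysWOW64\more.com"),
    3804: (r"C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe",
           r"C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe"),
    4104: (r"C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe"'),
    4048: (r"C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe"'),
    3676: (r"C:\Windows\SysWOW64\more.com", r"C:\Windows\SysWOW64\more.com"),
    2720: (r"C:\Windows\SysWOW64\more.com", r"C:\Windows\SysWOW64\more.com"),
    4100: (r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    2984: (r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
}

# Signature text copied from the report (duplicates dropped); the sandbox runs
# all entries together on one line, which is why the parser uses finditer.
SIGNATURE_TEXT = (
    "PID 2072 set thread context of 2724 2072 Setup.exe 78 "
    "PID 4104 set thread context of 3676 4104 3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe 84 "
    "PID 4048 set thread context of 2720 4048 GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe 86 "
    "PID 2072 wrote to memory of 3608 2072 Setup.exe 77 "
    "PID 2072 wrote to memory of 2724 2072 Setup.exe 78 "
    "PID 2724 wrote to memory of 3804 2724 more.com 80 "
    "PID 3804 wrote to memory of 4104 3804 AutoIt3.exe 82 "
    "PID 3804 wrote to memory of 4048 3804 AutoIt3.exe 83 "
    "PID 4104 wrote to memory of 3676 4104 3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe 84 "
    "PID 4048 wrote to memory of 2720 4048 GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe 86 "
    "PID 3676 wrote to memory of 4100 3676 more.com 90 "
    "PID 2720 wrote to memory of 2984 2720 more.com 91"
)

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_events(text):
    """Map (injector pid, target pid) -> set of event kinds seen between them.
    Write-only edges appear for every spawned child in this report, so a write
    on its own is weak evidence; 'ctx' is what distinguishes the hollowing pairs."""
    events = defaultdict(set)
    for m in EVENT_RE.finditer(text):
        kind = "ctx" if m["kind"].startswith("set") else "write"
        events[(int(m["src"]), int(m["dst"]))].add(kind)
    return events


def spawn_tree(events):
    """Parent -> sorted children, using the write edges as the spawn relation."""
    tree = defaultdict(list)
    for (src, dst), kinds in events.items():
        if "write" in kinds:
            tree[src].append(dst)
    return {parent: sorted(children) for parent, children in tree.items()}


def hollowing_candidates(events, processes=PROCESSES):
    """Pairs where the parent both wrote into the child and redirected one of
    its threads. looks_hollowed is True when the child is a Windows system
    binary launched with no arguments (assumption of this example).
    Returns (injector pid, target pid, target image name, looks_hollowed)."""
    out = []
    for (src, dst), kinds in sorted(events.items()):
        if {"write", "ctx"} <= kinds:
            image, cmdline = processes[dst]
            system_binary = image.lower().startswith(SYSTEM_DIRS)
            no_args = cmdline.strip().strip('"').lower() == image.lower()
            out.append((src, dst, ntpath.basename(image), system_binary and no_args))
    return out


if __name__ == "__main__":
    ev = parse_events(SIGNATURE_TEXT)
    for src, dst, name, hollowed in hollowing_candidates(ev):
        print(f"{src} ({ntpath.basename(PROCESSES[src][0])}) -> {dst} ({name}) hollowed={hollowed}")
```

ntpath is used deliberately so the Windows paths split correctly when the script runs on a Linux analysis box; os.path would treat the backslashes as ordinary characters there.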
Processes
(indentation shows parent/child; depth as recorded by the sandbox; command line as recorded)

Depth 1  C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe  (PID 2072)
         Command line: "C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

  Depth 2  C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe  (PID 3608)
           Command line: C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Modifies registry class
           - Suspicious use of SetWindowsHookEx

  Depth 2  C:\Windows\SysWOW64\more.com  (PID 2724)
           Command line: C:\Windows\SysWOW64\more.com
           - System Location Discovery: System Language Discovery
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of WriteProcessMemory

    Depth 3  C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe  (PID 3804)
             Command line: C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of WriteProcessMemory

      Depth 4  C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe  (PID 4104)
               Command line: "C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

        Depth 5  C:\Windows\SysWOW64\more.com  (PID 3676)
                 Command line: C:\Windows\SysWOW64\more.com
                 - Drops file in Windows directory
                 - System Location Discovery: System Language Discovery
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious behavior: MapViewOfSection
                 - Suspicious use of WriteProcessMemory

          Depth 6  C:\Windows\SysWOW64\explorer.exe  (PID 4100)
                   Command line: C:\Windows\SysWOW64\explorer.exe
                   - System Location Discovery: System Language Discovery

      Depth 4  C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe  (PID 4048)
               Command line: "C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

        Depth 5  C:\Windows\SysWOW64\more.com  (PID 2720)
                 Command line: C:\Windows\SysWOW64\more.com
                 - Drops file in Windows directory
                 - System Location Discovery: System Language Discovery
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious behavior: MapViewOfSection
                 - Suspicious use of WriteProcessMemory

          Depth 6  C:\Windows\SysWOW64\explorer.exe  (PID 2984)
                   Command line: C:\Windows\SysWOW64\explorer.exe
                   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6.2MB
MD5: f1490558dbea9dc33d06d9e1398e9972
SHA1: abf0043310f4d0ff5d01f9b7006d386fb3600ab5
SHA256: ab955a896dd88530e200c6af4978c8e259e6b47abe43ae3cd8b725a816cd55ee
SHA512: 0f40e13b901961881bf3f2aad4ab1048b779074277dc6714d5985fd5a817f2be6bb63aa4ad6e88148ea98c62c2dd25215a9e4712d7f61e095c621448d4068fae

Filesize: 2.1MB
MD5: 68cf885c86d64d0fb592b91ab5486718
SHA1: 66215ee186427dce5b468ad87f81afba210bffde
SHA256: d1554cea4d5d2a1bbc9a87f36e6700ee0335c0710fd42da30257e65d35bc6d44
SHA512: 7934582b26972bd02e9658d7a4845eb9c6285133fa8f76e93e74a5664d5114990bd5ea53fadb78a485a1dbf4ec1405492a3aba83b9c7054105eef6783371ebdc

Filesize: 6.4MB
MD5: 0a16f7b2376eb7f30db869d416d170a0
SHA1: 9086aa5d7e6d5a90f86c10c2c2f99706838efc13
SHA256: bfec0f9a55ee2532c8c94c54a4f544be68d02be3c13a08eec279404f4352877c
SHA512: ce7d52365b262cca62b2c8f635dfbb923459c997e7226c0d4726cc8dde7a32cd8f2100625ebf0f4d91b5f96a7b9a7d9ffd9aa0e98b0514f81c3cfd1af1cd4f57

Filesize: 1.1MB
MD5: 23bb6aa658769a7acfd8b299cf9a4267
SHA1: 0003390b4c0e16d2585716eb556dca51337e74b9
SHA256: afd46becb1249c696a4ef7657389fc19c2e32e2972daef8dd4a57313178a790c
SHA512: cbdd8f6269a07c5516935566493cb9ab816a30f1ad95632911c98d7dad638af74f73ca70d2648c541a7907d6a6ec519c3453a543bd3263b47779a273bb1a50f8

Filesize: 1.1MB
MD5: d9cdee993821347477038d87c0d0e976
SHA1: 420bde3ec149bc06fb2b8ed07a24cca7cd0629a2
SHA256: eecaaa565cc0495e223b31caafd211e08d68997c025d71f9bde98bf4a88bdc08
SHA512: 30a9abe407fde348ea9bf3ef59f24dd845072dcb718867a60b8bb65bd04ded9138448d7e9f807a19aa3eeed222bbbe42c043befb729507dce06dde53b43b8876

Filesize: 13.2MB
MD5: c13aa2a232a5023b77dfaa4772409b0f
SHA1: f00b458bf0899de09f688c04c21fbff8a5fc147c
SHA256: 190ecfadbb3b3bb9400f9f27f2db55c0978cb51ef9569f1cd6636e5523acb4ae
SHA512: 67605e2b6ff63a33d1133e1972a93dcae1303f1afaf704c14d73ec9a5b58525cb860ce55de9f3995cfbd58be7fcbb7adf7eca45678c11f80768666e88a2368a7

Filesize: 921KB
MD5: 3f58a517f1f4796225137e7659ad2adb
SHA1: e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256: 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512: acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Filesize: 9.1MB
MD5: de559fd217e239c23c2c6da8a73ba3de
SHA1: e499ff1ae6da50e17723bcd0d90b2f8fc663a709
SHA256: 102dc63d733c2b78c2a4a72c6709675bd62121cfd38460be6805bca60b5eaa69
SHA512: 1824012ca5e17765256a4834ac229a04eda74f1d954ecbc89ae4d1fe2ab79d2d3d7d0328030734a5f703c51b14e51e710d4804300f42c5dfb8caf02d4b99def7

Filesize: 47KB
MD5: 916d7425a559aaa77f640710a65f9182
SHA1: 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13
SHA256: 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35
SHA512: d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc