Analysis
-
max time kernel
136s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-11-2024 01:00
General
-
Target
c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59.exe
-
Size
1.6MB
-
MD5
0f4af03d2ba59b5c68066c95b41bfad8
-
SHA1
ecbb98b5bde92b2679696715e49b2e35793f8f9f
-
SHA256
c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59
-
SHA512
ea4de68e9eb4a9b69527a3924783b03b4b78bffc547c53a0ecd74d0bd0b315d312ae2f17313085acd317be1e0d6f9a63e0089a8a20bf9facc5157a9b8bea95a3
-
SSDEEP
24576:Wa0E71YwbX4e2F4fOfq444sMDF6XR5w5ZVcs5I0wzvZBjQB/CtNJb/zUJH++QLS0:vYwD4e2FkCq/yYB5alxUNJLzyiegcIZ
Malware Config
Extracted
vidar
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures
-
Detect Vidar Stealer 17 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 54 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59.exe"C:\Users\Admin\AppData\Local\Temp\c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Treat Treat.bat & Treat.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6467514⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "AffiliateRobotsJoinedNewsletter" Purse4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Suitable + ..\Johnson + ..\July + ..\Firmware + ..\Invalid + ..\Baby + ..\Bar + ..\Continental + ..\Ruled + ..\Gay + ..\Hop + ..\Clearance + ..\Wisdom + ..\January + ..\Denmark + ..\Bull c4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\646751\Plates.pifPlates.pif c4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe55e9cc40,0x7ffe55e9cc4c,0x7ffe55e9cc586⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:36⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4292 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,17443829782091785230,3833729441351021308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:86⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe55ea46f8,0x7ffe55ea4708,0x7ffe55ea47186⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2644 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3660 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12812529685140288013,4730918011360906849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2468 /prefetch:26⤵
-
-
-
C:\ProgramData\IJEGHJECFC.exe"C:\ProgramData\IJEGHJECFC.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 2806⤵
- Program crash
-
-
-
C:\ProgramData\JEBKEHJJDA.exe"C:\ProgramData\JEBKEHJJDA.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2726⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECFCBKJDBFIJ" & exit5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Enjoy" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Enjoy" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkySync.url" & echo URL="C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkySync.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2824 -ip 28241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4628 -ip 46281⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
761KB
MD58c66851a94f593031f78c4b0139aa0fe
SHA177d44ebb62b4acb59cbbab47151de0260fa77889
SHA256801f91b149ccc94aef57d7052af2a68663c9549d538ef47f9d657e68b556a207
SHA51272896b71f972dff1bd911662f4beb86fccfcc6882588b1559708e973f6295c778938eb264103fb6286145a2e7ecf08eeed928f4d83d73c39807323beb75a0f2f
-
Filesize
751KB
MD56a054f0935f2ece44e58f88353ad230d
SHA1ff8fd9fe483e9e8ee767e77f7ccab4f4207ff0f1
SHA2562751c72ca341d5a05b1f4b947ebba74bf1e679b388cf560a104918a71adbcc5b
SHA51285e5db38d7c2e179c9d6bc5e76d9666e4f40c331cb6eca37cd264b1cac7c87ed64a7d8981fa198d57cf0ab645b55e7598a305f2763899877be4c09fc9f52f0df
-
Filesize
676KB
MD5eda18948a989176f4eebb175ce806255
SHA1ff22a3d5f5fb705137f233c36622c79eab995897
SHA25681a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
649B
MD5e12e807fc1ac5a9e9db8f1a32096a129
SHA16486c55d1f8af36f226e2d6a71d221348671badb
SHA256d3c4d1b17345c7ad35cbd903a10d3a72830f363869a57a938a92ca14fb16e1f7
SHA512df1bd5fe7e978cd87629345fd6b961a7ee4fe16a6d23143426d5f4a4e0f1827c448549890ddfe394126c61cdabe11b34d392ee767af61218cb8918835cf9040d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
838KB
MD525fcdf5591c9a328c620b8af32cd2f20
SHA1ee45205e655d412ce88adcaefc1834e0460f0824
SHA256dbbdf81d3de4db2e126e21c1a4ffbcc8db413652fb10050bacb421b1c72c2e60
SHA512c4a0be7d4dfbdd32b7a547d3e8eb1a1ca0f00b0c2887b731d316527f6a8ba03e158ab47fcffe17ab216fb4619c2869c1019c257370777d61cd11842b116d79df
-
Filesize
826KB
MD599e609b5b15c404661b6bb0dd1e86310
SHA12426593e4913aaf07229e3a9214ae6551d03ead8
SHA256b9ee4427f66172bd0c42cd0177f4b21698ec212323486644e3c5c72c399e12e2
SHA51274e094589bc54969e8cfc6444620a730e56c2f4926790a44818704fbbe238a0fa865e9b48e5b77ce4fc77e5452a3f40e26a3b04ed6541258a3802756a82eaca9
-
Filesize
826KB
MD5c082ea7bf0d77f36d510ed86a54fd450
SHA122a6ca81f82140049091aa3d7e164a157857f734
SHA256c2ee7daf7c1db88528e0394d34d4ceee29520bf8145b9868030d4ed338ccf416
SHA5121d3de810722a37c26400516aa0480e27dd8912c7d45c9245ac027b76c78199e8072fb37d2887ac1091eeb09cd875b47c1c1fc0b949bbfda546551b5fb3eab382
-
Filesize
826KB
MD5184e41a8016fab0138bcbb3c9217ae73
SHA103f40c5636a989ff053ffe5755a462d6a31463ff
SHA25673413155a5b03b322771f068f636b1090ac33df34aa94f9b359a82471694ef2b
SHA512161c4c173cc1f76cfc1561fa787a17ff95697168738eebb000ec453ccd73c01271d5e9404b40dfeef1443b9fc89e003bd61b612da0398b598ea88f87cebcdb82
-
Filesize
838KB
MD5c8d40cf21a53d04ef160bb0d5cd94c52
SHA13673c97621c8fd10a155d241ce9b2c1b8c56ad88
SHA256f903b54d526817a237841a50dc240a9487295dc032a7ce6cca8b4f5044ae32b1
SHA512746ed06fecc6cafca953837f739bbfc05866eac20b4ba448d78ec6882e4b043202454981eede20680f81c9256efcd7db400cbe9e8c867e35fd68addd72c4a99e
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
152B
MD58c317ec36ee0e507a779eff8c171bfdb
SHA174d3d7ca7e5f237abd0c20939d4a1a0ce3fd4418
SHA2560661842daf49cca59d950d22d5474f2290b137bb3b0f2dceac6bcffcd83be1f1
SHA512c5a94886516de41338ca2e935a278dfe75f4c67e0da2ba5f62dd4f7b0ad9ebc71368d4baab14f4fd9199bc8905b64fb6f7f3cb2896c3a7525a6423a3995ba561
-
Filesize
152B
MD5d5d27a64ba9aa3daee1f83d33538c94c
SHA1350057c75d08b8a902ccd6e3e9574d4cd9ce9181
SHA256573027ad0e1e5b18840d03197531ee293956cf1cfe6abdb202a99166838612b3
SHA512a373b84e7502b0a29beacb70e37e12fa40fd8b832b074e5c1d048d7a9a706b9ed9eb26d1c489b944e03ac5d04f6072f1e93d1bfa6bf08ee0cf706657d7a70824
-
Filesize
5KB
MD53c3c8480607ed696da9521e930eac7c7
SHA179293fd71f30c6c24a106fe9b09ca26c1845c1ca
SHA2560039cf9942b4c8398ee18816145f31cd19b2af150867f982f8968812dc41d1c3
SHA512164b96812eb4de7ca34e3d37cdaa30233edb5fba20269506e372ba3918a4e8994761862b428eec2afa79b9cdbbe2e3f3a402066817a6c63643be42751362e82f
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
1.1MB
MD5e9040d6e82ffa0f28cecfb9c4cedc0ea
SHA10c899a8a0b527e4f9d8542facfae9c73ff2c2595
SHA256cf1c104480409dea5f86c6f0323ef71232ab062b7e719a7a10e2b69a3412f1a5
SHA5129f5e8c989c2a0ba8ef133ad7c95a6b70a849bfe5ca5f7f46ea9e9dcdd568800f9393c884def0fde00dc60d26251f8a81e65eff826555b0b6102faeaf4f890933
-
Filesize
82KB
MD5ee7c47686d35a3e258c1f45053cc75ab
SHA172341f88c79d79cb44ef60fc33783b9f14ff1ee8
SHA256b199ba689f6b383644345854c758629b925f9cb853c0e4e1dcb4d0f891be5eba
SHA512f007c9c101650842dd7b57310d22a0c04fa1fa71f1388285f55fe9cc0b70dbe7a1964ace594793bd707db07c3ea4911bfd21c458993b1bec8fa155250dac2471
-
Filesize
61KB
MD5b01f3d096606e9762d0a6b305163c763
SHA195c3623ad2693cfff27bc1f2fa60e5fb3292f4d7
SHA256adacdc0798acbc5bec0377956876c8b94b52528f51bb998c1f7f1cd2f0db5088
SHA51299e4fb8914a35396395638eb1542fb096ff3cb9ce56258e89350fe49738344819e707a3aa4c9731f02a47da5432a6ec96c42c121b1e8a7113e8aaff250c27b58
-
Filesize
6KB
MD5bca7d728d907c651e17ce086fe7e56ff
SHA1b91db7b274cf33c643c33edc13ec122564d798de
SHA256f837e6522cf5992ed8c1f016c95f84948a83c891294e1aebf0688e3275d3c593
SHA51234ec6af89ebe2c3625dcfb4961df148bd57042084a252d352837663e6a1aaa097a82a7138211a73a046f3b2eea7c459faaa80b22cf9098805f46548926f3b8c3
-
Filesize
866KB
MD5c1f370ffaaea402a8c74c0987b2844dd
SHA1751f94ebcbea6a4d62bf382f18cf83156b57ba44
SHA2563ba807e13102e920b109e89933b2b7fcd0612778dad22f9fb3b0b70f680dc573
SHA51292dfac93bf8cc7f22f0043c4ee36be0e63057242584c238e6625666a24d4a38e736be1910be3eeef14ef3573154c16750bd99a9f5be933b25d757d6715c86456
-
Filesize
59KB
MD511bbe9e6529811962d78cab3d0ee1c43
SHA1f96714a4791c2f655c6abf7288474c07dd48bc84
SHA2567cb10878d4544e53ca4730ab78c244f2e46ed76a7d1329c5c0e01fef8204cca3
SHA512d6fd22a48a1f8d725d921a59ee4ddba149235a329d6ea70dde8e956c080823c38479d2702b7cba27a4c0e7fbb9d028c0e876ae2f0d2f6dced8ad8ec8e179baf8
-
Filesize
95KB
MD5ecf9598497596bde26d0ad70777d6d75
SHA15225aa0982dc031c7361b72cdeff4b7e373f983e
SHA256013836f48c6a0b07dcfba2e219d0e5e4733f6959b9c683f2c7ddf213c973b18b
SHA51226d8e83f6b215a15c87f1ea4355502964cc84c3e991c7c93b47c977b9bfaa17248d7d8a8a8122e80d0187c5b63c831fda65cd7bcf0ca2299a13a2663286183fe
-
Filesize
57KB
MD5006481206cbd4c83fa649632f7222ef1
SHA16e2a05cddac05ce304a77460c6bd7b3f890393f5
SHA25642390451e4799e041cf688fe02a9c33b6aa1b1d873f5b8c954b0ed8ba0af63a3
SHA512ee44850bc2b0390394080198be27e8b74b6ee46e6e379bb3f3f9a4ba53830ecfe955efab4b2beec341ed302a110824350071c716dee80b984d465a7d4419d69a
-
Filesize
95KB
MD54ac36f51637d82d4d2354108de385a58
SHA10c556b79cc52b6710dadcfde1044c1481d996f33
SHA2560efec48bed8c476258cfc1a5a9694d42837234134d0947a2f9c041752f7485e0
SHA512ef661c0c5457002d521c8790e37bd286344a77dea70a9ea0f7bf74a22e6f3722ad67f0546047c29166cd273c6f9415ba0dc7f68d2282ae2e4c7ebd38402afd9a
-
Filesize
99KB
MD5997016fd2fa51b13fdff955e76b66d21
SHA11190f5454bb69687440fbe9699b26bf1a7dc65de
SHA25606978fa33a74ef4c3b3d4971bbb2b8efff84dad1fe2f822dd8c3e179dd3bd880
SHA512d9ca616e7cdbc7f7376ca75a9ea1e75dd140fecacdf5744f3dd36ddb2c332d37649016e495179e0832f8545fb2579150c6664c7678cb08841f7add1148be2865
-
Filesize
78KB
MD5246993f804971aff1da64d44386bef26
SHA18d04fb03b432670ee3b207fcbc616231ec862285
SHA2560bc854aa1b688f84e401919b4c2308f31b88c24068cb64b18bc8f8531f7bcc2c
SHA5122a181d37404fff73f897164152a1076a47517beafa5fe4852544b2f826cc5e700ee5ed0a86ec89ac748a310e34e95a3c0ee8a0656bed283340e25d24346dd5f6
-
Filesize
78KB
MD5804f99fc8fef68f602b5be45a6008a88
SHA182c7298d0abf37dedb6cf5420eace6020e4b9ca2
SHA2568cb4e2b1e61169ab59989e55ebe8c8234dbc13c571b5c87ee90ea4c0dd3f04c1
SHA5129573e28719d68a50e2171f3d9eda5af01236011b16efab4e90f0597612f9dbfe35ba7f137da965a5016e19c2a31e8c68de700588062eea0dd206dae0641197ad
-
Filesize
65KB
MD506b437c07120c91c7f92ce0bc670ab1d
SHA117f58c591c6f8bcfd92e88022dbb16d14c860c18
SHA256cda405b2f101febc4d73784eb66a0fb6241a068448f1f59da50f94d6427d2491
SHA512f49a3f0c9b4e6aca1a3c07183cee4a17ae0b6deb1dd95bfd63b50c768a10243bd49a46fbac3afd626cce4cfb50f9dcc9fa3ebe287955042aab705e305f747095
-
Filesize
87KB
MD545fce45ac7ba97912a521f861fffda46
SHA1f8b2190331947ea12e4b01a575cffc336d0e1821
SHA25623dbd2c3962063f75956f209933f5bbfc5f20364e4bacc198d32b832f624a49c
SHA512099dc0f6a696c4186b046a23ef532aa893d437c59fdb820eaee085516fedf28f4123f0239708e8ebe36ee405e4fca358b6175edf5b09cde69006c16180e56031
-
Filesize
96KB
MD504cad2ab332f64c6161a3a4308db8fd7
SHA1016a65c178852632b151eb917ebf7623bb9dffc0
SHA2569c4a70cf8295104b4b13fe9f7f99af2690ae94760521055c0f492169c1377df2
SHA512bf597406dc401f26d91679ef3aa275f6fe1549a0ae5424acb6879a7b003e53c3936a3e290ccf228cc1d2aaa67fa2a8b78cccae929aaf7397d33e363df52dd243
-
Filesize
6KB
MD5ef125e0bf013c42de1651613d7ba0375
SHA18b50ccabd5f95d730b5744a2d6460afc5bf7e9c7
SHA25625ba04aa9001223300db69f53e972056137193689eb964862228707099e618ba
SHA51223d9cb80f032f61f403d4cd6090e9a4e3849ad4a1002213a9838b1dce4c12da2f7e8ee5e6a9e366527f972ef572b8341845d64d876f95164132fa4e231f8f76c
-
Filesize
85KB
MD5aa5c108559abe590bc4edf77e20e2f2d
SHA188d41d1d1dbd210226b353339e89fca3d1664fc1
SHA256bb324d7599d0862f7e788f941204d85e7b47dc921e3d38a9a48acf80fcd0d0d2
SHA512091519a9ef4bf0a08e02adf30d627c2220a2374b10880a4d7e0eea3e4f39fe293214da3ae9051aa9ad0c83c41419996f44d56b5e878f0bcb352d67a271af39ea
-
Filesize
67KB
MD59a86a061ac6f60588a603dab694901fb
SHA1542fa7abe87867d17de53c1b430f02b6baa6c97a
SHA256aefc1a30b5a9cae66fa5e1e51b0f73e7214c6b5a07d14819e9c50cadf925517e
SHA5123892e394720d527962b09b6fb03b6c3639cf8e458808d36a1c910823801e54a548690260421cef7d69e4b365fa4cd09778bc9958a20c898f70783ea53373fca8
-
Filesize
28KB
MD584e3f6bfcd653acdb026346c2e116ecc
SHA143947c2dc41318970cccef6cdde3da618af7895e
SHA25600a0c805738394dfed356aae5a33ce80d8f751c3b5d7e09293817c07fbaeb9fd
SHA512eeba8f5c0f9163bc38080ac7cfcc5babf9dfdf36b34b341416ca969b9f19cebb141f8b0d2e12e7c41d886eec36e23cf1525a7ce28785ad09154bc3db78ca0591
-
Filesize
52KB
MD55efee5d7edbe127050e3ea3d197120ab
SHA15fa5546f2890ea0298314d46ed7f0bec3819c3f6
SHA256ae4adae2962a4dfca41929164973d98217401cfa39264f3a367220e09dc87e8b
SHA5123644b60eaee9d35e9fe33db8571d0fbe19c61ced979a68098be93c3cdfaf2a82b3ef8329a015fc0644a48c19782a27864948c120744b2d01d6e0284803dcfc61
-
Filesize
376KB
-
Filesize
752KB
-
Filesize
6.1MB
-
Filesize
408KB
-
Filesize
936KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
2.4MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB