Analysis
-
max time kernel
749s -
max time network
725s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 10:51
General
-
Target
https://storageinstance.oss-ap-southeast-1.aliyuncs.com/secrator.txt
Malware Config
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Drops file in Windows directory 16 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://storageinstance.oss-ap-southeast-1.aliyuncs.com/secrator.txt1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8adf46f8,0x7ffc8adf4708,0x7ffc8adf47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5584 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18068342891371486941,8797753100779147729,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4716 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb89c2f7bhd0ach432dh99b0hdf81a7c0e55d1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc8adf46f8,0x7ffc8adf4708,0x7ffc8adf47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15828043982245244336,17187745819732787675,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15828043982245244336,17187745819732787675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd2c7e3abh3b3ah41e2hb573hfc01ce2094791⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc8adf46f8,0x7ffc8adf4708,0x7ffc8adf47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7993232057728845212,6345747636677445097,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7993232057728845212,6345747636677445097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:32⤵
-
-
C:\Windows\system32\osk.exe"C:\Windows\system32\osk.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x344 0x3cc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\secrator.cmd" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\secrator.cmd" "1⤵
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\secrator.ps1"1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\secrator.ps1'"1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe"C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Uni Uni.cmd & Uni.cmd3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7969894⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "SigConsumptionDisciplinesSong" Envelope4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\796989\Dept.comDept.com I4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 16045⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe"C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Uni Uni.cmd & Uni.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7969893⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\796989\Dept.comDept.com I3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3172 -ip 31721⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD527fd880b462c0db528c3fa935998e092
SHA13a3fa7d6779810c4fbc233fa24617fc17b5e05cd
SHA256103ae0ecddfda19a9ec0982f28bbd2ee111140ada3ab7bfa5a0049df4a5e19ca
SHA512bdff522714046c759919be644948ea7ceda09f14d14fdd1b4dde97d82b5064a60bed8c7a53440471ce74b9a748972b42f95ff7c798ac60e5784edc96cce8bdcf
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize
5KB
MD5f3c320469a4667daa212bf56507f7392
SHA13fc46de5e6f037a2d9f8519dfef6f093b5cb6033
SHA25682941951135b0f4722ba949740303daea814c8d55b130617b9fd2be29f90f7d3
SHA512e706823c39ee111d4c65e79236bc0f10828bbc7b6efbfebe663af67975125a26d699f7cc6b968ebe44dd5e5b8da264b39f861387d54d29038e5661b7b1c67262
-
Filesize
6KB
MD530c1f2da17c758759eba2f6a342040e9
SHA1d9afca05fc067245c25f3dcf8cbcb74ed7007047
SHA256aa3a83158aa22e92683f76c1c58c604b665c5002bf39f10bf177183eb6cc702a
SHA51296453c6d3b7dd7342eae435e1b0ba196b5899ae25ed5845b53fbf1f010f79eb9b295623dee52167b9391c239dd1f2c483c0508707bbf4a2ee442e8d981ff8a6d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5e14ac95d1385d990798029aa6c983b36
SHA1fd4f760fe0247ae77f1208c4b3dbef5177fae55b
SHA256d86c78bd851a592451996f2fbca46b96fe1b5bb52384ecc712612d00b47e3822
SHA51257c68201b0eaf78d204b68157bdfeb8cf52300de5b630715f37742a14e445485a9be9745aa9515b4b28d424e8015ca40cd4ebbd12b444b03c5eb6946a0d773f6
-
Filesize
10KB
MD589b13d02b93e11fc382f0446978b7d95
SHA1f99f9fc7c0f369ad1c544c590a5b49996a91b2a4
SHA2565ffb44a3db997e6fa2c9e22f7824d7ea2d9a859ba5ebafb4c9343bb1d355ad1a
SHA5125b2d0babaf18edee4c5a30bb753487acf23987fa9dbe5569f0a27b3e1cf28088662129bf62ddba4c981dc9ae77dec3e124301d95ee8cc008da39b9ba3bd000f1
-
Filesize
11KB
MD58415c041fa5342ad509c80bf2436f493
SHA15c0f2ae1ac0e14ff1b646ee36b4655d557ab488a
SHA256b9278a0f43e488d0b5f79cabdc3b55a01385bebdb6ac9dc119b84d824c061ede
SHA5128eb52a491693684469097fcc8388e0cfaa82cb8f7b54061803c19786c919bf7ae22b160e92ab93da71d3ed82591a3100aa67940f5d5f5f33d41e0a39af5e0b86
-
Filesize
10KB
MD55210e63ba3b0b50f34b57c1bea5b34e7
SHA1905707ff7f7c5df382d2868a85b499a7305be3d2
SHA256d718b30f4dc049c78a5ee6d9520aa28a953b45cf9f74e16a2a5b0de9b8406a67
SHA512361aba90f7a51d815f0d5a0f8f76204254610030de2626ca2595bd012e0852e8a391838de2191f95e8e72a2613e4767220cdcc0bc4576b4440487b051304cc20
-
Filesize
10KB
MD52e192424deedfac3c950ab11e42f19d9
SHA15a01decf4d4c066f9a14a1f35ebc6e990cd23604
SHA256fb88b724c759c93c7b6713011e6b9fb67ec069ac50c532a529c07e18fc0f40bf
SHA5128cd2bcc25982d91eb3065bf3570272af34f71eeb16405053619a0d60a0953ab39006d352dcfa501bf18b6a061f5285ce27f5ec2a309cb8a9edba0762157777a8
-
Filesize
10KB
MD5af3fb761a47b0181629c207eec547bca
SHA1184340b6d394663f00bd93fb18c9d7d233cc6cc7
SHA256b6c0f0446207ca69a0c3c2dcab7d3d16ba318ee80e6627bda4305fd164f91977
SHA512d22b280e9c1934e4bff24a1af86232f5c44daf2984a9fdfcb826ab9cade418603b9a5b727e62bd871abda1ca92a83ce2ef9ba618ed52c4d7e495257f8cc1a962
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
489KB
MD535431b1f719e5f8edd3ee4c56d590bc9
SHA1c4667dc8990f03e9d3410e636957d5e9c73773c7
SHA256427536f6a144672b8c5cd873d89c0374dab2c6383256347eef80b291729b99b0
SHA512358ea29b484c7e7d493fec6270a7d3a6147852ba68f1c1f5fd9dc277e65dc24239b3718fb1ca986f354b5ebc954dae51f1e478db9d034a6f3417f6564d967fbd
-
Filesize
91KB
MD50124e182e6ab32c597551f987c8efc9e
SHA15b1504b161a4748cfdff1463b4a370b7ee6caf14
SHA2566484dd9a145b3178a2534dd802441a7b8d08a679c3241c11395c22bfa6ba6826
SHA51270e76a19d9f3382e14463e9f79dee0db404482e714f1ca9b0330ad144c055b6c6464d9be6bbb94e7e05048925b8f2dd1049276b4982722b7e8a2d8fe7e2dd010
-
Filesize
1KB
MD5930b977ce8cf5c68e617c0cc083b6915
SHA107ab167616b479dd68ea9cfdad2c51d180757596
SHA256cd56fdf1345808d2c8d7a099dabc0d8667581b2888fa973eba477509f7875f3e
SHA512a823ba03f129037c1feb58f7f5408070f512dc0d4044cbaa5aa28295a1e7d952b4172119a1609c271273e8b31ec6aed5d4b3a570cfc5bbc3846821eb1f791814
-
Filesize
56KB
MD584df1af81b44c0e9ac087f6b724dbfe1
SHA1c2604b423fa3a1dfd0d41fd05364f390db94e0f0
SHA256649f01b11633d4f45165010db7e1150d9ddf533fb2906cc7f26ebf4d3807d2c4
SHA512b69aca208184bac03392a91a04cb737772576a2e29ad8a9549d1917c88e86d2fe12e22d9d1a9d01dd08eb1fefa27c13c26a14c41a0551e75dc72f3d64ce97403
-
Filesize
81KB
MD5cce2e35fcd13802b894592bfa8bc4832
SHA1e4b2ebbcea783891bae927d45a5d20a99b0d2c57
SHA25649c9f0a08d446ac52e26ec0a79578d6e8cd0363adce44af727c537c2c127f278
SHA5121f2ac58895ebf1a4c3989a5d76ffac39012fe511030508bfef1c164e0d8301f5f7ce2b87381604b1fa1a0443b5f6ca59948061f7a2f7634d6cdfa0880dc33798
-
Filesize
86KB
MD5c3a23aa50702baadcffdb632c0781eaf
SHA126adb4b06851eb66a2fc3a4b2dc29055e6291e91
SHA256e27aec3fc7086af2906fbf8d5a1a17e3f6871651f2663f8e5a3f5b44dd1e7d61
SHA512545aefc06ba554d32183d8e96f3eafc6204e609d95c4bc8e8bbede315ccc78605d916533fabe995dd9e50b3a0ea63d12e64445e3346dafe24267281b8ca23284
-
Filesize
39KB
MD547b8c8360718381beb75b78cad9989d4
SHA1b1c9ed94b846670c0fbb0322b607b3e5affce120
SHA2560d7c733985efc3042c41b2b26c32b7b8ce65ff9071ebdd872c3d0520a18351ed
SHA512724d7030e1fab1adc5a9798e18cf75c11159cce1e57ab493a4595bdb14b68129c46a518616c427131963a7fd06e741965faca545fc5f007ab120cf28c1fe4d98
-
Filesize
62KB
MD5b09b69ffbbb1c92beb55c7fd798c8c66
SHA1a648e5a9721d8623dd6fca06d5295d1f07b13519
SHA2564b54975d3405ea89c477daa9802d93b4a56683a901039d31e8eb1218deb742fa
SHA51274d6cb22483b46a36887584c97060b16a1f8b6dcc280a8d9c7456d1c8c174b61487990af0bd7426b431ca7fde197ade2f5785784d27ab4371003feaecf2bb409
-
Filesize
919KB
MD54414fe8f2635b6344106903d0f52455d
SHA170f135830f92733b3f0bbdfa35b1f0e36e9e5746
SHA256578f765c46f2b2842f3455c37549326a9ea665aeedf5b86f6c3ff0be1a5f1244
SHA5123c818c29afc91ce177db19c91026017cb567e2e6b0727ba271d66cc5c4f107661a677abc4ea5d1c281c56b3de166ed8ceaf298fa2ecb8f50a08bc1fcb6a0c91f
-
Filesize
7KB
MD5df066c1e3038ff1c556a50a0782e0de1
SHA1ebad7031e3b7651898e3d916d0aa0cb09397d03a
SHA256cb4ca6cf393c39f6fffab51f095518826e38d4eff4fb0f42aa1fb9a4d7ef0b3a
SHA512649874ac78af57207d1d06059e9e5eac3814c13910d08e9325cb500434ad4cb553cdab659db3291839523d0ae636251ac925224db04ea29dde8be41e1d8cb194
-
Filesize
74KB
MD5cf96668f1c4973c8b43a72d90221e4d3
SHA13b512b9979650f556936a5b0866387820d112745
SHA256720160bb915923d8cf54be5d580ac5c13e67a261daf3ae65f972435dd716cd07
SHA5121d9c6299cce257f780252fe4805836f4f27914a816ef89d81119e2553008083754bdb16f25f895f85e35ccb5daa5c5f79fcff2d203b40c5444c88f9fc76b276e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.0MB
MD5a737e94c53a284ae8c712eb7b2a2d209
SHA1a5d4113415f38413b5bcc2698e4aaf573cf8217c
SHA256677b2f7ea578826adb9c0f359c6436c364f712803080b38d81ecc1f25e5b97f5
SHA512ab87ef25549d4860269015d279aaf90a35bfd4c26457271a84cacf64c0a0c97d0e4c435136fb9defd2c64307d1bc1e9596ee278c868e101f6a2c657f87bd80b6
-
Filesize
493B
MD57cc08429b87f9aba8606e95114957b82
SHA12ba425be1fe0f12fa419bc93c22e7a2079b0c6b7
SHA256856be8a4d18a57d625d371054956b9ff1b9824e05894530bcf843629dce33cac
SHA51291bf2f2c4090505e0606802aa64c1220729f08f1f3087cd5d4d81923d4d838a8459686a33fa60c2291398560aa47b19f697a29d067bd4cfbc4ff018c909bc4c9
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB