88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
Size

80KB
MD5

40060de425545a1307eb02e2521c4b53
SHA1

686a4365ea6719d80d44a3514b821549527f4018
SHA256

88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d
SHA512

c4c66735f7b935d4f8d88fe8e8e31ed4c2a129b6f35a15d8fe1df12d9e98c2a7bbac3763b0c0daae065747b80f21649c67af560a85e988e25d7773896bbea36f
SSDEEP

1536:ev128ZrmB+RdtK4QjXvquct+beug5VSM8E0kVva3DKD:y2OgTjg5VS5ko3DKD

Score

10^/10

collection discovery execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 224 created 3460	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	56
PID 4900 created 3460	4900	stilkript.exe	56
PID 1696 created 3460	1696	STUB3kript.exe	56
PID 316 created 3460	316	Yziybyoeyth.exe	56

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
64	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eras.vbs	stilkript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fallback.vbs	STUB3kript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs	Yziybyoeyth.exe

Executes dropped EXE 3 IoCs

pid	Process
4900	stilkript.exe
316	Yziybyoeyth.exe
1696	STUB3kript.exe

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 224 set thread context of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 4900 set thread context of 412	4900	stilkript.exe	89
PID 1696 set thread context of 1708	1696	STUB3kript.exe	100
PID 316 set thread context of 5088	316	Yziybyoeyth.exe	104

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stilkript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yziybyoeyth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1360	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1360	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
4900	stilkript.exe
316	Yziybyoeyth.exe
316	Yziybyoeyth.exe
316	Yziybyoeyth.exe
1696	STUB3kript.exe
64	powershell.exe
64	powershell.exe
316	Yziybyoeyth.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
Token: SeDebugPrivilege	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
Token: SeDebugPrivilege	4900	stilkript.exe
Token: SeDebugPrivilege	3552	InstallUtil.exe
Token: SeDebugPrivilege	4900	stilkript.exe
Token: SeDebugPrivilege	412	InstallUtil.exe
Token: SeDebugPrivilege	316	Yziybyoeyth.exe
Token: SeDebugPrivilege	1696	STUB3kript.exe
Token: SeDebugPrivilege	1696	STUB3kript.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	316	Yziybyoeyth.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4900	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 224 wrote to memory of 4900	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 224 wrote to memory of 4900	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 224 wrote to memory of 3552	224	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	86
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 4900 wrote to memory of 412	4900	stilkript.exe	89
PID 412 wrote to memory of 316	412	InstallUtil.exe	94
PID 412 wrote to memory of 316	412	InstallUtil.exe	94
PID 412 wrote to memory of 316	412	InstallUtil.exe	94
PID 3552 wrote to memory of 512	3552	InstallUtil.exe	95
PID 3552 wrote to memory of 512	3552	InstallUtil.exe	95
PID 3552 wrote to memory of 512	3552	InstallUtil.exe	95
PID 512 wrote to memory of 5840	512	cmd.exe	97
PID 512 wrote to memory of 5840	512	cmd.exe	97
PID 512 wrote to memory of 5840	512	cmd.exe	97
PID 512 wrote to memory of 1360	512	cmd.exe	98
PID 512 wrote to memory of 1360	512	cmd.exe	98
PID 512 wrote to memory of 1360	512	cmd.exe	98
PID 512 wrote to memory of 1696	512	cmd.exe	99
PID 512 wrote to memory of 1696	512	cmd.exe	99
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1696 wrote to memory of 1708	1696	STUB3kript.exe	100
PID 1708 wrote to memory of 3516	1708	InstallUtil.exe	101
PID 1708 wrote to memory of 3516	1708	InstallUtil.exe	101
PID 3516 wrote to memory of 64	3516	cmd.exe	103
PID 3516 wrote to memory of 64	3516	cmd.exe	103
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104
PID 316 wrote to memory of 5088	316	Yziybyoeyth.exe	104

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
  "C:\Users\Admin\AppData\Local\Temp\88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\stilkript.exe
    "C:\Users\Admin\AppData\Local\Temp\stilkript.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uVzPdZf9RJAc.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:5840
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1360
  - - C:\Users\Admin\AppData\Roaming\STUB3kript.exe
      "C:\Users\Admin\AppData\Roaming\STUB3kript.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\Yziybyoeyth.exe
    "C:\Users\Admin\AppData\Local\Temp\Yziybyoeyth.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Folder1'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Folder1'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:64
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
1KB

MD5
9a0ef0e3ffe71dbbe73bbc2a73213cea

SHA1
3015608c23afb25470d2449819f415355db2397c

SHA256
b51d5b2511f7918e82b13c32902466ca2be7bd6a3e025b81324a7aa570444612

SHA512
400805b48dee34b01f2cddb9409e6cae988e692acce15e727223e8386c28bbbe0b5fa7c5015e0fcc71223a5a592fe31f9cb04d78d8bc0f0fb5ddf8722a4214d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yziybyoeyth.exe

Filesize
182KB

MD5
5d2e9f2a0aedf4232747174b665c0971

SHA1
66ed9454b15f09a3f73c3e330bb97085e10f67b3

SHA256
59d0075f53e1644a2128421155c9b368a15922f420f71e10431e28bd04c46086

SHA512
54be9e4fbe34dcfba6daddd20c934c37172ae1de3505357bb2c4191e686fe52ac02efee66f545d7645a57923e2936219a706cfd0fcec1af707b3eb91e2af99ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oeg0ik2c.nmm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\stilkript.exe

Filesize
79KB

MD5
13bbcfdfa76727df3566d9b279407b4b

SHA1
8f042048de38fd1d4b411a18e041812cf9ea4d62

SHA256
8c65351a7b2c2f1d3f314e30cf1619d4fb4bd9e9792514cfa6fb15761a38332d

SHA512
b3dfb5e75ba4351334d1e26dfa61e1bda7b84c5b8644e0ba8fd1ebb68f7d34fa104f0db3acccde8bf4663a13228fe4b75a4b84ba6a3467c7a3af0d1e28da8b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVzPdZf9RJAc.bat

Filesize
173B

MD5
5893e5fd6a1b0450cbcbc73c06dbc627

SHA1
ec1a8b20a803fb19ad8cecb403c74743192b37e8

SHA256
3eeb39cbd2a1be2e19a017600af00763aaa5803883a4d8f4b6ce60b2148a4ad0

SHA512
d0fb54307c46feee69aa019dd6e29fab75c85912d5d40f23892c215f0966aac6f8685632b5210e27246596c46b9d39c9ea54136e4733fb9306d038cad7f893dc

Download Submit
C:\Users\Admin\AppData\Roaming\STUB3kript.exe

Filesize
2.4MB

MD5
c1892b00f069a675d70ff0f98fbf2442

SHA1
a21d4baff0f02f8a1b365c9d4e73c01a86336d26

SHA256
1dcf6e44bd8dce0aea1fa0195cb66d82130d2188a5c71a20eeb6fa66b2512b00

SHA512
f948c36eba9b841e09ab8d2c4f3a97c9142be5ec87a1271b6918d73841cdd0cfc8a76e9cbb1567ff65122092696c20e44b3e2dec3e58670e3da88630cf77880e

Download Submit
memory/64-12454-0x000001E4ED9C0000-0x000001E4ED9E2000-memory.dmp

Filesize
136KB

Download
memory/224-1158-0x0000000006AD0000-0x0000000006B1C000-memory.dmp

Filesize
304KB

Download
memory/224-1181-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/224-49-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-69-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-67-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-65-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-63-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-61-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-59-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-57-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-55-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-53-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-51-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-47-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-44-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-39-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-1172-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/224-36-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-33-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-31-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-29-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-27-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-25-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-23-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-1177-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/224-19-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-17-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-15-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-13-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-11-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-9-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-7-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-1156-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/224-1157-0x0000000006B80000-0x0000000006C2E000-memory.dmp

Filesize
696KB

Download
memory/224-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/224-41-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-1171-0x0000000007580000-0x00000000075D4000-memory.dmp

Filesize
336KB

Download
memory/224-1-0x0000000000AD0000-0x0000000000AEA000-memory.dmp

Filesize
104KB

Download
memory/224-37-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-45-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-21-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/224-2-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/224-1180-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/224-1185-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/224-3-0x0000000006750000-0x0000000006890000-memory.dmp

Filesize
1.2MB

Download
memory/224-1187-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/224-4-0x0000000006E70000-0x0000000007414000-memory.dmp

Filesize
5.6MB

Download
memory/224-5-0x00000000069C0000-0x0000000006A52000-memory.dmp

Filesize
584KB

Download
memory/224-6-0x0000000006750000-0x0000000006889000-memory.dmp

Filesize
1.2MB

Download
memory/316-12468-0x00000000022F0000-0x0000000002344000-memory.dmp

Filesize
336KB

Download
memory/316-11361-0x00000000064E0000-0x0000000006586000-memory.dmp

Filesize
664KB

Download
memory/316-10286-0x0000000006170000-0x00000000062A2000-memory.dmp

Filesize
1.2MB

Download
memory/316-10280-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/412-5252-0x0000000005320000-0x0000000005412000-memory.dmp

Filesize
968KB

Download
memory/412-10274-0x0000000005E90000-0x0000000005EA2000-memory.dmp

Filesize
72KB

Download
memory/412-2351-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/412-2352-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

Filesize
624KB

Download
memory/412-10275-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/412-5249-0x0000000004ED0000-0x0000000004EFC000-memory.dmp

Filesize
176KB

Download
memory/1696-11368-0x000001A60AD10000-0x000001A60AF82000-memory.dmp

Filesize
2.4MB

Download
memory/1696-11370-0x000001A625690000-0x000001A625798000-memory.dmp

Filesize
1.0MB

Download
memory/1696-12445-0x000001A6254F0000-0x000001A62556C000-memory.dmp

Filesize
496KB

Download
memory/1696-11369-0x000001A625580000-0x000001A625692000-memory.dmp

Filesize
1.1MB

Download
memory/3552-9141-0x0000000006A20000-0x0000000006B14000-memory.dmp

Filesize
976KB

Download
memory/3552-1191-0x0000000005670000-0x0000000005C88000-memory.dmp

Filesize
6.1MB

Download
memory/3552-5250-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/3552-4449-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/3552-1190-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/3552-1189-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/3552-1186-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3552-1188-0x0000000004F10000-0x0000000004FCE000-memory.dmp

Filesize
760KB

Download
memory/3552-5251-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4900-1192-0x0000000006760000-0x00000000068AA000-memory.dmp

Filesize
1.3MB

Download
memory/4900-2343-0x0000000006BB0000-0x0000000006C6A000-memory.dmp

Filesize
744KB

Download
memory/4900-2353-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4900-1175-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4900-1183-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4900-1170-0x0000000000C20000-0x0000000000C3A000-memory.dmp

Filesize
104KB

Download
memory/5088-12473-0x0000000000810000-0x000000000086E000-memory.dmp

Filesize
376KB

Download
memory/5088-12474-0x0000000004C80000-0x0000000004D3C000-memory.dmp

Filesize
752KB

Download