Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-12-2024 05:21
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://moutheventushz.shop/api
https://respectabosiz.shop/api
https://bakedstusteeb.shop/api
https://conceszustyb.shop/api
https://nightybinybz.shop/api
https://standartedby.shop/api
https://mutterissuen.shop/api
https://worddosofrm.shop/api
Extracted
quasar
1.4.1
botnet
165.227.31.192:22069
193.161.193.99:64425
193.161.193.99:60470
713051d4-4ad4-4ad0-b2ed-4ddd8fe2349d
-
encryption_key
684009117DF150EF232A2EE8AE172085964C1CF0
-
install_name
System.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Office
-
subdirectory
Winrar
Extracted
risepro
118.194.235.187:50500
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/RpncwxSs
Extracted
remcos
RemoteHost
192.210.150.26:8787
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-R1T905
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
discordrat
-
discord_token
MTAyOTM3NzcyMzcxNTU1OTQ2NA.G7rtDA.iVKPgXW9sMwRqiFimO_Rdc0nXAigNycwugkM4k
-
server_id
696661218521251871
Extracted
xworm
5.0
188.190.10.161:4444
TSXTkO0pNBdN2KNw
-
install_file
USB.exe
Extracted
quasar
1.4.0.0
Office
82.117.243.110:5173
edH11NGQWIdCwvLx00
-
encryption_key
aGPuRaDerdUDJPrAfXtB
-
install_name
csrss.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Framework
-
subdirectory
SubDir
Extracted
lumma
https://immureprech.biz/api
Signatures
-
Detect Xworm Payload 3 IoCs
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Phorphiex family
-
Phorphiex payload 1 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 4 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Risepro family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
XMRig Miner payload 2 IoCs
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 28 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 2 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of FindShellTrayWindow 47 IoCs
-
Suspicious use of SendNotifyMessage 45 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\3yh8gdte.exe"C:\Users\Admin\AppData\Local\Temp\Files\3yh8gdte.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ScreenUpdateSync.exe"C:\Users\Admin\AppData\Local\Temp\Files\ScreenUpdateSync.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 14444⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\System.exe"C:\Users\Admin\AppData\Local\Temp\Files\System.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Winrar\System.exe"C:\Users\Admin\AppData\Roaming\Winrar\System.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted_c360a5b7.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted_c360a5b7.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\xmbld.exe"C:\Users\Admin\AppData\Local\Temp\Files\xmbld.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\r.exe"C:\Users\Admin\AppData\Local\Temp\Files\r.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysnldcvmr.exeC:\Windows\sysnldcvmr.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2742320387.exeC:\Users\Admin\AppData\Local\Temp\2742320387.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\factura.exe"C:\Users\Admin\AppData\Local\Temp\Files\factura.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Sancerre\nonhazardousness.exe"C:\Users\Admin\AppData\Local\Temp\Files\factura.exe"4⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe"C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Files\rstxdhuj.exe"C:\Users\Admin\AppData\Local\Temp\Files\rstxdhuj.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\random.exe"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe"C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\ProgramData\wvtynvwe\AutoIt3.exe"C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe"C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe"C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 11204⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\gU8ND0g.exe"C:\Users\Admin\AppData\Local\Temp\Files\gU8ND0g.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del gU8ND0g.exe4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe"C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3320 -ip 33201⤵
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2572 -ip 25721⤵
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.0.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Discovery
Browser Information Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240B
MD570bddb718d5e8fb8b8a571cfe1cbc757
SHA1451f250192e6042273ddf5c63e170407291896de
SHA2565891b579564855c1e4300a4551c134e402093cef5c4ca430942fadf40cc1002f
SHA5126af1594431b232f1303eaced5519f690016dcb30c974e017f7a41063fb7fd4c465c699805cc2fbe7f3ba0730bc73bf8a93473efb8aa08488749b41f62a379662
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
244KB
MD50f310d0dd203531155edb3816d108f7b
SHA15bb3eed68d98fe1d6b58593a9f94dd836910141b
SHA25649eb3055447db8ce038e572ff2a8b48234e14590064efb9857bbf4779bccbcc0
SHA512be820a8350304b355253b854b911ac5ecd6a6a544d3f71fe1093316214bdf2de40de38e8910499733423983f61de2c64e95fef5099c0852a68ac7d08994954fb
-
Filesize
607KB
MD5160f088e0c2cfc575144baf3c6490757
SHA1ba3b72efa7ac73bc530b512103fc4f35b78b5d9d
SHA2560d65174f3d8e4d8bc12fad4110930c1eb4e711285366cb68a703684b0325d5e3
SHA512aa1acc4f9b8ade2fa821607c09bc61b539551ad87f9ce2180a84fd80fbc8e48d7669de35516a40d2609f9972a27816fbfbb983efbe7e8eb8519913bb437cc468
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5fd98baf5a9c30d41317663898985593b
SHA1ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA2569d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0
-
Filesize
944B
MD554522d22658e4f8f87ecb947b71b8feb
SHA16a6144bdf9c445099f52211b6122a2ecf72b77e9
SHA256af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a
SHA51255f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba
-
Filesize
18KB
MD5d325701745ad295935ffa40a00f48420
SHA11e9cdfcbd1a0df329453a9cfacf2112e8c3aa892
SHA2564a901a4d69c734015600c7d4b40b5966adbf430616a3c566a3f824f42ffcda4b
SHA5124b02bfe5e3f2aff24abaabc4f82380f5bab4181239543e1210b5f21a83ac7d91ad52979d379ee1c248fb5177abd3b8593d5e0ad1378cdbc8f81a3da7c3a35b53
-
Filesize
18KB
MD51393662332cede8805e2b3fc4c9a9304
SHA1f828767a827af62c9b24ccbf2ba66c0d9e27705a
SHA256b751f49b75c13d85dc847c66e894f2b17e80eaf6d8994463da5152fa4cc41a73
SHA5128f528b892258c24c1b5027e746ec28c2f5eca2285521083cdec7bfad4e38ee28c7a6bf2254fcbf33ab438bcc4c9466ebbc631ab52490362b9939f9a3a865376d
-
Filesize
18KB
MD5c6929a1ca3d0df33a46b21d174669c36
SHA1e43492c523162b0a19c3b9323f1a47ef522e7533
SHA256c36d22775c97e57556af3599a10e55cedf86f88de405514d44326790a21a9824
SHA512ea349d966ba9d5794d68b3a688eab7369217a998c8f29682597f1ed0f14bda698fdaeeec32141cbc06601b1b75e6b4597a61120e86e157f61ee7ca40832815c2
-
Filesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
Filesize
53KB
MD584897ca8c1aa06b33248956ac25ec20a
SHA1544d5d5652069b3c5e7e29a1ca3eea46b227bbfe
SHA256023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1
SHA512c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95
-
Filesize
6.9MB
MD5da27820d0637d449d66bb36634e01891
SHA124a0bde8401a05a0eae3d76f9f77cd32e4bbdf18
SHA25625e4f9e539d7e0461c55d4b4fa178c1cbb06760139e360da65648d777f118ca0
SHA5128764f8b7761a16cc35c25ab38a1bdf4e2df9afe73189ceb1ae4d6287c38fbe2234fd83ee5274d582609815180315214cd2d87792062de6f9c47e731fa8363bd8
-
Filesize
78KB
MD5256b65a54c99a55e023149571779e054
SHA13a5c1ad1bb94f25504efca596d95521d732d9fc9
SHA25673a943a4f26f9812166fe0d7c1d8de28eb507a2aeff97a5c110da8479cd3e37f
SHA51238b64b0c202d8b3fec41c9aabdc5bb94c3bef23feea0956f246c8d86ed68fb5d5e2e118d3b3d537ed882301c5e6d73c2986aeac36191226a76422c224046ec1b
-
Filesize
3.3MB
MD57aed36391d90c5d9fe10fd84316b3792
SHA1986d854d0f65a05a13a6f40a183fde23294766a6
SHA256606294151ec0d40f67298b3fb2b2ab9e47459ab27852188e7ee124f9addd3197
SHA512a9a1c60dccc94f484a9598c53c5469dfc58b77efdf9a98fd58c102ff07830da2eba8f72ddc702cef68fa00dc74eac8a44448c56bff6213f199e56b7329a30d45
-
Filesize
1.3MB
MD5ca817109712a3e97bf8026cdc810743d
SHA1961478cdfe1976d5cc30ceca7db9b3552b8aaf09
SHA2566badd865383f71c6d26322fcf3b6b94a5a511981fcb04c8452ff20c8528e0059
SHA512de1c67f87a14f7f3c1416c253a117970974c82e87f94a3b176980edfef0164f2dd4621d81ca0cae95d794a2998e325137ce76ebccc5121ab005ca391efcbec3e
-
Filesize
353KB
MD5d88e2431abac06bdf0cd03c034b3e5e3
SHA14a2095690ba8f1325dd10167318728447d12058a
SHA2564d37939b6c9b1e9deb33fe59b95efac6d3b454adf56e9ee88136a543692ea928
SHA5127aa5317dcdf4343f1789e462f4b5d3d23f58e28b97c8c55fc4b3295bf0c26cfb5349b0a3543b05d6af8fa2bc77f488a5ece5eaaceaf5211fa98230ea9b7f49a7
-
Filesize
3.1MB
MD5e80f9a2d968a10ce2bbd655666befe8c
SHA1d56125da872bda98b592df56baf7fbfdeff94b6d
SHA25695f172a69bb9e7310bf636d76e310ec9603601e488473f2bdfe3c0e7dd2b9667
SHA5129bd6e745142143509f64c0239c9e535985c53d5e28ce4fb328f1e4b354c52f081c0545fe80549754a54857338e9b32ac2dfcab5379bca70f05907a55ae10d04c
-
Filesize
68KB
MD5dc09aad6c4769d9368f8fa4122091f6c
SHA1f39bd3c6bc1ff8d46f8abc9dd8f1205e52162448
SHA256dd084eace8def7ec82b68be818d0ddaba7ba14752679dbbdc5d8af4c1fc9d948
SHA51209d868e0d08e38d1d69e4e43d53f0ebf5e86a9f95528b095a32234e99b12135fa831919eae37ce17a671c02ea6665ff6187e1b560e0291d094fabbb4df782021
-
Filesize
2.4MB
MD5e10f94c9f1f1bb7724a9f0d7186f657e
SHA14417303705591c675e4fed5544021624f1dc4b8c
SHA256f8cbaeb306d1b88f79680d5abaa871541cdaecbe8f28fe6e7b4d1c6e808a97de
SHA512a5e0f0b57757328fd1207998f33c43e8d7f58dd90344808b10f2299f7e9371d41bd0ef3dbff5f86c2b9955dd5999682e907a7b9ec2f523cbb285529c1759105f
-
Filesize
5.7MB
MD531a4da11164220233871e95edce2df23
SHA1e39e2b5ab3556488f0312994b89eaa79e4f6f98d
SHA256ea35a69bc4904317fe315cebc036d5495210de7f1e79b8c891b6cbabade07dbd
SHA512520b6d600497942cedea56c2232d0d7df7598598922b27d9b133ab05f1f8af8f397be5b88b89a7e12b2d83ba5c714cc9918946571379decc1ced099b4f0f7b30
-
Filesize
856KB
MD5f3c6c680b66ef4a132e3a9b61b83622d
SHA1c720cc4ff63d365458e9be977ed692263108dc87
SHA256e51f50b3f520e3de0f0916e0291ad093aa0c50f6c81010001ce5aa2aee88f7b0
SHA512331daf042e405db03632781216131b5495af8ad3f024623757f56b45957bcb0cabc5fa8d08252aa613b03f0e07a685ae60cb260deaa6eae11745f8283750f5a2
-
Filesize
2.2MB
MD54c64aec6c5d6a5c50d80decb119b3c78
SHA1bc97a13e661537be68863667480829e12187a1d7
SHA25675c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA5129054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76
-
Filesize
288KB
MD52b3a191ee1f6d3b21d03ee54aa40b604
SHA18ecae557c2735105cc573d86820e81fcff0139c4
SHA256f0d45f8340cd203ee98c7765267175576d8017df5166f425f8a7483cb35a91c8
SHA51231f621fd96bf2964529607ae64a173c4a99f3976a91283a3609edc3799d98f59de80da6266ca10c26e5c8733644f1764aab00c7ba3e4dc5456573b9b20b6a393
-
Filesize
392KB
MD5a896758e32aa41a6b5f04ed92fe87a6c
SHA1e44b9c7bfd9bab712984c887913a01fbddf86933
SHA2567664288e924fecf085d750dbd40c405bd0dbc9d1ed662c5ecf79c636976e867c
SHA512e6ca9818c394fd3cbbb4f21141c40d5cab3c16a82c96435ea1133eabbb44cc954d022dc6cbd13200d08d5ce8d905c3b933b3edf52eeacca858dfd3d6a3866021
-
Filesize
3.5MB
MD5c07c4c8dc27333c31f6ffda237ff2481
SHA19dbdaefef6386a38ffb486acacee9cce27a4c6cd
SHA2563a3df1d607cadb94dcaf342fa87335095cff02b5a8e6ebe8c4bcad59771c8b11
SHA51229eada3df10a3e60d6d9dfc673825aa8d4f1ec3c8b12137ea10cd8ff3a80ec4f3b1ad6e2a4a80d75fa9b74d5022ccdfb343091e9ac693a972873852dcb5cff02
-
Filesize
79KB
MD50c883b1d66afce606d9830f48d69d74b
SHA1fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5
-
Filesize
4.2MB
MD5dc32e216fad1206bcd28be4ec18b288b
SHA16bfdd776b26c12c56bb91a21b5fd5dbe84090d03
SHA256fa88e9d84316d5019ca53c5f070fd9a4fce81d2457fa71512c510eeea0a3ee1e
SHA5125f12d135e1474c3630b6e8ea8ca0290471e2e0216333828af5dda431dcf2f5c44895199b9f8cf82fb05655e9306f78c7ab1f0a579459db57b742cdf980fcc395
-
Filesize
963KB
MD51ef39c8bc5799aa381fe093a1f2d532a
SHA157eabb02a7c43c9682988227dd470734cc75edb2
SHA2560cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4
SHA51213a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682
-
Filesize
125KB
MD51ec718ada22e61a5bbbc2407a842b95b
SHA1c3cb7876db3734c686b64a7bf83984bf61a2a9ef
SHA2562e3bc4c6b0789469f9b7fe876adbc47b5b22f6b15ec7dff70ad588d838937677
SHA512ccc2b06edd4b724eba92f251bc62df424c61ea0668c06b06080a1206021889b5791855672f422ecfe889aba6d8b4f8fccf6ba23eddf358e7d84056a549e5fb8f
-
Filesize
4.8MB
MD5deec0a7c5e6af53603b0171a0d7d5174
SHA115600a4e91ad83e4351c7a6a87e9102bb5998459
SHA256df22795e42488daabc77eeb96f724ea6df453ed2ebcae81db03993b560ed5ab3
SHA512e2809515a7ab66461144bcb746d16004df682cc93c92ee6874b876bc1307d62056ce780468ed179c782cf20027bfba4ca3867a04da6785e399eee0cbabeaf40a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
481KB
MD55da0e2a6af58f3c61e2a9d03160b0be6
SHA1077b3fb750beb67eb8615c3101ceb91e2c9f8ca1
SHA2566412b25824b53394b1b61f6dad679d0701f99dd9daa27a3fd1893ab0d5883fd8
SHA512166ea3de661e775bc46ebdcdeb70337d1692a73beb8450d3251c327c3364d70ced003467e3574a874fba599a834bd5bd07697adf3e6f78b52dd410988c64b90b
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
128KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
3.3MB
-
Filesize
14.6MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
1.8MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
1.8MB
-
Filesize
96KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
32KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.1MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1024KB
-
Filesize
4.2MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
96KB
-
Filesize
80KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
136KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
992KB
-
Filesize
952KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
336KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
5.6MB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
304KB
-
Filesize
416KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
6.9MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
184KB
-
Filesize
312KB
-
Filesize
40KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
416KB