infinitylock | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Resubmissions

16-12-2024 05:27

241216-f5kx6awmh1 10

14-12-2024 20:23

14-12-2024 20:22

14-12-2024 20:13

14-12-2024 13:14

14-12-2024 13:12

12-12-2024 18:19

12-12-2024 18:16

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

infinitylock lumma phorphiex quasar stealc svhost voov1 discovery loader persistence ransomware spyware stealer trojan vmprotect worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

stealc

Botnet

Voov1

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes

encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Extracted

Family

lumma

https://immureprech.biz/api

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Infinitylock family
infinitylock
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4bd-83.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4ef-3280.dat	family_quasar
behavioral1/memory/2912-3285-0x0000000000B90000-0x0000000000C14000-memory.dmp	family_quasar
behavioral1/memory/2880-3347-0x0000000000B10000-0x0000000000B94000-memory.dmp	family_quasar

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
2712	%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
1252	npp.exe
3012	33418802.exe
2128	sysnldcvmr.exe
2120	897110930.exe
2200	InfinityCrypt.exe
2600	krgawdtyjawd.exe
1100	ScreenUpdateSync.exe
2912	svhost.exe
2900	r.exe
2880	svhost.exe
2640	CFXBypass.exe
2576	s.exe

Loads dropped DLL 19 IoCs

pid	Process
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe
1252	npp.exe
1252	npp.exe
2128	sysnldcvmr.exe
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe
1100	ScreenUpdateSync.exe
1100	ScreenUpdateSync.exe
1100	ScreenUpdateSync.exe
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe
2640	CFXBypass.exe
2300	4363463463464363463463463.exe
2300	4363463463464363463463463.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000d000000019608-61.dat	vmprotect
behavioral1/memory/2712-69-0x0000000000400000-0x0000000000D3C000-memory.dmp	vmprotect
behavioral1/memory/2712-66-0x0000000000400000-0x0000000000D3C000-memory.dmp	vmprotect
behavioral1/memory/2712-71-0x0000000000400000-0x0000000000D3C000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	33418802.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
37	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2712	%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnOL.dll.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS11.POC.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21413_.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186002.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292982.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299171.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\macroprogress.gif.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49F.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ALERT.ICO.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWCUTCHR.DLL.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME21.CSS.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD98.POC.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.POC.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\MSB1ARFR.ITS.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00820_.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305493.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46B.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_id.dll.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00042_.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ORG97.SAM.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15272_.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XIMAGE3B.DLL.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR29F.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.DPV.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285360.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay.css.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.Infopath.dll.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.js.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019	InfinityCrypt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	33418802.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	33418802.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33418802.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenUpdateSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CFXBypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2264	schtasks.exe
2428	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1100	ScreenUpdateSync.exe
1100	ScreenUpdateSync.exe
1100	ScreenUpdateSync.exe
1100	ScreenUpdateSync.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	4363463463464363463463463.exe
Token: SeSystemtimePrivilege	2712	%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
Token: SeDebugPrivilege	2912	svhost.exe
Token: SeDebugPrivilege	2880	svhost.exe
Token: SeDebugPrivilege	2200	InfinityCrypt.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2712	%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
2712	%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
2712	%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2712	2300	4363463463464363463463463.exe	31
PID 2300 wrote to memory of 2712	2300	4363463463464363463463463.exe	31
PID 2300 wrote to memory of 2712	2300	4363463463464363463463463.exe	31
PID 2300 wrote to memory of 2712	2300	4363463463464363463463463.exe	31
PID 2300 wrote to memory of 1252	2300	4363463463464363463463463.exe	32
PID 2300 wrote to memory of 1252	2300	4363463463464363463463463.exe	32
PID 2300 wrote to memory of 1252	2300	4363463463464363463463463.exe	32
PID 2300 wrote to memory of 1252	2300	4363463463464363463463463.exe	32
PID 1252 wrote to memory of 3012	1252	npp.exe	33
PID 1252 wrote to memory of 3012	1252	npp.exe	33
PID 1252 wrote to memory of 3012	1252	npp.exe	33
PID 1252 wrote to memory of 3012	1252	npp.exe	33
PID 3012 wrote to memory of 2128	3012	33418802.exe	35
PID 3012 wrote to memory of 2128	3012	33418802.exe	35
PID 3012 wrote to memory of 2128	3012	33418802.exe	35
PID 3012 wrote to memory of 2128	3012	33418802.exe	35
PID 2128 wrote to memory of 2120	2128	sysnldcvmr.exe	37
PID 2128 wrote to memory of 2120	2128	sysnldcvmr.exe	37
PID 2128 wrote to memory of 2120	2128	sysnldcvmr.exe	37
PID 2128 wrote to memory of 2120	2128	sysnldcvmr.exe	37
PID 2300 wrote to memory of 2200	2300	4363463463464363463463463.exe	38
PID 2300 wrote to memory of 2200	2300	4363463463464363463463463.exe	38
PID 2300 wrote to memory of 2200	2300	4363463463464363463463463.exe	38
PID 2300 wrote to memory of 2200	2300	4363463463464363463463463.exe	38
PID 2300 wrote to memory of 2600	2300	4363463463464363463463463.exe	39
PID 2300 wrote to memory of 2600	2300	4363463463464363463463463.exe	39
PID 2300 wrote to memory of 2600	2300	4363463463464363463463463.exe	39
PID 2300 wrote to memory of 2600	2300	4363463463464363463463463.exe	39
PID 2300 wrote to memory of 1100	2300	4363463463464363463463463.exe	40
PID 2300 wrote to memory of 1100	2300	4363463463464363463463463.exe	40
PID 2300 wrote to memory of 1100	2300	4363463463464363463463463.exe	40
PID 2300 wrote to memory of 1100	2300	4363463463464363463463463.exe	40
PID 2300 wrote to memory of 1100	2300	4363463463464363463463463.exe	40
PID 2300 wrote to memory of 1100	2300	4363463463464363463463463.exe	40
PID 2300 wrote to memory of 1100	2300	4363463463464363463463463.exe	40
PID 2300 wrote to memory of 2912	2300	4363463463464363463463463.exe	41
PID 2300 wrote to memory of 2912	2300	4363463463464363463463463.exe	41
PID 2300 wrote to memory of 2912	2300	4363463463464363463463463.exe	41
PID 2300 wrote to memory of 2912	2300	4363463463464363463463463.exe	41
PID 2300 wrote to memory of 2900	2300	4363463463464363463463463.exe	42
PID 2300 wrote to memory of 2900	2300	4363463463464363463463463.exe	42
PID 2300 wrote to memory of 2900	2300	4363463463464363463463463.exe	42
PID 2300 wrote to memory of 2900	2300	4363463463464363463463463.exe	42
PID 2912 wrote to memory of 2428	2912	svhost.exe	44
PID 2912 wrote to memory of 2428	2912	svhost.exe	44
PID 2912 wrote to memory of 2428	2912	svhost.exe	44
PID 2912 wrote to memory of 2880	2912	svhost.exe	46
PID 2912 wrote to memory of 2880	2912	svhost.exe	46
PID 2912 wrote to memory of 2880	2912	svhost.exe	46
PID 2880 wrote to memory of 2264	2880	svhost.exe	47
PID 2880 wrote to memory of 2264	2880	svhost.exe	47
PID 2880 wrote to memory of 2264	2880	svhost.exe	47
PID 2300 wrote to memory of 2640	2300	4363463463464363463463463.exe	50
PID 2300 wrote to memory of 2640	2300	4363463463464363463463463.exe	50
PID 2300 wrote to memory of 2640	2300	4363463463464363463463463.exe	50
PID 2300 wrote to memory of 2640	2300	4363463463464363463463463.exe	50
PID 2300 wrote to memory of 2576	2300	4363463463464363463463463.exe	52
PID 2300 wrote to memory of 2576	2300	4363463463464363463463463.exe	52
PID 2300 wrote to memory of 2576	2300	4363463463464363463463463.exe	52
PID 2300 wrote to memory of 2576	2300	4363463463464363463463463.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\33418802.exe
    C:\Users\Admin\AppData\Local\Temp\33418802.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\897110930.exe
        
        C:\Users\Admin\AppData\Local\Temp\897110930.exe
        5⤵
        Executes dropped EXE
        
        PID:2120
- C:\Users\Admin\AppData\Local\Temp\Files\InfinityCrypt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InfinityCrypt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\Files\ScreenUpdateSync.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ScreenUpdateSync.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2428
- - C:\Users\Admin\AppData\Roaming\svhost\svhost.exe
    "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2264
- C:\Users\Admin\AppData\Local\Temp\Files\r.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\Files\CFXBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CFXBypass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\Files\s.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
  2⤵
  - Executes dropped EXE
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
352B

MD5
d88e9e00e44f888860eebe91459baaab

SHA1
ba28943efe4d1587196550fba3675b08275462a4

SHA256
1fdaca90895ac1f3505531a80190b2669478ddee3901b059f9f8d38e762a03e5

SHA512
b8ec801e64ad72abe293e6f5213eb0f3266f15a926357eede65bd505b1f97a488ef76ba219f477e5a3d953c63010d620727313f6e8f0065b67bb7705369fb952

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
224B

MD5
910fe444970b41fe34b7cf90b34e0363

SHA1
c88eb8a8696e67d8752df8888949e8debe436aa2

SHA256
7de3ca6c18109c5d86539e9593c6fd6d8391ce570bab303f79490831a61e6681

SHA512
71a50e4d0023f50d5439effab49bace75736a4afc5069fb6ec202b9d1eef56c96f536cf9a6797ad28019b6de6abc78028ddc06013cf459d7f5eb7cd3c4e24912

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
128B

MD5
760352c980af1c60a8fec2815a17653f

SHA1
0169c05279b48d09a3ed24b2e0569ec76000b0c0

SHA256
10abaab5fcda657d5b47e5a60df9c2b8a047e826ecfb394a229f21db0410e7b0

SHA512
dec353a2b1f868119a7d1bc1f1d2d92a2d07edfe8d7962c470609f1c5d0a9f946947de577526fb40664df992dee12df600e50de8e6d2974b64d26c6fb4947028

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
128B

MD5
d3ddd8b4c77ed1e02dc871ed8297cbe3

SHA1
35229ab39dd063e17c25a7099a449a6ace3e7aed

SHA256
b0a220940f6a9d2bdd62b49d0b853e73d2011e359053f321e6680a9dfc095c96

SHA512
d48abf777ada4ddde3dc95833761914aeefc1b48133472f06cde69a0638a2d737fc2d06c37c6e8d80a17b7db2139ed585f4a003b4ee7468241486c907057a1f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
192B

MD5
e92cf7dfedb20b88ffe699d4af790408

SHA1
6a1bf2e6d984876b721834a050e88492ede02043

SHA256
80479140ad7872118a1984003205f68e6e4b1c5af699cbfb10bc0f2d9a4480e9

SHA512
6d8031ce28313fd190c04afa75697eb1d4c576d95bb51bf85aeb8f923df9573fc81f717e20dae6e05e466cc4d5e9eceeaff2a3397e1f15056a91afa9dc930d2d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
512B

MD5
f9f8939fae3c216754767a684fcf5778

SHA1
4914f17ecb14d80f0446f0d1362ab252f1e83221

SHA256
e20482981d36eb621750c18c26f48a7dac4664cffd48b574d837eac26f3d46e0

SHA512
684d1aa904a97ed1b794aa467b364517dd5eba6539d074588e7c29f6633d964c0679804664fdf29054516b2ff902adbd12848ee63dd82bdc4aba493655185602

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
1KB

MD5
c71453e9416a6c105f46c051898da464

SHA1
d8acd7ba490f79269f3ce9931c83f1a888cf6c26

SHA256
f86984dcd83ed4be805e690d91eb02b44e3e464d4e5bde6917c548c310127c22

SHA512
3ce2f0af6fd82b0573e85b718220d2dff5fd83bbed083f1e4494f878ae7d0958ac60a0ce88affab182644b1c1ee1c62dd4fe178ef97a8e0c6cda9d7dccf65842

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
816B

MD5
d1e2dd2a9995ef32fa8fd3ab904f41eb

SHA1
f47defab191b9f4b5c95e2718232acf3cf7d38dd

SHA256
4bf45241da4ec17f59fe6a2591e93d3b052251be3cb931935cdcb7439282438a

SHA512
c94779af4c1a2d968162ce5c7f158d4e669cbb95328f64ad7f1009be5c8f62db8603b8d8e880ed78dfc635a1f4c74551cc6ff9a67a83651ae586faa7a2d71b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0225aea7620f804c8c27490a0d645a5b

SHA1
f77071ac030d1a3758b9615e2afe08ab767af735

SHA256
2ea0bc2b9b5033cc2b6ed67679c4f8700c471b11fd6c10a53e16b5902e172b6f

SHA512
dc5cc137dbb3d351cfd507717c419b4d420d894b516c184f82c8f2bd0d1c50eb26b022fdd8f88f91e4e4321380093aaef0145ee44dda614b45982b3487307fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD3D5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe

Filesize
239KB

MD5
d4a8ad6479e437edc9771c114a1dc3ac

SHA1
6e6970fdcefd428dfe7fbd08c3923f69e21e7105

SHA256
a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b

SHA512
de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD3E7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\TestInstall.xlsx.EDBA62549B7D70769AA75BB090B2D8BC9AA93C7C160CF6E35C24EB4E063D6019

Filesize
11KB

MD5
d8b597130c0f4b382351db986db5167c

SHA1
039263bb47f0918e909cec1e38114fec0195adae

SHA256
0f77f074a3d143e405b5a15fda7910f7df092912ca0ae627e764977dc0b8a542

SHA512
3592d4fc69c673219318e627e424330a389232a14f07fce575a9e2cc9b3640a185423bbcb7a89a3e4b730c05ae5f3c2fa10420357890c1716c98d2da5e5546ca

Download Submit
\Users\Admin\AppData\Local\Temp\33418802.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
\Users\Admin\AppData\Local\Temp\897110930.exe

Filesize
53KB

MD5
84897ca8c1aa06b33248956ac25ec20a

SHA1
544d5d5652069b3c5e7e29a1ca3eea46b227bbfe

SHA256
023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1

SHA512
c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95

Download Submit
\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe

Filesize
4.5MB

MD5
f95ad9a1d6fdc49adf5889ea2538ac75

SHA1
b5587ce26e0e18d30e40ec5d1eb5812d55885514

SHA256
f092bdb33d071d405d89a1d98752b7f31b64f81494d9d78603cd795cc094766c

SHA512
e382738a606ab208570f40703aa06188c6a269537616f1dad86c499189b0d1bddf38ea85e14b0e446c6277e736ff70f7e9cc030042538d98f9e9e9f9cbac566e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\CFXBypass.exe

Filesize
686KB

MD5
b6ffc5ab3d9c3d132b0cdb490ed800d2

SHA1
69f55a57d6353649c3f709163bb7d440a3a7eb7f

SHA256
138671f56898c4504a02588c6f9c4de6a3961ce015bb147d579bd54bc454ded1

SHA512
4163a1537f80ef49a9ec9dd17b7bfb442be57afb24519d753ee2e2ba99c443e555b69570218aa1ee3a0e7b6419eb2432089d69f8c9f5771ada0115f2965f0f5d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ScreenUpdateSync.exe

Filesize
353KB

MD5
d88e2431abac06bdf0cd03c034b3e5e3

SHA1
4a2095690ba8f1325dd10167318728447d12058a

SHA256
4d37939b6c9b1e9deb33fe59b95efac6d3b454adf56e9ee88136a543692ea928

SHA512
7aa5317dcdf4343f1789e462f4b5d3d23f58e28b97c8c55fc4b3295bf0c26cfb5349b0a3543b05d6af8fa2bc77f488a5ece5eaaceaf5211fa98230ea9b7f49a7

Download Submit
\Users\Admin\AppData\Local\Temp\Files\npp.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
\Users\Admin\AppData\Local\Temp\Files\svhost.exe

Filesize
502KB

MD5
e3cfe28100238a1001c8cca4af39c574

SHA1
9b80ea180a8f4cec6f787b6b57e51dc10e740f75

SHA256
78f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12

SHA512
511e8a150d6539f555470367933e5f35b00d129d3ed3e97954da57f402d18711dfc86c93acc26f5c2b1b18bd554b8ea4af1ad541cd2564b793acc65251757324

Download Submit
\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
439KB

MD5
eadcfd7c84686da06b4fc381bfc96c72

SHA1
0b7d9f3daf6162d0c710ba51614279b8057b5aa9

SHA256
abb95c10ae4b1ff0aa36895d5001d3259f91dfd1bc5c6dfe77f6194be1b41d4b

SHA512
2d7aeaf802e451ab5d611db82eb1ba2241be6f7c91ed7b732d1784d27dbd6c1e701dc2d9b3c622ddee1299cea688c2f5a128f4af06281d3c3fbe41f926fa90d0

Download Submit
memory/1100-3927-0x0000000002110000-0x0000000002130000-memory.dmp

Filesize
128KB

Download
memory/1100-3925-0x0000000002110000-0x0000000002130000-memory.dmp

Filesize
128KB

Download
memory/1100-4788-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/2200-211-0x0000000000D30000-0x0000000000D6C000-memory.dmp

Filesize
240KB

Download
memory/2300-3240-0x0000000006B00000-0x0000000006D50000-memory.dmp

Filesize
2.3MB

Download
memory/2300-0-0x000000007416E000-0x000000007416F000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x0000000001270000-0x0000000001278000-memory.dmp

Filesize
32KB

Download
memory/2300-57-0x000000007416E000-0x000000007416F000-memory.dmp

Filesize
4KB

Download
memory/2300-3239-0x0000000006B00000-0x0000000006D50000-memory.dmp

Filesize
2.3MB

Download
memory/2300-2-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-58-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-70-0x0000000007060000-0x000000000799C000-memory.dmp

Filesize
9.2MB

Download
memory/2300-65-0x0000000007060000-0x000000000799C000-memory.dmp

Filesize
9.2MB

Download
memory/2600-3238-0x0000000000330000-0x0000000000580000-memory.dmp

Filesize
2.3MB

Download
memory/2640-5615-0x0000000000E30000-0x0000000000EE4000-memory.dmp

Filesize
720KB

Download
memory/2640-5616-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2712-69-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/2712-66-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/2712-71-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/2880-3347-0x0000000000B10000-0x0000000000B94000-memory.dmp

Filesize
528KB

Download
memory/2912-3285-0x0000000000B90000-0x0000000000C14000-memory.dmp

Filesize
528KB

Download