cryptbot | 0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
Size

666.5MB
MD5

4db8683f70b080f0b4788262d56a3992
SHA1

14c2cd15e18dad176decc3aa6a91ebd227d8746b
SHA256

0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b
SHA512

e98b7e868e64660bd335c8de4ee1ab9b605baf281731bcde4827cbcc48cf0f9f025e38837c63795bbc0099eb5555b0347b0d40d465e782ee9e1c2c8dc04d154b
SSDEEP

49152:sh+ZkldoPK8Yac12Eat4dwyYHZQe8BySO:92cPK8NEakTYHG9y

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Executes dropped EXE 1 IoCs

pid	Process
2784	Sokolevu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sokolevu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1364	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	30
PID 2092 wrote to memory of 1364	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	30
PID 2092 wrote to memory of 1364	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	30
PID 2092 wrote to memory of 1364	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	30
PID 2092 wrote to memory of 2920	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	33
PID 2092 wrote to memory of 2920	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	33
PID 2092 wrote to memory of 2920	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	33
PID 2092 wrote to memory of 2920	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	33
PID 2092 wrote to memory of 2072	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	35
PID 2092 wrote to memory of 2072	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	35
PID 2092 wrote to memory of 2072	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	35
PID 2092 wrote to memory of 2072	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	35
PID 2092 wrote to memory of 2704	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	37
PID 2092 wrote to memory of 2704	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	37
PID 2092 wrote to memory of 2704	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	37
PID 2092 wrote to memory of 2704	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	37
PID 2092 wrote to memory of 2748	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	39
PID 2092 wrote to memory of 2748	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	39
PID 2092 wrote to memory of 2748	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	39
PID 2092 wrote to memory of 2748	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	39
PID 2092 wrote to memory of 2900	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	41
PID 2092 wrote to memory of 2900	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	41
PID 2092 wrote to memory of 2900	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	41
PID 2092 wrote to memory of 2900	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	41
PID 2092 wrote to memory of 2612	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	43
PID 2092 wrote to memory of 2612	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	43
PID 2092 wrote to memory of 2612	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	43
PID 2092 wrote to memory of 2612	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	43
PID 2092 wrote to memory of 2716	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	45
PID 2092 wrote to memory of 2716	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	45
PID 2092 wrote to memory of 2716	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	45
PID 2092 wrote to memory of 2716	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	45
PID 2092 wrote to memory of 2892	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	47
PID 2092 wrote to memory of 2892	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	47
PID 2092 wrote to memory of 2892	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	47
PID 2092 wrote to memory of 2892	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	47
PID 2092 wrote to memory of 2316	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	49
PID 2092 wrote to memory of 2316	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	49
PID 2092 wrote to memory of 2316	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	49
PID 2092 wrote to memory of 2316	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	49
PID 2092 wrote to memory of 2772	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	51
PID 2092 wrote to memory of 2772	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	51
PID 2092 wrote to memory of 2772	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	51
PID 2092 wrote to memory of 2772	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	51
PID 2092 wrote to memory of 1744	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	53
PID 2092 wrote to memory of 1744	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	53
PID 2092 wrote to memory of 1744	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	53
PID 2092 wrote to memory of 1744	2092	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	53
PID 1744 wrote to memory of 2936	1744	cmd.exe	55
PID 1744 wrote to memory of 2936	1744	cmd.exe	55
PID 1744 wrote to memory of 2936	1744	cmd.exe	55
PID 1744 wrote to memory of 2936	1744	cmd.exe	55
PID 1744 wrote to memory of 3024	1744	cmd.exe	56
PID 1744 wrote to memory of 3024	1744	cmd.exe	56
PID 1744 wrote to memory of 3024	1744	cmd.exe	56
PID 1744 wrote to memory of 3024	1744	cmd.exe	56
PID 1464 wrote to memory of 2784	1464	taskeng.exe	59
PID 1464 wrote to memory of 2784	1464	taskeng.exe	59
PID 1464 wrote to memory of 2784	1464	taskeng.exe	59
PID 1464 wrote to memory of 2784	1464	taskeng.exe	59

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\Desktop\*.txt" "C:\Users\Admin\AppData\Local\Temp\6509\_Files"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Web Data" "C:\Users\Admin\AppData\Local\Temp\6509\_Chrome\default_webdata.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\6509\_Chrome\default_logins.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Cookies" "C:\Users\Admin\AppData\Local\Temp\6509\_Chrome\default_cookies.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Network\Cookies" "C:\Users\Admin\AppData\Local\Temp\6509\_Chrome\default_cookies.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ytcgl2sn.Admin\formhistory.sqlite" "C:\Users\Admin\AppData\Local\Temp\6509\_Firefox\formhistory.sqlite"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ytcgl2sn.Admin\cookies.sqlite" "C:\Users\Admin\AppData\Local\Temp\6509\_Firefox\cookies.sqlite"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ytcgl2sn.Admin\signons.sqlite" "C:\Users\Admin\AppData\Local\Temp\6509\_Firefox\signons.sqlite"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ytcgl2sn.Admin\logins.json" "C:\Users\Admin\AppData\Local\Temp\6509\_Firefox\logins.json"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ytcgl2sn.Admin\key3.db" "C:\Users\Admin\AppData\Local\Temp\6509\_Firefox\key3.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ytcgl2sn.Admin\key4.db" "C:\Users\Admin\AppData\Local\Temp\6509\_Firefox\key4.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c expand.exe "C:\Users\Admin\AppData\Local\Temp\piDtn6m.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceGet" & schtasks /create /tn \Service\Diagnostic /tr """"C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe""" """C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat"""" /st 00:01 /du 9800:49 /sc once /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\piDtn6m.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceGet"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \Service\Diagnostic /tr """"C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe""" """C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat"""" /st 00:01 /du 9800:49 /sc once /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3024

C:\Windows\system32\taskeng.exe
taskeng.exe {6F915CE8-DEDE-481E-9947-535E97DD806B} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe
  C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe "C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6509.zip

Filesize
6KB

MD5
d31fcf81a1beb387737c0ac82802a278

SHA1
be1266d9b8c643794bcd750629e7608cd6e52aab

SHA256
1c6a69fc99c42a4f97e94539f94ee8934b858c95c6de0e038b28a6f1090596e5

SHA512
270854d987011871b27490eac494fc181e1f80f01ba3994a30edb3432fd9649ffcdb6101ad0b33076f59f07006e1f3065da448a4ef93df6a58230a864c11f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\6509.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6509\_Chrome\default_cookies.db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\6509\_Chrome\default_logins.db

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6509\_Chrome\default_webdata.db

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
C:\Users\Admin\AppData\Local\Temp\piDtn6m.tmp

Filesize
416KB

MD5
8693120d43190390c7638a7602c9f8b1

SHA1
4f592cc16de398ab25d0005774610f2dfc5b3ce8

SHA256
b101aab1d1b820f04e39d7fac4e7993361fb5f7dc2543ecfa709bbaf04bfdcfa

SHA512
f5fb19e3c0614668a387fb8d3aba2e4badf587f34c3000dca109f065c75b3b24927cfbaa8a3b851d1d3d847b4b170bdc508a9d682cae79d0ffa77c20abb73ca4

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat

Filesize
133KB

MD5
5e83ae9c87fcf9e910d886142bf154ad

SHA1
e708d0ce5608b3e762f250cee7a58910a4534dd4

SHA256
043705792ba725ac805554f58b0badf4c6ad8b702ce4c3d768b1f6e665e14dec

SHA512
fdbfff8cf42aa244de5a9b3c93628870170c8dc065ca65445ffd0987cd3738be443120d78dbd589bfb7f5f7f069930fa5042a490e248c60314c843f621854fdc

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit