Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2025, 22:42
Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
Resource: win10v2004-20250502-en
General
Target: 2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
Size: 2.1MB
MD5: a1d0ba147423292206f74e6e69d8272a
SHA1: 047289d7690ed9a1937a7eb30ec3529a9684c0d3
SHA256: 89b7b060048934570d3352b2620d48243143352d7d44f9b1a1ee5b50f192c2b9
SHA512: 3be6a95769262572fbd344749319f37d8bed82f7836ecd19ad5d3ea469b52fe8fff1689954905771c848bbdab31e2096aea3c1c9004ca0ba0eecc4b84576d059
SSDEEP: 49152:SsCkh7S1HMBX6PC+Nn6JxMdDyzlp0+Y21AcH9v4BAdjGBQc3C:SAh7S1HM5t+VTuzle+YaH14BAdC
Malware Config
Extracted
family: phorphiex
c2: http://185.156.72.39/
c2: http://45.141.233.6/
mutex: l9n7b5f2r
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
family: phorphiex
c2: http://185.156.72.39
c2: 185.156.72.39
Signatures
Phorphiex family
Phorphiex payload 1 IoCs
resource                                     yara_rule
behavioral1/files/0x00090000000241b8-15.dat  family_phorphiex
Xmrig family
XMRig Miner payload 20 IoCs
resource: 20 memory-dump resources of PIDs 1408, 3672 and 2352 (region 0x0000000140000000-0x0000000140835000)
yara_rule: xmrig
Creates new service(s) 2 TTPs
Downloads MZ/PE file 3 IoCs
flow  pid   Process
38    1224  79C4.exe
4     2872  2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
89    4564  1080920398.exe
Stops running service(s) 4 TTPs
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description        ioc                                                                                             Process
Key value queried  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation  1523829134.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation  1321212298.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation  2359731308.exe
Executes dropped EXE 30 IoCs
pid   Process
1224  79C4.exe
4104  191651837.exe
3908  syscrondvr.exe
2004  syscrondvr.exe
4868  1523829134.exe
4564  1080920398.exe
4716  1451411713.exe
940   830810174.exe
2984  1321212298.exe
1244  3241129746.exe
1488  sysmtdrav.exe
2108  sysmtdrav.exe
2708  659025094.exe
3340  syscrondvr.exe
4968  syscrondvr.exe
4844  sysmtdrav.exe
4552  sysmtdrav.exe
4040  2359731308.exe
2328  sysmtdrav.exe
4284  sysmtdrav.exe
1596  sysmtdrav.exe
544   2730322623.exe
2164  sysmtdrav.exe
4272  44334389.exe
4564  sysmtdrav.exe
1996  sysmtdrav.exe
2892  147893154.exe
4612  sysmtdrav.exe
3904  sysmtdrav.exe
1972  sysmtdrav.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syscrondvr.exe"                    191651837.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syscrondvr.exe"  659025094.exe
Suspicious use of SetThreadContext 14 IoCs
description                            pid   Process        procid_target
PID 1488 set thread context of 4472    1488  sysmtdrav.exe  134
PID 1488 set thread context of 1408    1488  sysmtdrav.exe  135
PID 2108 set thread context of 3672    2108  sysmtdrav.exe  137
PID 4844 set thread context of 2352    4844  sysmtdrav.exe  144
PID 4552 set thread context of 1744    4552  sysmtdrav.exe  146
PID 2328 set thread context of 4584    2328  sysmtdrav.exe  153
PID 4284 set thread context of 3060    4284  sysmtdrav.exe  155
PID 1596 set thread context of 2288    1596  sysmtdrav.exe  157
PID 2164 set thread context of 4600    2164  sysmtdrav.exe  160
PID 4564 set thread context of 372     4564  sysmtdrav.exe  163
PID 1996 set thread context of 4736    1996  sysmtdrav.exe  165
PID 4612 set thread context of 2776    4612  sysmtdrav.exe  168
PID 3904 set thread context of 820     3904  sysmtdrav.exe  170
PID 1972 set thread context of 4400    1972  sysmtdrav.exe  172
UPX packed file 25 IoCs
resource: 25 memory-dump resources of PIDs 1408, 3672 and 2352 (region 0x0000000140000000-0x0000000140835000)
yara_rule: upx
Drops file in Windows directory 3 IoCs
description                   ioc                        Process
File created                  C:\Windows\syscrondvr.exe  191651837.exe
File opened for modification  C:\Windows\syscrondvr.exe  191651837.exe
File created                  C:\Windows\syscrondvr.exe  659025094.exe
Launches sc.exe 7 IoCs
sc.exe is a Windows utility used to control services on the system.
pid   Process
5116  sc.exe
2028  sc.exe
1628  sc.exe
4504  sc.exe
2480  sc.exe
3840  sc.exe
1436  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  79C4.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  191651837.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  syscrondvr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  659025094.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  syscrondvr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  147893154.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1080920398.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1451411713.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  830810174.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2730322623.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  44334389.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid   Process
2872  2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
2872  2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
2872  2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
2872  2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe
4868  1523829134.exe
2984  1321212298.exe
1244  3241129746.exe
1244  3241129746.exe
1244  3241129746.exe
1244  3241129746.exe
1488  sysmtdrav.exe
1488  sysmtdrav.exe
4472  conhost.exe
2108  sysmtdrav.exe
4472  conhost.exe
4844  sysmtdrav.exe
4472  conhost.exe
4552  sysmtdrav.exe
4040  2359731308.exe
4472  conhost.exe
2328  sysmtdrav.exe
4472  conhost.exe
4284  sysmtdrav.exe
4472  conhost.exe
1596  sysmtdrav.exe
4472  conhost.exe
2164  sysmtdrav.exe
4472  conhost.exe
4564  sysmtdrav.exe
4472  conhost.exe
1996  sysmtdrav.exe
4472  conhost.exe
4612  sysmtdrav.exe
4472  conhost.exe
3904  sysmtdrav.exe
4472  conhost.exe
1972  sysmtdrav.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
description                   pid   Process
Token: SeDebugPrivilege       4868  1523829134.exe
Token: SeDebugPrivilege       2984  1321212298.exe
Token: SeLockMemoryPrivilege  1408  dwm.exe
Token: SeLockMemoryPrivilege  3672  dwm.exe
Token: SeLockMemoryPrivilege  2352  dwm.exe
Token: SeLockMemoryPrivilege  1744  dwm.exe
Token: SeDebugPrivilege       4040  2359731308.exe
Token: SeLockMemoryPrivilege  4584  dwm.exe
Token: SeLockMemoryPrivilege  3060  dwm.exe
Token: SeLockMemoryPrivilege  2288  dwm.exe
Token: SeLockMemoryPrivilege  4600  dwm.exe
Token: SeLockMemoryPrivilege  372   dwm.exe
Token: SeLockMemoryPrivilege  4736  dwm.exe
Token: SeLockMemoryPrivilege  2776  dwm.exe
Token: SeLockMemoryPrivilege  820   dwm.exe
Token: SeLockMemoryPrivilege  4400  dwm.exe
Suspicious use of WriteProcessMemory 64 IoCs
(count = number of identical consecutive rows in the report)
description                       pid   Process                                                                                             procid_target  count
PID 2872 wrote to memory of 1224  2872  2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe  85             3
PID 1224 wrote to memory of 4104  1224  79C4.exe                                                                                            98             3
PID 4104 wrote to memory of 3908  4104  191651837.exe                                                                                       100            3
PID 3496 wrote to memory of 2004  3496  cmd.exe                                                                                             102            3
PID 3908 wrote to memory of 4868  3908  syscrondvr.exe                                                                                      104            2
PID 4868 wrote to memory of 4304  4868  1523829134.exe                                                                                      105            2
PID 4304 wrote to memory of 2480  4304  cmd.exe                                                                                             107            2
PID 4304 wrote to memory of 1216  4304  cmd.exe                                                                                             108            2
PID 3908 wrote to memory of 4564  3908  syscrondvr.exe                                                                                      115            3
PID 3908 wrote to memory of 4716  3908  syscrondvr.exe                                                                                      116            3
PID 3908 wrote to memory of 940   3908  syscrondvr.exe                                                                                      117            3
PID 3908 wrote to memory of 2984  3908  syscrondvr.exe                                                                                      119            2
PID 2984 wrote to memory of 4584  2984  1321212298.exe                                                                                      120            2
PID 4584 wrote to memory of 3840  4584  cmd.exe                                                                                             122            2
PID 4584 wrote to memory of 2016  4584  cmd.exe                                                                                             123            2
PID 4564 wrote to memory of 1244  4564  1080920398.exe                                                                                      124            2
PID 1488 wrote to memory of 4472  1488  sysmtdrav.exe                                                                                       134            9
PID 1488 wrote to memory of 1408  1488  sysmtdrav.exe                                                                                       135            5
PID 2108 wrote to memory of 3672  2108  sysmtdrav.exe                                                                                       137            5
PID 3908 wrote to memory of 2708  3908  syscrondvr.exe                                                                                      138            3
PID 2708 wrote to memory of 3340  2708  659025094.exe                                                                                       140            3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe  PID:2872
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-05-14_a1d0ba147423292206f74e6e69d8272a_black-basta_darkgate_elex_luca-stealer_mespinoza.exe"
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\79C4.exe  PID:1224
      cmdline: "C:\Users\Admin\AppData\Local\Temp\79C4.exe"
      - Downloads MZ/PE file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\191651837.exe  PID:4104
        cmdline: C:\Users\Admin\AppData\Local\Temp\191651837.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\syscrondvr.exe  PID:3908
          cmdline: C:\Windows\syscrondvr.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\1523829134.exe  PID:4868
            cmdline: C:\Users\Admin\AppData\Local\Temp\1523829134.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\cmd.exe  PID:4304
              cmdline: "C:\Windows\System32\cmd.exe" /c sc delete "DrvTcfgsvc" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DrvTcfgsvc" /f
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\sc.exe  PID:2480
                cmdline: sc delete "DrvTcfgsvc"
                - Launches sc.exe
            [7] C:\Windows\system32\reg.exe  PID:1216
                cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DrvTcfgsvc" /f
        [5] C:\Users\Admin\AppData\Local\Temp\1080920398.exe  PID:4564
            cmdline: C:\Users\Admin\AppData\Local\Temp\1080920398.exe
            - Downloads MZ/PE file
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\3241129746.exe  PID:1244
              cmdline: C:\Users\Admin\AppData\Local\Temp\3241129746.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\system32\sc.exe  PID:1436
                cmdline: C:\Windows\system32\sc.exe delete "MgrSrvdrvcs"
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe  PID:5116
                cmdline: C:\Windows\system32\sc.exe create "MgrSrvdrvcs" binpath= "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe" start= "auto"
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe  PID:2028
                cmdline: C:\Windows\system32\sc.exe stop eventlog
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe  PID:1628
                cmdline: C:\Windows\system32\sc.exe start "MgrSrvdrvcs"
                - Launches sc.exe
        [5] C:\Users\Admin\AppData\Local\Temp\1451411713.exe  PID:4716
            cmdline: C:\Users\Admin\AppData\Local\Temp\1451411713.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\830810174.exe  PID:940
            cmdline: C:\Users\Admin\AppData\Local\Temp\830810174.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\1321212298.exe  PID:2984
            cmdline: C:\Users\Admin\AppData\Local\Temp\1321212298.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\cmd.exe  PID:4584
              cmdline: "C:\Windows\System32\cmd.exe" /c sc delete "DrvCfgSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DrvCfgSvcs" /f
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\sc.exe  PID:3840
                cmdline: sc delete "DrvCfgSvcs"
                - Launches sc.exe
            [7] C:\Windows\system32\reg.exe  PID:2016
                cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DrvCfgSvcs" /f
        [5] C:\Users\Admin\AppData\Local\Temp\659025094.exe  PID:2708
            cmdline: C:\Users\Admin\AppData\Local\Temp\659025094.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\syscrondvr.exe  PID:3340
              cmdline: C:\Users\Admin\syscrondvr.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
            [7] C:\Users\Admin\AppData\Local\Temp\2359731308.exe  PID:4040
                cmdline: C:\Users\Admin\AppData\Local\Temp\2359731308.exe
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\cmd.exe  PID:2016
                  cmdline: "C:\Windows\System32\cmd.exe" /c sc delete "DrvTcfgsvc" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DrvTcfgsvc" /f
                [9] C:\Windows\system32\sc.exe  PID:4504
                    cmdline: sc delete "DrvTcfgsvc"
                    - Launches sc.exe
                [9] C:\Windows\system32\reg.exe  PID:2752
                    cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DrvTcfgsvc" /f
            [7] C:\Users\Admin\AppData\Local\Temp\2730322623.exe  PID:544
                cmdline: C:\Users\Admin\AppData\Local\Temp\2730322623.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            [7] C:\Users\Admin\AppData\Local\Temp\44334389.exe  PID:4272
                cmdline: C:\Users\Admin\AppData\Local\Temp\44334389.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            [7] C:\Users\Admin\AppData\Local\Temp\147893154.exe  PID:2892
                cmdline: C:\Users\Admin\AppData\Local\Temp\147893154.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
[1] C:\Windows\system32\cmd.exe  PID:3496
    cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\syscrondvr.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\syscrondvr.exe  PID:2004
      cmdline: C:\Windows\syscrondvr.exe
      - Executes dropped EXE
[1] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:1488
    cmdline: C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\conhost.exe  PID:4472
      cmdline: C:\Windows\system32\conhost.exe
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:2108
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\dwm.exe  PID:3672
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:4844
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:2352
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:4552
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:1744
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:2328
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:4584
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:4284
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:3060
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:1596
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:2288
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:2164
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:4600
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:4564
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:372
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:1996
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:4736
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:4612
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:2776
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:3904
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:820
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe  PID:1972
        cmdline: "C:\ProgramData\MgrSrvdrvcs\sysmtdrav.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\system32\dwm.exe  PID:4400
          cmdline: dwm.exe
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\dwm.exe  PID:1408
      cmdline: dwm.exe
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\cmd.exe  PID:3108
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\syscrondvr.exe
  [2] C:\Users\Admin\syscrondvr.exe  PID:4968
      cmdline: C:\Users\Admin\syscrondvr.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads