Analysis
max time kernel: 83s
max time network: 85s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 09:18

Behavioral task: behavioral1
  Sample: 6d13d147a209e3be044035f0c03b7bde.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 6d13d147a209e3be044035f0c03b7bde.exe
  Resource: win10v2004-20240508-en
(The signatures, process tree and dropped files below are from the behavioral2 run; the memory dump names carry the behavioral2/ prefix.)
Errors
General
Target: 6d13d147a209e3be044035f0c03b7bde.exe
Size: 47KB
MD5: 6d13d147a209e3be044035f0c03b7bde
SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
SSDEEP: 768:IuyxNTAoZjRWUJd9bmo2qL2TJ4+3Qk8sna9lzPIaj9vtqb5HTKsvWy0oKCnX5Eev:IuyxNTAGL2Mk839lcaj9vIbJWsZoWFnt
Malware Config
Extracted
  Family: asyncrat
  Version: 0.5.8
  Botnet: Default
  C2:
    127.0.0.1:6606
    127.0.0.1:7707
    127.0.0.1:8808
    94.232.249.111:6606
    94.232.249.111:7707
    94.232.249.111:8808
  Mutex: o6tEeoRxJb0n
  Attributes:
    delay: 3
    install: true
    install_file: svchost.exe
    install_folder: %AppData%
  Note: AsyncRAT stores hosts and ports as two separate lists, and its builder defaults to host 127.0.0.1 with ports 6606,7707,8808; the extractor reports every host/port combination, so the loopback entries are leftover defaults and the only routable C2 is 94.232.249.111 on 6606, 7707 and 8808. The install attributes match the process tree below: the sample copies itself to %AppData%\svchost.exe and registers an onlogon scheduled task named "svchost" for it.
Extracted
  Family: asyncrat (most likely extracted from the StormKitty payloads zqbygv.exe / tyhdxz.exe, which also match the Async RAT YARA rule because StormKitty reuses AsyncRAT client code)
  Botnet: Default
  C2:
    127.0.0.1:6606
    127.0.0.1:7707
    127.0.0.1:8808
    https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469
    https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%
  Note: AsyncMutex_6SI8OkPnk and the loopback hosts are the unmodified defaults from the AsyncRAT source tree, so this config carries no RAT C2 of its own; the two Telegram Bot API URLs are the stealer's exfiltration channel. Each URL embeds the bot token (the path segment after "bot") and the operator's chat_id; those are the values to report to Telegram for takedown and to block on egress.
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#. It reuses AsyncRAT's client code, which is why both dropped payloads (zqbygv.exe and tyhdxz.exe) also match the Async RAT YARA rule below, and it reports to the operator through the Telegram Bot API URLs seen in the second extracted config.
-
StormKitty payload 4 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | family_stormkitty
  behavioral2/memory/4044-44-0x0000000000210000-0x0000000000242000-memory.dmp | family_stormkitty
  C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | family_stormkitty
  behavioral2/memory/1444-210-0x00000000002D0000-0x0000000000302000-memory.dmp | family_stormkitty
Async RAT payload 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\svchost.exe | family_asyncrat
  C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | family_asyncrat
  C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | family_asyncrat
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 6d13d147a209e3be044035f0c03b7bde.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | svchost.exe
Executes dropped EXE 3 IoCs
Processes:
  pid | process
  4872 | svchost.exe
  4044 | zqbygv.exe
  1444 | tyhdxz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 16 IoCs
These are not attacker-authored desktop.ini files. StormKitty's file grabber copies the user's Desktop, Documents, Downloads and Pictures folders into a staging directory under %LOCALAPPDATA%\<id>\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\, and the hidden desktop.ini in each source folder is copied along with the rest. The two distinct <id> directories (146f2445... for zqbygv.exe, a0c2de03... for tyhdxz.exe) show that the two payloads ran as separate stealer sessions.
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | zqbygv.exe
  File opened for modification | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | zqbygv.exe
  File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | zqbygv.exe
  File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | tyhdxz.exe
  File opened for modification | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | tyhdxz.exe
  File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | tyhdxz.exe
  File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | zqbygv.exe
  File opened for modification | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | tyhdxz.exe
  File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | tyhdxz.exe
  File opened for modification | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | zqbygv.exe
  File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | zqbygv.exe
  File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | zqbygv.exe
  File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | zqbygv.exe
  File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | tyhdxz.exe
  File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | tyhdxz.exe
  File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | tyhdxz.exe
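The staging paths above follow one layout: %LOCALAPPDATA%\<32 hex chars>\<user>@<host>_<locale>\<category>\..., with the file grabber mirroring each source drive under Grabber\DRIVE-<letter>\. When triaging a host, parsing that layout back out tells you which stealer session a file belongs to, who the victim was and which original folders were grabbed. The following is an added example written for this page; it is the editor's own code, not part of the sandbox output or of StormKitty, and the category names, the 32-hex-character session id and the DRIVE-C convention are taken only from the paths shown in this report.

```python
"""Parse StormKitty staging paths as they appear in this report.

Editor's example code. Assumes only the layout visible in the report:
  C:\\Users\\<user>\\AppData\\Local\\<32 hex>\\<victim>@<host>_<locale>\\<category>\\...
plus the session-level file <32 hex>\\msgid.dat and the Grabber mirror
Grabber\\DRIVE-<letter>\\<original path without the drive prefix>.
"""
import re
from collections import defaultdict

STAGING = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\(?P<user>[^\\]+)\\AppData\\Local\\"
    r"(?P<session>[0-9a-f]{32})\\"
    r"(?:(?P<victim>[^@\\]+)@(?P<hostloc>[^\\]+)\\(?P<category>[^\\]+)\\(?P<rest>.+)"
    r"|(?P<rootfile>[^\\]+))$"
)
GRABBER = re.compile(r"^DRIVE-(?P<letter>[A-Za-z])\\(?P<path>.+)$")

# Constructed from paths that appear in this report (duplicates removed);
# the last entry is a Temp file that must NOT parse as a staging path.
PATHS = [
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Browsers\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\msgid.dat",
    r"C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini",
    r"C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini",
    r"C:\Users\Admin\AppData\Local\Temp\places.raw",
]


def parse_staging_path(path):
    """Return a dict describing the staged file, or None if the path is not
    inside a <32 hex> staging directory."""
    m = STAGING.match(path)
    if not m:
        return None
    info = {"session": m["session"], "staging_user": m["user"],
            "victim": None, "host": None, "locale": None,
            "category": None, "item": None, "original": None}
    if m["rootfile"]:                      # e.g. msgid.dat at the session root
        info["item"] = m["rootfile"]
        return info
    host, sep, locale = m["hostloc"].rpartition("_")
    if not sep:                            # no "_<locale>" suffix present
        host, locale = m["hostloc"], None
    info.update(victim=m["victim"], host=host, locale=locale,
                category=m["category"], item=m["rest"])
    if m["category"] == "Grabber":         # map the mirror back to the source path
        g = GRABBER.match(m["rest"])
        if g:
            info["original"] = f"{g['letter'].upper()}:\\{g['path']}"
    return info


def summarize(paths):
    """Group staged files per stealer session: victim identity, how many
    files per category, and which original folders the grabber touched."""
    sessions = {}
    for p in paths:
        info = parse_staging_path(p)
        if info is None:
            continue
        s = sessions.setdefault(info["session"], {
            "victim": None, "categories": defaultdict(int), "grabbed_dirs": set()})
        if info["victim"]:
            s["victim"] = f"{info['victim']}@{info['host']} ({info['locale']})"
        s["categories"][info["category"] or "<root>"] += 1
        if info["original"]:
            s["grabbed_dirs"].add(info["original"].rsplit("\\", 1)[0])
    return sessions


if __name__ == "__main__":
    for sid, s in summarize(PATHS).items():
        print(sid, s["victim"], dict(s["categories"]))
        for d in sorted(s["grabbed_dirs"]):
            print("   grabbed:", d)
```

Run against the report's own paths this yields two sessions for the same victim (Admin@RIJTOOVX, en-US), with the 146f2445... session showing Browsers, System and Grabber output and six grabbed user folders; on a real host you would feed it the output of a recursive listing of %LOCALAPPDATA% and use the session ids to tie files back to the process that created them.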
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  27 | icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Processes:
  pid | process
  3628 | powershell.exe
  4372 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. netsh.exe reads HKLM\SOFTWARE\Microsoft\NetSh on every start to find the helper DLLs it loads, and all 12 operations below are reads (Key opened, Key queried, Key value enumerated) with no value written, so no helper DLL was registered here. The hit is a side effect of the stealer running `netsh wlan show profile` and `netsh wlan show networks mode=bssid` for Wi-Fi enumeration; the WOW6432Node path is because the 32-bit netsh.exe from SysWOW64 is used.
Processes:
  description | ioc | process
  Key opened (4 entries) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried (4 entries) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated (4 entries) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | zqbygv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | zqbygv.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | tyhdxz.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | tyhdxz.exe
Delays execution with timeout.exe 1 IoCs
Processes:
  pid | process
  2892 | timeout.exe
Modifies data under HKEY_USERS 15 IoCs
All 15 writes are made by LogonUI.exe, the Windows logon/shutdown screen that appeared because the malware forced a shutdown (`Shutdown /s /f /t 00`, see the process tree). The DWM colorization and Explorer accent values under HKEY_USERS\.DEFAULT are routine theme state for the system profile, not attacker-controlled data; treat this signature as noise in this report.
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (the raw table repeats one row per observed enumeration; consecutive repeats are counted here, in the original order, and the list is capped at 64 entries by the sandbox):
  pid | process | entries
  5020 | 6d13d147a209e3be044035f0c03b7bde.exe | 23
  3628 | powershell.exe | 2
  4872 | svchost.exe | 1
  4044 | zqbygv.exe | 25
  4372 | powershell.exe | 2
  4872 | svchost.exe | 1
  1444 | tyhdxz.exe | 10
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 5020 | 6d13d147a209e3be044035f0c03b7bde.exe
  Token: SeDebugPrivilege | 4872 | svchost.exe
  Token: SeDebugPrivilege | 3628 | powershell.exe
  Token: SeDebugPrivilege | 4044 | zqbygv.exe
  Token: SeDebugPrivilege | 4372 | powershell.exe
  Token: SeDebugPrivilege | 1444 | tyhdxz.exe
  Token: SeShutdownPrivilege | 4808 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 4808 | shutdown.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  1952 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (the sandbox records three writes into each newly created child, so every parent/child pair below appears three times in the raw table; the count is given instead of repeating the row, and the last pair is cut to one entry by the 64-IoC cap):
  description | pid | process | target process | writes
  PID 5020 wrote to memory of 1944 | 5020 | 6d13d147a209e3be044035f0c03b7bde.exe | cmd.exe | 3
  PID 5020 wrote to memory of 1072 | 5020 | 6d13d147a209e3be044035f0c03b7bde.exe | cmd.exe | 3
  PID 1072 wrote to memory of 2892 | 1072 | cmd.exe | timeout.exe | 3
  PID 1944 wrote to memory of 4572 | 1944 | cmd.exe | schtasks.exe | 3
  PID 1072 wrote to memory of 4872 | 1072 | cmd.exe | svchost.exe | 3
  PID 4872 wrote to memory of 3096 | 4872 | svchost.exe | cmd.exe | 3
  PID 3096 wrote to memory of 3628 | 3096 | cmd.exe | powershell.exe | 3
  PID 3628 wrote to memory of 4044 | 3628 | powershell.exe | zqbygv.exe | 3
  PID 4044 wrote to memory of 4452 | 4044 | zqbygv.exe | cmd.exe | 3
  PID 4452 wrote to memory of 2776 | 4452 | cmd.exe | chcp.com | 3
  PID 4452 wrote to memory of 1844 | 4452 | cmd.exe | netsh.exe | 3
  PID 4452 wrote to memory of 5020 | 4452 | cmd.exe | findstr.exe | 3
  PID 4044 wrote to memory of 1604 | 4044 | zqbygv.exe | cmd.exe | 3
  PID 1604 wrote to memory of 752 | 1604 | cmd.exe | chcp.com | 3
  PID 1604 wrote to memory of 3840 | 1604 | cmd.exe | netsh.exe | 3
  PID 4872 wrote to memory of 4000 | 4872 | svchost.exe | cmd.exe | 3
  PID 4000 wrote to memory of 4372 | 4000 | cmd.exe | powershell.exe | 3
  PID 4372 wrote to memory of 1444 | 4372 | powershell.exe | tyhdxz.exe | 3
  PID 1444 wrote to memory of 2368 | 1444 | tyhdxz.exe | cmd.exe | 3
  PID 2368 wrote to memory of 1424 | 2368 | cmd.exe | chcp.com | 3
  PID 2368 wrote to memory of 736 | 2368 | cmd.exe | netsh.exe | 3
  PID 2368 wrote to memory of 2568 | 2368 | cmd.exe | findstr.exe | 1
Note the row "PID 4452 wrote to memory of 5020 ... findstr.exe": 5020 is also the PID of the original sample at the top of the tree. The sample had exited by the time findstr.exe started and Windows handed the freed PID to the new process, so anything that keys on PID alone will wrongly attach findstr.exe to the sample.
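Rebuilding a process tree from rows like the ones above is routine, but two things in this report trip up naive parsers: each parent/child pair is logged three times, and PID 5020 is first the sample and later findstr.exe because Windows reuses PIDs as soon as a process exits. The following is an added example written for this page, the editor's own code rather than anything from the sandbox vendor; it keys nodes on (pid, image) instead of pid, deduplicates the repeated writes, and reports every PID that changed identity mid-log. The rows are copied from the table above, with only the first pair kept triplicated to keep the sample short.

```python
"""Process-tree reconstruction from "PID X wrote to memory of Y" rows.

Editor's example code. Row format is the one used in this report:
  PID <parent> wrote to memory of <child> <parent> <parent image> <child image>
Rows are assumed to be in chronological order, which is how the report
lists them; PID-reuse detection depends on that ordering.
"""
import re
from collections import defaultdict

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
SAMPLE = "6d13d147a209e3be044035f0c03b7bde.exe"

# Constructed from the report's WriteProcessMemory table (first pair kept
# triplicated as logged, the rest reduced to one row each by hand).
ROWS = [
    f"PID 5020 wrote to memory of 1944 5020 {SAMPLE} cmd.exe",
    f"PID 5020 wrote to memory of 1944 5020 {SAMPLE} cmd.exe",
    f"PID 5020 wrote to memory of 1944 5020 {SAMPLE} cmd.exe",
    f"PID 5020 wrote to memory of 1072 5020 {SAMPLE} cmd.exe",
    "PID 1072 wrote to memory of 2892 1072 cmd.exe timeout.exe",
    "PID 1944 wrote to memory of 4572 1944 cmd.exe schtasks.exe",
    "PID 1072 wrote to memory of 4872 1072 cmd.exe svchost.exe",
    "PID 4872 wrote to memory of 3096 4872 svchost.exe cmd.exe",
    "PID 3096 wrote to memory of 3628 3096 cmd.exe powershell.exe",
    "PID 3628 wrote to memory of 4044 3628 powershell.exe zqbygv.exe",
    "PID 4044 wrote to memory of 4452 4044 zqbygv.exe cmd.exe",
    "PID 4452 wrote to memory of 2776 4452 cmd.exe chcp.com",
    "PID 4452 wrote to memory of 1844 4452 cmd.exe netsh.exe",
    "PID 4452 wrote to memory of 5020 4452 cmd.exe findstr.exe",   # PID 5020 reused
    "PID 4044 wrote to memory of 1604 4044 zqbygv.exe cmd.exe",
    "PID 1604 wrote to memory of 752 1604 cmd.exe chcp.com",
    "PID 1604 wrote to memory of 3840 1604 cmd.exe netsh.exe",
    "PID 4872 wrote to memory of 4000 4872 svchost.exe cmd.exe",
    "PID 4000 wrote to memory of 4372 4000 cmd.exe powershell.exe",
    "PID 4372 wrote to memory of 1444 4372 powershell.exe tyhdxz.exe",
    "PID 1444 wrote to memory of 2368 1444 tyhdxz.exe cmd.exe",
    "PID 2368 wrote to memory of 1424 2368 cmd.exe chcp.com",
    "PID 2368 wrote to memory of 736 2368 cmd.exe netsh.exe",
    "PID 2368 wrote to memory of 2568 2368 cmd.exe findstr.exe",
]


def parse(rows):
    """Return unique (parent_pid, parent_image, child_pid, child_image) edges
    in first-seen order, collapsing the repeated writes per child."""
    seen, edges = set(), []
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        edge = (int(m[1]), m[3], int(m[2]), m[4])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Build children keyed on (pid, image). A child PID that already carries
    a different image is a reused PID; record it instead of merging nodes."""
    last_image = {}                 # pid -> image most recently seen for it
    children = defaultdict(list)    # (pid, image) -> [(pid, image), ...]
    reused = {}                     # pid -> (earlier image, later image)
    for ppid, pimg, cpid, cimg in edges:
        last_image.setdefault(ppid, pimg)
        prev = last_image.get(cpid)
        if prev is not None and prev != cimg:
            reused[cpid] = (prev, cimg)
        last_image[cpid] = cimg
        children[(ppid, pimg)].append((cpid, cimg))
    return children, reused


def render(children, root, depth=0, out=None):
    """Depth-first, indented listing starting at the given (pid, image)."""
    out = [] if out is None else out
    pid, image = root
    out.append(f"{'  ' * depth}{image} (pid {pid})")
    for child in children.get(root, []):
        render(children, child, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parse(ROWS)
    children, reused = build_tree(edges)
    print("\n".join(render(children, (5020, SAMPLE))))
    for pid, (before, after) in reused.items():
        print(f"PID {pid} reused: {before} -> {after}")
```

The rendered tree matches the Processes section that follows, and the reuse report names 5020 as the only PID that changed identity. The same keying applies when correlating with Sysmon or EDR data: use a process GUID or (pid, start time) as the join key, never the bare PID.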
Processes
(The leading number is the nesting depth from the raw report. The sample runs as a 32-bit process, so the System32 paths in its command lines resolve to SysWOW64 images under WOW64 file redirection. The en dash in "–ExecutionPolicy" is present in the original command lines, not a transcription error.)
1 C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Scheduled Task/Job: Scheduled Task
  2 C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.bat""
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\timeout.exe
      cmdline: timeout 3
      - Delays execution with timeout.exe
    3 C:\Users\Admin\AppData\Roaming\svchost.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"' & exit
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          6 C:\Users\Admin\AppData\Local\Temp\zqbygv.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"
            - Executes dropped EXE
            - Drops desktop.ini file(s)
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            7 C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              - Suspicious use of WriteProcessMemory
              8 C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 65001
              8 C:\Windows\SysWOW64\netsh.exe
                cmdline: netsh wlan show profile
                - Event Triggered Execution: Netsh Helper DLL
              8 C:\Windows\SysWOW64\findstr.exe
                cmdline: findstr All
            7 C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              - Suspicious use of WriteProcessMemory
              8 C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 65001
              8 C:\Windows\SysWOW64\netsh.exe
                cmdline: netsh wlan show networks mode=bssid
                - Event Triggered Execution: Netsh Helper DLL
      4 C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"' & exit
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          6 C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"
            - Executes dropped EXE
            - Drops desktop.ini file(s)
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            7 C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              - Suspicious use of WriteProcessMemory
              8 C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 65001
              8 C:\Windows\SysWOW64\netsh.exe
                cmdline: netsh wlan show profile
                - Event Triggered Execution: Netsh Helper DLL
              8 C:\Windows\SysWOW64\findstr.exe
                cmdline: findstr All
            7 C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              8 C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 65001
              8 C:\Windows\SysWOW64\netsh.exe
                cmdline: netsh wlan show networks mode=bssid
                - Event Triggered Execution: Netsh Helper DLL
      4 C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
        5 C:\Windows\SysWOW64\shutdown.exe
          cmdline: Shutdown /s /f /t 00
          - Suspicious use of AdjustPrivilegeToken
1 C:\Windows\system32\LogonUI.exe
  cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa399b855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
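The command lines in this tree are worth matching with care. The persistence is a scheduled task whose target is a user-writable path carrying a system binary name (svchost.exe under %AppData%), and both PowerShell launches use an en dash (U+2013) instead of a hyphen before ExecutionPolicy, which PowerShell accepts as a parameter prefix but which a rule looking for the literal string "-ExecutionPolicy Bypass" will miss. The following is an added example written for this page, the editor's own detection logic and not part of the sandbox output; the rule names are the editor's, and the command lines are copied from the tree above.

```python
"""Command-line triage for the process tree in this report.

Editor's example code. Only the Python standard library is used; the rule
names and thresholds are the editor's own and are deliberately narrow.
"""
import re

# PowerShell treats en dash, em dash and horizontal bar as parameter dashes.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})

# Image names that should never execute from a user-writable directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "explorer.exe", "conhost.exe", "dllhost.exe"}
USER_WRITABLE = re.compile(r"\\(users|appdata|programdata|temp)\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
TASK_TARGET = re.compile(r'''/tr\s+["']*([a-z]:\\[^"']+)''')

# Command lines copied from the Processes section. Index 4 really does
# contain U+2013 before ExecutionPolicy, as in the report.
REPORT_CMDLINES = [
    '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\' & exit',
    'schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\'',
    'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp81B3.tmp.bat""',
    'timeout 3',
    'powershell \u2013ExecutionPolicy Bypass Start-Process -FilePath \'"C:\\Users\\Admin\\AppData\\Local\\Temp\\zqbygv.exe"\'',
    '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid',
    'Shutdown /s /f /t 00',
]


def normalize(cmdline):
    """Fold Unicode dashes to '-' and lower-case, so that parameter matching
    is not defeated by the en-dash trick seen in this sample."""
    return cmdline.translate(DASHES).lower()


def scheduled_task_target(norm):
    """Return the /tr program path of a 'schtasks /create' command, else None."""
    if "schtasks" not in norm or "/create" not in norm:
        return None
    m = TASK_TARGET.search(norm)
    return m.group(1) if m else None


def triage(cmdline):
    """Return the list of rule names that fire on one command line."""
    norm = normalize(cmdline)
    findings = []

    target = scheduled_task_target(norm)
    if target:
        findings.append("scheduled_task_create")
        if "/sc onlogon" in norm:
            findings.append("scheduled_task_onlogon")
        if "/rl highest" in norm:
            findings.append("scheduled_task_highest_rl")
        if USER_WRITABLE.search(target):
            findings.append("scheduled_task_user_writable_target")
        name = target.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not WINDOWS_DIR.match(target):
            findings.append("masquerading_system_binary_name")

    # "-e", "-ep", "-exec", "-executionpolicy" are all accepted by PowerShell.
    if "powershell" in norm and re.search(r"-e[a-z]*\s+bypass", norm):
        findings.append("powershell_execution_policy_bypass")
    if re.search(r'''start-process\s+-filepath\s+["']*[a-z]:\\[^"']*\\temp\\''', norm):
        findings.append("powershell_start_process_from_temp")

    if re.search(r"netsh\s+wlan\s+show\s+(profile|networks)", norm):
        findings.append("wifi_discovery")
    if re.search(r"\bshutdown\b.*\s/s\b", norm) and re.search(r"\s/f\b", norm):
        findings.append("forced_shutdown")
    if re.search(r'/c\s+"*[a-z]:\\[^"]*\\temp\\[^"]*\.bat', norm):
        findings.append("temp_batch_exec")
    return findings


def triage_all(cmdlines):
    """Map each command line to its findings, dropping clean ones."""
    return {c: f for c in cmdlines if (f := triage(c))}


if __name__ == "__main__":
    for cmd, hits in triage_all(REPORT_CMDLINES).items():
        print(hits, "<-", cmd)
```

The schtasks rule is the one to keep on permanently: an onlogon task pointing at a file in %AppData%, and named after a system binary, has no legitimate equivalent. The dash folding matters for any rule that matches PowerShell parameters as text, not just this one.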
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Event Triggered Execution (1): Netsh Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\System\Process.txt
  Filesize: 4KB
  MD5: 47b9080cf3b36ab1f368c91a41b3d82e
  SHA1: ac79537ca12aef72207b3bb198a28d673efd20fd
  SHA256: 68ead6f5834e8ffb25f858b785b5e6343dc970621edebb9d4172ec82c41f8384
  SHA512: 694baff9bb916969f11e323342b80db66379eb1a316f4e0007515997915f0f5ba5de186e1f0f19cc8a5d149b3edf917751fe1478d08a3a3251e140f0d096e6e5

C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\msgid.dat
  Filesize: 1B
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
  (These are the digests of the single ASCII character "0"; the file is a one-byte counter or flag at the session root.)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 5315900105942deb090a358a315b06fe
  SHA1: 22fe5d2e1617c31afbafb91c117508d41ef0ce44
  SHA256: e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
  SHA512: 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
  (CLR usage log written by the 32-bit .NET runtime whenever powershell.exe runs; a by-product of the launcher, not malware output.)

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 15KB
  MD5: 681a67c52d39f65864d10b88d169a006
  SHA1: a492fd83f28dd136afcbd397607e130000f9e0ad
  SHA256: 27e4865cc6709e4ba14e6a8d29e838e0a6643232acf0544179efafbed07712f0
  SHA512: 79bbe58168c27530ec63eb75e03d2f410a7d1e9bff685ce02face30054a7baaf272bfe46f7a40fda1bfd2248357d51d68e3f7d88c07fa58416074f53919797ee
  (PowerShell startup profiling cache; routine for a non-interactive powershell.exe session.)

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpwe23z3.eas.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  (Probe script PowerShell writes at startup to test whether script enforcement (AppLocker/WDAC) is active; routine.)

C:\Users\Admin\AppData\Local\Temp\places.raw
  Filesize: 5.0MB
  MD5: b01182fd0bcfecd25f0378b6ddd50714
  SHA1: faf0abd8ccde904e4ec90d216f9dada2c3a046d3
  SHA256: 921d4d81de816c9f7add02a5c5dc28209959a2ce1bdd64eff6675a5cdbd90a55
  SHA512: a409fe0c1fbbcc158d47f6f727446ddf754b99ec235715f5f03b66a4f0c91b93c8bbd9e7ab235ed65e9b0abdd4bf2899dd3e5ec4afa8f45822e6f3dbc9d1bd7d

C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.bat
  Filesize: 151B
  MD5: 9c74606d9a3e368fa6adff06939ce1b7
  SHA1: dcde2bcc5a5a0b49e7ffab2c1882d453112d65a5
  SHA256: af18964e7cf7415c4c46a471aef9ce0d9893be82137b873997ef9d665e6b10f8
  SHA512: 04d737ea503e1946a16940a6db13ceb3798dae845c5b73ee6ec540acfe1e021350b8ccd8b36ace1cc7608b4fb2ce9887708296a5b213bf995bb9910ceb82aded
  (The installer batch file: per the process tree it runs "timeout 3" and then starts %AppData%\svchost.exe.)

C:\Users\Admin\AppData\Local\Temp\tmpF8A8.tmp.dat
  Filesize: 100KB
  MD5: 9df444e0de734921d4d96deeeac4b16e
  SHA1: 31542622ecf896b93d830e21595091aef8742901
  SHA256: 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900
  SHA512: 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957

C:\Users\Admin\AppData\Local\Temp\tmpF8AA.tmp.dat
  Filesize: 152KB
  MD5: 73bd1e15afb04648c24593e8ba13e983
  SHA1: 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
  SHA256: aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
  SHA512: 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\Temp\tmpF8BD.tmp.dat
  Filesize: 116KB
  MD5: f70aa3fa04f0536280f872ad17973c3d
  SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
  SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
  SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe
  Filesize: 175KB
  MD5: ff895d93516828450e0c0dd0e467e1d0
  SHA1: a19edaa4b1fbfb8b3c8fe61d4cac894beb921b39
  SHA256: 24c4301e81d0f742d7470fdaae62499b9793265f2e78d77c71e8b84bf1718cca
  SHA512: c3758aa89990653619c4803122fd0761e1c2709fea0dd9b89317ac4627d4e73e54a15397f121716b1dd48fb180fbbd2ed4a3c7b799b11743b2f9079cd1b9f75e

C:\Users\Admin\AppData\Local\Temp\zqbygv.exe
  Filesize: 175KB
  MD5: da34ea26ddfedfd7966e8aedf0bb93e6
  SHA1: ba30bde364d564268d175090364158cb66c165a9
  SHA256: 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20
  SHA512: fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff
  (Both StormKitty payloads are 175KB but have different hashes, so the RAT delivered two distinct builds or two differently stubbed copies; block on both sets of hashes.)

C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 47KB
  MD5: 6d13d147a209e3be044035f0c03b7bde
  SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
  SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
  SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
  (Byte-identical to the submitted sample: the install step copies the file to %AppData% unchanged, so one set of hashes covers both the dropper and the persisted copy.)
Memory dumps (name = memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the two marked dumps are the ones matched by the family_stormkitty YARA rule above):
  memory/1444-210-0x00000000002D0000-0x0000000000302000-memory.dmp  200KB  (family_stormkitty)
  memory/1444-374-0x00000000065D0000-0x00000000065E2000-memory.dmp  72KB
  memory/3628-23-0x00000000059E0000-0x0000000006008000-memory.dmp  6.2MB
  memory/3628-40-0x0000000006DA0000-0x0000000006DC2000-memory.dmp  136KB
  memory/3628-35-0x0000000006280000-0x00000000065D4000-memory.dmp  3.3MB
  memory/3628-36-0x0000000006870000-0x000000000688E000-memory.dmp  120KB
  memory/3628-37-0x00000000068A0000-0x00000000068EC000-memory.dmp  304KB
  memory/3628-38-0x0000000007880000-0x0000000007916000-memory.dmp  600KB
  memory/3628-39-0x0000000006D50000-0x0000000006D6A000-memory.dmp  104KB
  memory/3628-24-0x00000000060D0000-0x00000000060F2000-memory.dmp  136KB
  memory/3628-25-0x00000000061A0000-0x0000000006206000-memory.dmp  408KB
  memory/3628-22-0x00000000052B0000-0x00000000052E6000-memory.dmp  216KB
  memory/4044-44-0x0000000000210000-0x0000000000242000-memory.dmp  200KB  (family_stormkitty)
  memory/4044-190-0x0000000005620000-0x00000000056B2000-memory.dmp  584KB
  memory/4044-212-0x0000000005750000-0x000000000575A000-memory.dmp  40KB
  memory/4372-207-0x0000000006670000-0x00000000066BC000-memory.dmp  304KB
  memory/4372-205-0x0000000005D80000-0x00000000060D4000-memory.dmp  3.3MB
  memory/4872-20-0x0000000007840000-0x000000000785E000-memory.dmp  120KB
  memory/4872-397-0x0000000008590000-0x00000000085F2000-memory.dmp  392KB
  memory/4872-19-0x00000000076E0000-0x0000000007742000-memory.dmp  392KB
  memory/4872-18-0x0000000007760000-0x00000000077D6000-memory.dmp  472KB
  memory/4872-17-0x0000000006370000-0x00000000063D6000-memory.dmp  408KB
  memory/4872-213-0x0000000074FD0000-0x0000000075780000-memory.dmp  7.7MB
  memory/4872-16-0x0000000006BB0000-0x0000000007154000-memory.dmp  5.6MB
  memory/4872-13-0x0000000074FD0000-0x0000000075780000-memory.dmp  7.7MB
  memory/4872-400-0x0000000074FD0000-0x0000000075780000-memory.dmp  7.7MB
  memory/4872-399-0x0000000007F40000-0x0000000007FA4000-memory.dmp  400KB
  memory/4872-398-0x0000000008D10000-0x0000000008D1A000-memory.dmp  40KB
  memory/4872-368-0x0000000007A60000-0x0000000007AC8000-memory.dmp  416KB
  memory/5020-1-0x0000000000520000-0x0000000000532000-memory.dmp  72KB
  memory/5020-0-0x000000007508E000-0x000000007508F000-memory.dmp  4KB
  memory/5020-2-0x0000000075080000-0x0000000075830000-memory.dmp  7.7MB
  memory/5020-3-0x0000000004EE0000-0x0000000004F7C000-memory.dmp  624KB
  memory/5020-8-0x0000000075080000-0x0000000075830000-memory.dmp  7.7MB