metasploit | 5a4181ad51b08e58df1353614fffd6898f1c45f2350b679dbf73f18a38fa3204

General

Target

Password_Recovery.doc
Size

161KB
MD5

21d18d229d6774e235ead04adf578217
SHA1

7c48f714185a73eb6f5f791bb5573e0bea4d13ad
SHA256

5a4181ad51b08e58df1353614fffd6898f1c45f2350b679dbf73f18a38fa3204
SHA512

eb44a7cab05f6c34ace776e29006d5556a6a125155c8be28386933a413fe56129dc5b34a82f60f4e291ee43f03cb15b43b5b6307eb1a11a8b8e2fea8a977da02

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

3.17.7.232:17405

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

604 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1560 cmd.exe
1560 cmd.exe

pid	process
604	svchost.exe

pid	process
1560	cmd.exe
1560	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\nBUOiUrUetKxT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vYxjhYcGK.vbs"	svchost.exe

Drops file in System32 directory 21 IoCs

Processes:

powershell.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5df55dd2-70de-464b-a063-8f427d57093c	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9bac7c35-ffad-4fae-a0b6-cfa33fe08a65	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8f9a594b-d232-44ec-9238-2876a085704e	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7ed40230-319c-40a0-985f-a4d97e6e68d0	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ba30c8fe-4ea9-47dd-bb69-ec9fdc1e0427	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_985f9388-4a1c-4e0d-8706-b38d511a8ff7	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266cb6ac-a82f-43d1-a787-f5aff7323218	powershell.exe
File opened for modification	C:\Windows\system32\csvwvr.exe	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_eecc82e5-f2ea-45ca-81b3-bcb7ceb32639	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7479a4b0-3992-413f-90dd-9be4453c1641	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d08d477f-1519-44cf-b1bd-19b2686bfdb6	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fc15c89-c8f3-4ef0-8bd3-9642364a0fed	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0283a92-232a-4ec4-81ef-d8a6085fbc0c	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c6b713d7-72b2-4007-af21-6faa758ecf08	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6744f1f8-8095-42ce-9964-db35471b75f5	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6b218b08-911b-4871-9158-f78e1830e08c	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_be73a89f-7e35-48e1-8024-f87369fe62a6	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5ea39c10-8a7e-4ffa-8f6c-33b15bed8393	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9916baa-9dc5-4042-b312-9a9f550f335f	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ebf3fc7-0bec-4124-a1a6-672d3391c0e9	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

240 ipconfig.exe
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXEEQNEDT32.EXE

pid process

1708 EQNEDT32.EXE
1636 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
240	ipconfig.exe

pid	process
1708	EQNEDT32.EXE
1636	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Modifies data under HKEY_USERS 4 IoCs

Processes:

powershell.execalc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e07893ac77cdd601	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Calc	calc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Calc\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b0000004b0000006b030000a3020000	calc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

548 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1080 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

944 powershell.exe
944 powershell.exe
332 powershell.exe

pid	process
548	PING.EXE

pid	process
1080	WINWORD.EXE

pid	process
944	powershell.exe
944	powershell.exe
332	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

svchost.exepowershell.exepowershell.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	604	svchost.exe
Token: SeAuditPrivilege	604	svchost.exe
Token: SeBackupPrivilege	604	svchost.exe
Token: SeChangeNotifyPrivilege	604	svchost.exe
Token: SeCreateGlobalPrivilege	604	svchost.exe
Token: SeCreatePagefilePrivilege	604	svchost.exe
Token: SeCreatePermanentPrivilege	604	svchost.exe
Token: 35	604	svchost.exe
Token: SeCreateTokenPrivilege	604	svchost.exe
Token: SeDebugPrivilege	604	svchost.exe
Token: SeEnableDelegationPrivilege	604	svchost.exe
Token: SeImpersonatePrivilege	604	svchost.exe
Token: SeIncBasePriorityPrivilege	604	svchost.exe
Token: SeIncreaseQuotaPrivilege	604	svchost.exe
Token: 33	604	svchost.exe
Token: SeLoadDriverPrivilege	604	svchost.exe
Token: SeLockMemoryPrivilege	604	svchost.exe
Token: SeMachineAccountPrivilege	604	svchost.exe
Token: SeManageVolumePrivilege	604	svchost.exe
Token: SeProfSingleProcessPrivilege	604	svchost.exe
Token: 32	604	svchost.exe
Token: SeRemoteShutdownPrivilege	604	svchost.exe
Token: SeRestorePrivilege	604	svchost.exe
Token: SeSecurityPrivilege	604	svchost.exe
Token: SeShutdownPrivilege	604	svchost.exe
Token: SeSyncAgentPrivilege	604	svchost.exe
Token: SeSystemEnvironmentPrivilege	604	svchost.exe
Token: SeSystemProfilePrivilege	604	svchost.exe
Token: SeSystemtimePrivilege	604	svchost.exe
Token: SeTakeOwnershipPrivilege	604	svchost.exe
Token: SeTcbPrivilege	604	svchost.exe
Token: 34	604	svchost.exe
Token: 31	604	svchost.exe
Token: SeUndockPrivilege	604	svchost.exe
Token: 0	604	svchost.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1080 WINWORD.EXE
1080 WINWORD.EXE

pid	process
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

EQNEDT32.EXEcmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 1560	1636	EQNEDT32.EXE	cmd.exe
PID 1636 wrote to memory of 1560	1636	EQNEDT32.EXE	cmd.exe
PID 1636 wrote to memory of 1560	1636	EQNEDT32.EXE	cmd.exe
PID 1636 wrote to memory of 1560	1636	EQNEDT32.EXE	cmd.exe
PID 1560 wrote to memory of 604	1560	cmd.exe	svchost.exe
PID 1560 wrote to memory of 604	1560	cmd.exe	svchost.exe
PID 1560 wrote to memory of 604	1560	cmd.exe	svchost.exe
PID 1560 wrote to memory of 604	1560	cmd.exe	svchost.exe
PID 268 wrote to memory of 944	268	cmd.exe	powershell.exe
PID 268 wrote to memory of 944	268	cmd.exe	powershell.exe
PID 268 wrote to memory of 944	268	cmd.exe	powershell.exe
PID 1840 wrote to memory of 1988	1840	cmd.exe	svchost.exe
PID 1840 wrote to memory of 1988	1840	cmd.exe	svchost.exe
PID 1840 wrote to memory of 1988	1840	cmd.exe	svchost.exe
PID 896 wrote to memory of 548	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 548	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 548	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 240	896	cmd.exe	ipconfig.exe
PID 896 wrote to memory of 240	896	cmd.exe	ipconfig.exe
PID 896 wrote to memory of 240	896	cmd.exe	ipconfig.exe
PID 896 wrote to memory of 1392	896	cmd.exe	reg.exe
PID 896 wrote to memory of 1392	896	cmd.exe	reg.exe
PID 896 wrote to memory of 1392	896	cmd.exe	reg.exe
PID 896 wrote to memory of 960	896	cmd.exe	reg.exe
PID 896 wrote to memory of 960	896	cmd.exe	reg.exe
PID 896 wrote to memory of 960	896	cmd.exe	reg.exe
PID 896 wrote to memory of 1000	896	cmd.exe	reg.exe
PID 896 wrote to memory of 1000	896	cmd.exe	reg.exe
PID 896 wrote to memory of 1000	896	cmd.exe	reg.exe
PID 896 wrote to memory of 1636	896	cmd.exe	conhost.exe
PID 896 wrote to memory of 1636	896	cmd.exe	conhost.exe
PID 896 wrote to memory of 1636	896	cmd.exe	conhost.exe
PID 896 wrote to memory of 332	896	cmd.exe	powershell.exe
PID 896 wrote to memory of 332	896	cmd.exe	powershell.exe
PID 896 wrote to memory of 332	896	cmd.exe	powershell.exe
PID 896 wrote to memory of 1948	896	cmd.exe	svchost.exe
PID 896 wrote to memory of 1948	896	cmd.exe	svchost.exe
PID 896 wrote to memory of 1948	896	cmd.exe	svchost.exe
PID 896 wrote to memory of 1692	896	cmd.exe	calc.exe
PID 896 wrote to memory of 1692	896	cmd.exe	calc.exe
PID 896 wrote to memory of 1692	896	cmd.exe	calc.exe
PID 1584 wrote to memory of 1744	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1744	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1744	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1752	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1752	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1752	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1076	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1076	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1076	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 240	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 240	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 240	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1576	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1576	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1576	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 916	1584	cmd.exe	runas.exe
PID 1584 wrote to memory of 916	1584	cmd.exe	runas.exe
PID 1584 wrote to memory of 916	1584	cmd.exe	runas.exe
PID 1584 wrote to memory of 1796	1584	cmd.exe	runas.exe
PID 1584 wrote to memory of 1796	1584	cmd.exe	runas.exe
PID 1584 wrote to memory of 1796	1584	cmd.exe	runas.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Password_Recovery.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:1708

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c%tmp%\svchost.exe AC
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe AC
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
5⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\svchost.exe
svchost.exe
5⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\system32\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:548

C:\Windows\system32\ipconfig.exe
ipconfig
5⤵
- Gathers network information
PID:240

C:\Windows\system32\reg.exe
reg
5⤵
PID:1392

C:\Windows\system32\reg.exe
reg /?
5⤵
PID:960

C:\Windows\system32\reg.exe
REG DELETE *.*
5⤵
PID:1000

C:\Windows\system32\conhost.exe
conhost.exe
5⤵
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\svchost.exe
svchost.exe
5⤵
PID:1948

C:\Windows\system32\calc.exe
calc.exe
5⤵
- Modifies data under HKEY_USERS
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\cmd.exe
cmd.exe
5⤵
PID:1744

C:\Windows\system32\cmd.exe
cmd.exe
5⤵
PID:1752

C:\Windows\system32\cmd.exe
cmd.exe
5⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K test.bat
5⤵
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K test.bat
5⤵
PID:1576

C:\Windows\system32\runas.exe
runas /h
5⤵
PID:916

C:\Windows\system32\runas.exe
runas cmd.exe
5⤵
PID:1796

C:\Windows\system32\cmd.exe
cmd.exe /c echo gecizp > \\.\pipe\gecizp
1⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
f028af90d27f82513bca2ca140435b2a

SHA1
d3725f56a5b3c02db8100e315319ca35b6f200cc

SHA256
22cf28f589cbc3b2a381906a5d162b6e2b4f43ae5decc1c248dba444e1b65e62

SHA512
0ff38a544510ff23cbab0caedf051a8466d6f06f851a76e72dca6d83a6b5e0f8b49e8cd6d6a434f9b28932b052bce7ecafeb05abd9d1b898df432473bc742454

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
f028af90d27f82513bca2ca140435b2a

SHA1
d3725f56a5b3c02db8100e315319ca35b6f200cc

SHA256
22cf28f589cbc3b2a381906a5d162b6e2b4f43ae5decc1c248dba444e1b65e62

SHA512
0ff38a544510ff23cbab0caedf051a8466d6f06f851a76e72dca6d83a6b5e0f8b49e8cd6d6a434f9b28932b052bce7ecafeb05abd9d1b898df432473bc742454

Download Submit
C:\Users\Admin\Desktop\test.bat
MD5
afc3ba125d6a73ebd49f62b4100ae9db

SHA1
f5721c6b88eb4e38645f0abaaa6f9ebb2b3ab93c

SHA256
0c2ec8ec3a1f9ead9b2b50c6d2884a0f84b5d538ea1c72e20d08793213c4bbb3

SHA512
7980afcc1d4835b3c78470a688c31ed633b46fe5e2c8793ef3f713c15e2b9be7c7ccfd811ccb442119482b0920cfa6fb447753d9e27493cd0d7d225dd8f2d395

Download Submit
C:\test.bat
MD5
6db0c623da97ebd70852685cbf988a0c

SHA1
8d400ed92604507d295ad11634043ea0647a4765

SHA256
32ac0564956ac33bf66fdd9ca143ff71d72a2dc57393f1b1486549d6ec48f872

SHA512
70e24f8f2270aed29ea4fdbdefbf25a1188eda77937f2582fb5cff27bb03c8bda4496f878e501152516880e1347c84aa07c0831c24ef720b7b328c4ca4d2974e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
f028af90d27f82513bca2ca140435b2a

SHA1
d3725f56a5b3c02db8100e315319ca35b6f200cc

SHA256
22cf28f589cbc3b2a381906a5d162b6e2b4f43ae5decc1c248dba444e1b65e62

SHA512
0ff38a544510ff23cbab0caedf051a8466d6f06f851a76e72dca6d83a6b5e0f8b49e8cd6d6a434f9b28932b052bce7ecafeb05abd9d1b898df432473bc742454

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
f028af90d27f82513bca2ca140435b2a

SHA1
d3725f56a5b3c02db8100e315319ca35b6f200cc

SHA256
22cf28f589cbc3b2a381906a5d162b6e2b4f43ae5decc1c248dba444e1b65e62

SHA512
0ff38a544510ff23cbab0caedf051a8466d6f06f851a76e72dca6d83a6b5e0f8b49e8cd6d6a434f9b28932b052bce7ecafeb05abd9d1b898df432473bc742454

Download Submit
memory/240-18-0x0000000000000000-mapping.dmp

Download
memory/240-84-0x0000000000000000-mapping.dmp

Download
memory/240-83-0x0000000000000000-mapping.dmp

Download
memory/332-56-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/332-41-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/332-57-0x000000001A910000-0x000000001A911000-memory.dmp

Filesize
4KB

Download
memory/332-38-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/332-49-0x000000001B690000-0x000000001B691000-memory.dmp

Filesize
4KB

Download
memory/332-72-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/332-48-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/332-71-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/332-40-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/332-39-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/332-23-0x0000000000000000-mapping.dmp

Download
memory/332-24-0x0000000000000000-mapping.dmp

Download
memory/332-25-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/332-32-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/332-37-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/548-17-0x0000000000000000-mapping.dmp

Download
memory/604-6-0x0000000000000000-mapping.dmp

Download
memory/916-89-0x0000000000000000-mapping.dmp

Download
memory/944-12-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/944-10-0x0000000000000000-mapping.dmp

Download
memory/944-15-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/944-14-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/944-13-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/944-11-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/960-20-0x0000000000000000-mapping.dmp

Download
memory/1000-21-0x0000000000000000-mapping.dmp

Download
memory/1076-82-0x0000000000000000-mapping.dmp

Download
memory/1076-81-0x0000000000000000-mapping.dmp

Download
memory/1392-19-0x0000000000000000-mapping.dmp

Download
memory/1560-2-0x0000000000000000-mapping.dmp

Download
memory/1576-86-0x0000000000000000-mapping.dmp

Download
memory/1576-87-0x0000000000000000-mapping.dmp

Download
memory/1636-22-0x0000000000000000-mapping.dmp

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1692-75-0x0000000000000000-mapping.dmp

Download
memory/1744-78-0x0000000000000000-mapping.dmp

Download
memory/1744-77-0x0000000000000000-mapping.dmp

Download
memory/1752-79-0x0000000000000000-mapping.dmp

Download
memory/1752-80-0x0000000000000000-mapping.dmp

Download
memory/1796-90-0x0000000000000000-mapping.dmp

Download
memory/1948-73-0x0000000000000000-mapping.dmp

Download
memory/1948-74-0x0000000000000000-mapping.dmp

Download
memory/1988-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads