63390e4e08966692a6abface224e660cb3708addc00a570e185cafe73368b524

Analysis

max time kernel
137s
max time network
126s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lv.exe.1.exe
Size

5.2MB
MD5

84920b4d07d67e5a19e63fd881121945
SHA1

453625e1c1638fa1b687f203b46ff00225d5217d
SHA256

63390e4e08966692a6abface224e660cb3708addc00a570e185cafe73368b524
SHA512

09118e3a49863561ca34be4bb8128bd17106ebad5113ce076c6637abd8258743d164b5244cf389df21ded3f1e2a3e88105b3e1a986fc7cf13fa020bb730933ca

Score

9^/10

discovery evasion spyware upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

25 548 RUNDLL32.EXE
31 1828 WScript.exe
33 1828 WScript.exe
35 1828 WScript.exe
37 1828 WScript.exe
Executes dropped EXE 5 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exekxgcofgdb.exe

pid process

3144 4_ico.exe
3784 6_ico.exe
3156 vpn_ico.exe
504 SmartClock.exe
3228 kxgcofgdb.exe

flow	pid	process
25	548	RUNDLL32.EXE
31	1828	WScript.exe
33	1828	WScript.exe
35	1828	WScript.exe
37	1828	WScript.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe	upx
C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6_ico.exe4_ico.exevpn_ico.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	4_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SmartClock.exe

Loads dropped DLL 3 IoCs

Processes:

lv.exe.1.exerundll32.exeRUNDLL32.EXE

pid process

60 lv.exe.1.exe
2780 rundll32.exe
548 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4_ico.exevpn_ico.exe6_ico.exeSmartClock.exe

pid process

3144 4_ico.exe
3156 vpn_ico.exe
3784 6_ico.exe
504 SmartClock.exe

pid	process
60	lv.exe.1.exe
2780	rundll32.exe
548	RUNDLL32.EXE

flow	ioc
11	ip-api.com

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn_ico.exeRUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3116 timeout.exe
2820 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings vpn_ico.exe

pid	process
3116	timeout.exe
2820	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

504 SmartClock.exe

pid	process
504	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3144	4_ico.exe
3144	4_ico.exe
3784	6_ico.exe
3784	6_ico.exe
3156	vpn_ico.exe
3156	vpn_ico.exe
504	SmartClock.exe
504	SmartClock.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe
548	RUNDLL32.EXE
548	RUNDLL32.EXE
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2780	rundll32.exe
Token: SeDebugPrivilege	548	RUNDLL32.EXE
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

548 RUNDLL32.EXE

pid	process
548	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

lv.exe.1.exe4_ico.exevpn_ico.exe6_ico.execmd.execmd.exekxgcofgdb.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 60 wrote to memory of 3144	60	lv.exe.1.exe	4_ico.exe
PID 60 wrote to memory of 3144	60	lv.exe.1.exe	4_ico.exe
PID 60 wrote to memory of 3144	60	lv.exe.1.exe	4_ico.exe
PID 60 wrote to memory of 3784	60	lv.exe.1.exe	6_ico.exe
PID 60 wrote to memory of 3784	60	lv.exe.1.exe	6_ico.exe
PID 60 wrote to memory of 3784	60	lv.exe.1.exe	6_ico.exe
PID 60 wrote to memory of 3156	60	lv.exe.1.exe	vpn_ico.exe
PID 60 wrote to memory of 3156	60	lv.exe.1.exe	vpn_ico.exe
PID 60 wrote to memory of 3156	60	lv.exe.1.exe	vpn_ico.exe
PID 3144 wrote to memory of 504	3144	4_ico.exe	SmartClock.exe
PID 3144 wrote to memory of 504	3144	4_ico.exe	SmartClock.exe
PID 3144 wrote to memory of 504	3144	4_ico.exe	SmartClock.exe
PID 3156 wrote to memory of 3228	3156	vpn_ico.exe	kxgcofgdb.exe
PID 3156 wrote to memory of 3228	3156	vpn_ico.exe	kxgcofgdb.exe
PID 3156 wrote to memory of 3228	3156	vpn_ico.exe	kxgcofgdb.exe
PID 3156 wrote to memory of 348	3156	vpn_ico.exe	WScript.exe
PID 3156 wrote to memory of 348	3156	vpn_ico.exe	WScript.exe
PID 3156 wrote to memory of 348	3156	vpn_ico.exe	WScript.exe
PID 3784 wrote to memory of 2248	3784	6_ico.exe	cmd.exe
PID 3784 wrote to memory of 2248	3784	6_ico.exe	cmd.exe
PID 3784 wrote to memory of 2248	3784	6_ico.exe	cmd.exe
PID 2248 wrote to memory of 3116	2248	cmd.exe	timeout.exe
PID 2248 wrote to memory of 3116	2248	cmd.exe	timeout.exe
PID 2248 wrote to memory of 3116	2248	cmd.exe	timeout.exe
PID 3784 wrote to memory of 660	3784	6_ico.exe	cmd.exe
PID 3784 wrote to memory of 660	3784	6_ico.exe	cmd.exe
PID 3784 wrote to memory of 660	3784	6_ico.exe	cmd.exe
PID 660 wrote to memory of 2820	660	cmd.exe	timeout.exe
PID 660 wrote to memory of 2820	660	cmd.exe	timeout.exe
PID 660 wrote to memory of 2820	660	cmd.exe	timeout.exe
PID 3228 wrote to memory of 2780	3228	kxgcofgdb.exe	rundll32.exe
PID 3228 wrote to memory of 2780	3228	kxgcofgdb.exe	rundll32.exe
PID 3228 wrote to memory of 2780	3228	kxgcofgdb.exe	rundll32.exe
PID 2780 wrote to memory of 548	2780	rundll32.exe	RUNDLL32.EXE
PID 2780 wrote to memory of 548	2780	rundll32.exe	RUNDLL32.EXE
PID 2780 wrote to memory of 548	2780	rundll32.exe	RUNDLL32.EXE
PID 548 wrote to memory of 4048	548	RUNDLL32.EXE	powershell.exe
PID 548 wrote to memory of 4048	548	RUNDLL32.EXE	powershell.exe
PID 548 wrote to memory of 4048	548	RUNDLL32.EXE	powershell.exe
PID 3156 wrote to memory of 1828	3156	vpn_ico.exe	WScript.exe
PID 3156 wrote to memory of 1828	3156	vpn_ico.exe	WScript.exe
PID 3156 wrote to memory of 1828	3156	vpn_ico.exe	WScript.exe
PID 548 wrote to memory of 2592	548	RUNDLL32.EXE	powershell.exe
PID 548 wrote to memory of 2592	548	RUNDLL32.EXE	powershell.exe
PID 548 wrote to memory of 2592	548	RUNDLL32.EXE	powershell.exe
PID 2592 wrote to memory of 3764	2592	powershell.exe	nslookup.exe
PID 2592 wrote to memory of 3764	2592	powershell.exe	nslookup.exe
PID 2592 wrote to memory of 3764	2592	powershell.exe	nslookup.exe
PID 548 wrote to memory of 3792	548	RUNDLL32.EXE	schtasks.exe
PID 548 wrote to memory of 3792	548	RUNDLL32.EXE	schtasks.exe
PID 548 wrote to memory of 3792	548	RUNDLL32.EXE	schtasks.exe
PID 548 wrote to memory of 1180	548	RUNDLL32.EXE	schtasks.exe
PID 548 wrote to memory of 1180	548	RUNDLL32.EXE	schtasks.exe
PID 548 wrote to memory of 1180	548	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\lv.exe.1.exe
"C:\Users\Admin\AppData\Local\Temp\lv.exe.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:504

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lejmidkhwlp & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:3116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lejmidkhwlp & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2820

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe
"C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KXGCOF~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\KXGCOF~1.EXE
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\KXGCOF~1.DLL,aRpP
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpBB18.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE269.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:3764

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:3792

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hudiujsffiwj.vbs"
3⤵
PID:348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trqkqdpbfa.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lejmidkhwlp\46173476.txt
MD5
e2c235b45b393651a3fa5a8ce723084e

SHA1
da74aae744ade5e0c31829eeca9f01bc63dac249

SHA256
38c60acee553da4ed8de04d3d468e78a680b9645cee505aa78b48ecaec33cb30

SHA512
5c7f5cba87a61a20b46eeae885d0cc4c79f417c432e790907caae0365988a7fc8203f9ee2ec90b474f0dfafaa3929d73416272bcbac03c05bfd7330bcc59728b

Download Submit
C:\ProgramData\lejmidkhwlp\8372422.txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\lejmidkhwlp\Files\_INFOR~1.TXT
MD5
c34a41c9fa74e5952d888b16829aa44f

SHA1
5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb

SHA256
cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f

SHA512
720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

Download Submit
C:\ProgramData\lejmidkhwlp\NL_202~1.ZIP
MD5
262f3893e04661c850161e4790d56c93

SHA1
f63ca3f6709b8a14aae47f57ae9fb1fc729c5211

SHA256
e2c18e41b7b3970cc198988a50af6d1360ab3bd5b0caae984c9acf57483abeda

SHA512
9943b3e3feb2b993e10cdd46fdeb11b27e17a11f7b6c16d0ff2bc69457869ba793fd5fb5c4c355fb7a2aad20539a9c12f74b0d5d3fd8ad5378378bbbb2736b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2bfc5bfcf144885a49eea684c08dc8bf

SHA1
90920d29134a8e8fe1e657eb30fc760d0be624a8

SHA256
b7ecd588c615bab0c714be21158bdbd59e1f6928fb5db7cb722c81e1487c4eac

SHA512
a388681e026808e93814bbc6edc940d6af714a08485ede8b3a57474d0aa4dfc7e3913dca8f10ba2352fdd211c74a5429205274b79cbb126b60ec15a21bd769f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KXGCOF~1.DLL
MD5
17e141221316b1e3a3fa2cc58fd6dd14

SHA1
15892b6ec1f12a7fc5c1f5713aafa26869ba6cc5

SHA256
75fa87392f0e7b4d9d73d55ab01f63db0196feb5878a6a3108902719f2b6ba52

SHA512
1a22f24a0100df771822581811897bb54cdb1cd3970217c34d5ef307080db36f94c0fa3f36f09e48cdf608bd70b542780f37891218b400744c69a1124f1d9e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
28c51cb777fc8b3fb7df6b1bdc1c7e03

SHA1
24c2dfbe1c367718fbfcc5fc6a2bfb2d425d366a

SHA256
c265e742691b3d174b27b037ee7800c28989b6d3c2595b06b71cf04574cafc03

SHA512
13627ebf98f8ee5cb810bd36b031acc7f554543f8fceb22acf94c40de1df593a473a6718afce4a15ca0b3d0e3abe88788cbc6a35b60da46825c338460c87cc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
28c51cb777fc8b3fb7df6b1bdc1c7e03

SHA1
24c2dfbe1c367718fbfcc5fc6a2bfb2d425d366a

SHA256
c265e742691b3d174b27b037ee7800c28989b6d3c2595b06b71cf04574cafc03

SHA512
13627ebf98f8ee5cb810bd36b031acc7f554543f8fceb22acf94c40de1df593a473a6718afce4a15ca0b3d0e3abe88788cbc6a35b60da46825c338460c87cc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
a5bd45032d411b03efc9eaedce7a37c2

SHA1
5e33357bd7107f4415ab33ce52625f20df47e343

SHA256
e87ac535cdef049f221d7aa3c5f5eb8e1495480321b5898c4a605503b8423674

SHA512
4ad7f72ef9f3e303f3ac2c6529f80a7c4046cebe83f25cda810cb5d40ac81e38714d392fea8d0ed534b01562f924b5e83ccf4806daa086fb3f16ff64a5b39c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
a5bd45032d411b03efc9eaedce7a37c2

SHA1
5e33357bd7107f4415ab33ce52625f20df47e343

SHA256
e87ac535cdef049f221d7aa3c5f5eb8e1495480321b5898c4a605503b8423674

SHA512
4ad7f72ef9f3e303f3ac2c6529f80a7c4046cebe83f25cda810cb5d40ac81e38714d392fea8d0ed534b01562f924b5e83ccf4806daa086fb3f16ff64a5b39c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
c0ffcf0a3850f75b4e080e282d83950e

SHA1
26ecc7690de6767626202b0036992b4fc3826ed8

SHA256
b4725df9c9daeee5ec97533ff63a7629e45ad047ee43befb8d3d76ba2c0c21ca

SHA512
ecb8f0862790520caa3445f667ca2a40b11d02a63b94aca9d8c4bee11b2435e554cb580ca71e0ebda9c5edd19ad6c6d28b96d5fa41b11a1ccc7a82df035a1f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
c0ffcf0a3850f75b4e080e282d83950e

SHA1
26ecc7690de6767626202b0036992b4fc3826ed8

SHA256
b4725df9c9daeee5ec97533ff63a7629e45ad047ee43befb8d3d76ba2c0c21ca

SHA512
ecb8f0862790520caa3445f667ca2a40b11d02a63b94aca9d8c4bee11b2435e554cb580ca71e0ebda9c5edd19ad6c6d28b96d5fa41b11a1ccc7a82df035a1f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hudiujsffiwj.vbs
MD5
26ff94f552c85eaba6c1f770f72fd548

SHA1
12661948bbfc2911c066b78a0340bbf5ba8591c3

SHA256
a7860d83ebae8992371e15b604d582d4c3b506ea5367939480ee48e33e03b62d

SHA512
8401494d1b9f74f26376195034c021aa808f639521f3cb5202f52ab45c3bc850372cbf293603198de287f0161a39482d4092e488d039e808e6d6690477a5b452

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe
MD5
cf45aaae14ccdd5a2ff0f675c86a2ba0

SHA1
97c68000ce732fb698b25dfb9bb598dbe5c7e3b9

SHA256
44483c34a2668610d6b6bd1a94914e8c2bf2f2eacddb3eff12a0064ab7a5db52

SHA512
9a08fb66c3753b2fad09d36e4d79f1591cecd67c98e88675f5090381fe3abeb56f683e41c707772b92a00fac58f4b044db7c621d0c71a8d1fbe4bed3a9e95954

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe
MD5
cf45aaae14ccdd5a2ff0f675c86a2ba0

SHA1
97c68000ce732fb698b25dfb9bb598dbe5c7e3b9

SHA256
44483c34a2668610d6b6bd1a94914e8c2bf2f2eacddb3eff12a0064ab7a5db52

SHA512
9a08fb66c3753b2fad09d36e4d79f1591cecd67c98e88675f5090381fe3abeb56f683e41c707772b92a00fac58f4b044db7c621d0c71a8d1fbe4bed3a9e95954

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB18.tmp.ps1
MD5
76e565510b9e68500746c384ab893ba8

SHA1
ae597c82eab73c3d0864f05eb54661e3ff3dd356

SHA256
13655cb44649235eda7c28a7e08026e09030907dfb004ac31e9b4c40c8e4fcd8

SHA512
0e4dba498f1f0d4233b555b8699949ef526aab63386f80c6d706d51e752a8b57093701fea53d8e056e41d60b6bf75206a83ec121c923918c71954559d6775a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB19.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE269.tmp.ps1
MD5
627134ce88dd2a4cd33f75dedcca13af

SHA1
bdf7863281963dc6262b8def08745201fa53b866

SHA256
595d1c3a8da1f506b14cc3968d89085502968fb72b21f6d02578eaaee8f32481

SHA512
25837b03bd054b70ef5251070d2ba8afcbe3638dc29ac316f640850a254ea9bf481da0914c230cda286b85a897987b28f8439d933f49fdd964e8d4d21790c5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE279.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\trqkqdpbfa.vbs
MD5
2ac1e4bb9ee94a4cb3ebeb62398c9d01

SHA1
7b91b6e27ec27f46b23db2557ce9d9b655706e79

SHA256
8eeeb6a1ec95d51c916021474ccedfd62584a9bbca0b20548969a7f37069de62

SHA512
48625b870aaad5027b5e9f335a53543a75a5f4b23144f1883020d923a7d3b5257d4d7ab312c94291779ec24fa850c031296f091e2b6df7ab8090dfbc7691db98

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
28c51cb777fc8b3fb7df6b1bdc1c7e03

SHA1
24c2dfbe1c367718fbfcc5fc6a2bfb2d425d366a

SHA256
c265e742691b3d174b27b037ee7800c28989b6d3c2595b06b71cf04574cafc03

SHA512
13627ebf98f8ee5cb810bd36b031acc7f554543f8fceb22acf94c40de1df593a473a6718afce4a15ca0b3d0e3abe88788cbc6a35b60da46825c338460c87cc62

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
28c51cb777fc8b3fb7df6b1bdc1c7e03

SHA1
24c2dfbe1c367718fbfcc5fc6a2bfb2d425d366a

SHA256
c265e742691b3d174b27b037ee7800c28989b6d3c2595b06b71cf04574cafc03

SHA512
13627ebf98f8ee5cb810bd36b031acc7f554543f8fceb22acf94c40de1df593a473a6718afce4a15ca0b3d0e3abe88788cbc6a35b60da46825c338460c87cc62

Download Submit
\Users\Admin\AppData\Local\Temp\KXGCOF~1.DLL
MD5
17e141221316b1e3a3fa2cc58fd6dd14

SHA1
15892b6ec1f12a7fc5c1f5713aafa26869ba6cc5

SHA256
75fa87392f0e7b4d9d73d55ab01f63db0196feb5878a6a3108902719f2b6ba52

SHA512
1a22f24a0100df771822581811897bb54cdb1cd3970217c34d5ef307080db36f94c0fa3f36f09e48cdf608bd70b542780f37891218b400744c69a1124f1d9e14

Download Submit
\Users\Admin\AppData\Local\Temp\KXGCOF~1.DLL
MD5
17e141221316b1e3a3fa2cc58fd6dd14

SHA1
15892b6ec1f12a7fc5c1f5713aafa26869ba6cc5

SHA256
75fa87392f0e7b4d9d73d55ab01f63db0196feb5878a6a3108902719f2b6ba52

SHA512
1a22f24a0100df771822581811897bb54cdb1cd3970217c34d5ef307080db36f94c0fa3f36f09e48cdf608bd70b542780f37891218b400744c69a1124f1d9e14

Download Submit
\Users\Admin\AppData\Local\Temp\nsp6B92.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/348-26-0x0000000000000000-mapping.dmp

Download
memory/504-18-0x0000000000000000-mapping.dmp

Download
memory/504-22-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/504-21-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/548-41-0x0000000000000000-mapping.dmp

Download
memory/548-44-0x0000000005170000-0x00000000057CF000-memory.dmp

Filesize
6.4MB

Download
memory/660-35-0x0000000000000000-mapping.dmp

Download
memory/1180-83-0x0000000000000000-mapping.dmp

Download
memory/1828-53-0x0000000000000000-mapping.dmp

Download
memory/2248-29-0x0000000000000000-mapping.dmp

Download
memory/2592-66-0x0000000070BB0000-0x000000007129E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-72-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/2592-75-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/2592-64-0x0000000000000000-mapping.dmp

Download
memory/2780-40-0x0000000005050000-0x00000000056AF000-memory.dmp

Filesize
6.4MB

Download
memory/2780-37-0x0000000000000000-mapping.dmp

Download
memory/2820-36-0x0000000000000000-mapping.dmp

Download
memory/3116-34-0x0000000000000000-mapping.dmp

Download
memory/3144-3-0x0000000000000000-mapping.dmp

Download
memory/3144-13-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3144-12-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/3156-17-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/3156-15-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3156-9-0x0000000000000000-mapping.dmp

Download
memory/3228-23-0x0000000000000000-mapping.dmp

Download
memory/3228-28-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3764-80-0x0000000000000000-mapping.dmp

Download
memory/3784-14-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3784-6-0x0000000000000000-mapping.dmp

Download
memory/3784-16-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3792-82-0x0000000000000000-mapping.dmp

Download
memory/4048-57-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/4048-45-0x0000000000000000-mapping.dmp

Download
memory/4048-62-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/4048-48-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/4048-47-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4048-60-0x0000000009D10000-0x0000000009D11000-memory.dmp

Filesize
4KB

Download
memory/4048-46-0x0000000070E60000-0x000000007154E000-memory.dmp

Filesize
6.9MB

Download
memory/4048-61-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/4048-59-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/4048-49-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/4048-51-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/4048-56-0x00000000082F0000-0x00000000082F1000-memory.dmp

Filesize
4KB

Download
memory/4048-55-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/4048-50-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/4048-52-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download