cryptbot | 497c07b12b4e7f9082b872ef2aac2e9619f1dbc82c94993724cd246dd54b38c4

Analysis

max time kernel
146s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
22-05-2021 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

298b235d48e3c7d8b6c8df1635db47cc.exe
Size

754KB
MD5

298b235d48e3c7d8b6c8df1635db47cc
SHA1

25e305503957099453b98d7590bcd651236ff076
SHA256

497c07b12b4e7f9082b872ef2aac2e9619f1dbc82c94993724cd246dd54b38c4
SHA512

cb48aabf0f377676ea9cc23c35465f3d7b1d47005261fdee00af41705f835696406dee4429d8d7fd41a7c5d6c1dbaa156bbca70f8744fd9091ddd0c1c113e75d

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

sogxjp62.top

morgyu06.top

Attributes

payload_url
http://doucsy08.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1892-114-0x0000000002170000-0x0000000002251000-memory.dmp	family_cryptbot
behavioral2/memory/1892-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/1300-155-0x0000000000460000-0x00000000005AA000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 8 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow	pid	process
35	2304	RUNDLL32.EXE
37	2788	WScript.exe
39	2788	WScript.exe
41	2788	WScript.exe
43	2788	WScript.exe
44	2304	RUNDLL32.EXE
45	2304	RUNDLL32.EXE
48	2304	RUNDLL32.EXE

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

xHDqqg.exevpn.exe4.exeQuali.exe.comQuali.exe.comSmartClock.exeQuali.exe.comgdmigkxmlik.exe

pid process

1292 xHDqqg.exe
2148 vpn.exe
512 4.exe
1216 Quali.exe.com
2576 Quali.exe.com
1300 SmartClock.exe
1604 Quali.exe.com
3768 gdmigkxmlik.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

xHDqqg.exerundll32.exeRUNDLL32.EXE

pid process

1292 xHDqqg.exe
2736 rundll32.exe
2736 rundll32.exe
2304 RUNDLL32.EXE
2304 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quali.exe.com

description pid process target process

PID 2576 set thread context of 1604 2576 Quali.exe.com Quali.exe.com

pid	process
1292	xHDqqg.exe
2148	vpn.exe
512	4.exe
1216	Quali.exe.com
2576	Quali.exe.com
1300	SmartClock.exe
1604	Quali.exe.com
3768	gdmigkxmlik.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
1292	xHDqqg.exe
2736	rundll32.exe
2736	rundll32.exe
2304	RUNDLL32.EXE
2304	RUNDLL32.EXE

flow	ioc
22	ip-api.com

description	pid	process	target process
PID 2576 set thread context of 1604	2576	Quali.exe.com	Quali.exe.com

Drops file in Program Files directory 3 IoCs

Processes:

xHDqqg.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	xHDqqg.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	xHDqqg.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	xHDqqg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

298b235d48e3c7d8b6c8df1635db47cc.exeQuali.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	298b235d48e3c7d8b6c8df1635db47cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	298b235d48e3c7d8b6c8df1635db47cc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Quali.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Quali.exe.com

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3156 timeout.exe
Modifies registry class 1 IoCs

Processes:

Quali.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Quali.exe.com

pid	process
3156	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Quali.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

664 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1300 SmartClock.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 2736 rundll32.exe
Token: SeDebugPrivilege 2304 RUNDLL32.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

298b235d48e3c7d8b6c8df1635db47cc.exe

pid process

1892 298b235d48e3c7d8b6c8df1635db47cc.exe
1892 298b235d48e3c7d8b6c8df1635db47cc.exe

pid	process
664	PING.EXE

pid	process
1300	SmartClock.exe

description	pid	process
Token: SeDebugPrivilege	2736	rundll32.exe
Token: SeDebugPrivilege	2304	RUNDLL32.EXE

pid	process
1892	298b235d48e3c7d8b6c8df1635db47cc.exe
1892	298b235d48e3c7d8b6c8df1635db47cc.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

298b235d48e3c7d8b6c8df1635db47cc.execmd.exexHDqqg.exevpn.execmd.execmd.exeQuali.exe.comcmd.exe4.exeQuali.exe.comQuali.exe.comgdmigkxmlik.exerundll32.exe

description	pid	process	target process
PID 1892 wrote to memory of 3544	1892	298b235d48e3c7d8b6c8df1635db47cc.exe	cmd.exe
PID 1892 wrote to memory of 3544	1892	298b235d48e3c7d8b6c8df1635db47cc.exe	cmd.exe
PID 1892 wrote to memory of 3544	1892	298b235d48e3c7d8b6c8df1635db47cc.exe	cmd.exe
PID 3544 wrote to memory of 1292	3544	cmd.exe	xHDqqg.exe
PID 3544 wrote to memory of 1292	3544	cmd.exe	xHDqqg.exe
PID 3544 wrote to memory of 1292	3544	cmd.exe	xHDqqg.exe
PID 1292 wrote to memory of 2148	1292	xHDqqg.exe	vpn.exe
PID 1292 wrote to memory of 2148	1292	xHDqqg.exe	vpn.exe
PID 1292 wrote to memory of 2148	1292	xHDqqg.exe	vpn.exe
PID 1292 wrote to memory of 512	1292	xHDqqg.exe	4.exe
PID 1292 wrote to memory of 512	1292	xHDqqg.exe	4.exe
PID 1292 wrote to memory of 512	1292	xHDqqg.exe	4.exe
PID 2148 wrote to memory of 2796	2148	vpn.exe	cmd.exe
PID 2148 wrote to memory of 2796	2148	vpn.exe	cmd.exe
PID 2148 wrote to memory of 2796	2148	vpn.exe	cmd.exe
PID 2796 wrote to memory of 1820	2796	cmd.exe	cmd.exe
PID 2796 wrote to memory of 1820	2796	cmd.exe	cmd.exe
PID 2796 wrote to memory of 1820	2796	cmd.exe	cmd.exe
PID 1820 wrote to memory of 2788	1820	cmd.exe	findstr.exe
PID 1820 wrote to memory of 2788	1820	cmd.exe	findstr.exe
PID 1820 wrote to memory of 2788	1820	cmd.exe	findstr.exe
PID 1820 wrote to memory of 1216	1820	cmd.exe	Quali.exe.com
PID 1820 wrote to memory of 1216	1820	cmd.exe	Quali.exe.com
PID 1820 wrote to memory of 1216	1820	cmd.exe	Quali.exe.com
PID 1820 wrote to memory of 664	1820	cmd.exe	PING.EXE
PID 1820 wrote to memory of 664	1820	cmd.exe	PING.EXE
PID 1820 wrote to memory of 664	1820	cmd.exe	PING.EXE
PID 1892 wrote to memory of 412	1892	298b235d48e3c7d8b6c8df1635db47cc.exe	cmd.exe
PID 1892 wrote to memory of 412	1892	298b235d48e3c7d8b6c8df1635db47cc.exe	cmd.exe
PID 1892 wrote to memory of 412	1892	298b235d48e3c7d8b6c8df1635db47cc.exe	cmd.exe
PID 1216 wrote to memory of 2576	1216	Quali.exe.com	Quali.exe.com
PID 1216 wrote to memory of 2576	1216	Quali.exe.com	Quali.exe.com
PID 1216 wrote to memory of 2576	1216	Quali.exe.com	Quali.exe.com
PID 412 wrote to memory of 3156	412	cmd.exe	timeout.exe
PID 412 wrote to memory of 3156	412	cmd.exe	timeout.exe
PID 412 wrote to memory of 3156	412	cmd.exe	timeout.exe
PID 512 wrote to memory of 1300	512	4.exe	SmartClock.exe
PID 512 wrote to memory of 1300	512	4.exe	SmartClock.exe
PID 512 wrote to memory of 1300	512	4.exe	SmartClock.exe
PID 2576 wrote to memory of 1604	2576	Quali.exe.com	Quali.exe.com
PID 2576 wrote to memory of 1604	2576	Quali.exe.com	Quali.exe.com
PID 2576 wrote to memory of 1604	2576	Quali.exe.com	Quali.exe.com
PID 2576 wrote to memory of 1604	2576	Quali.exe.com	Quali.exe.com
PID 2576 wrote to memory of 1604	2576	Quali.exe.com	Quali.exe.com
PID 1604 wrote to memory of 3768	1604	Quali.exe.com	gdmigkxmlik.exe
PID 1604 wrote to memory of 3768	1604	Quali.exe.com	gdmigkxmlik.exe
PID 1604 wrote to memory of 3768	1604	Quali.exe.com	gdmigkxmlik.exe
PID 1604 wrote to memory of 3744	1604	Quali.exe.com	WScript.exe
PID 1604 wrote to memory of 3744	1604	Quali.exe.com	WScript.exe
PID 1604 wrote to memory of 3744	1604	Quali.exe.com	WScript.exe
PID 3768 wrote to memory of 2736	3768	gdmigkxmlik.exe	rundll32.exe
PID 3768 wrote to memory of 2736	3768	gdmigkxmlik.exe	rundll32.exe
PID 3768 wrote to memory of 2736	3768	gdmigkxmlik.exe	rundll32.exe
PID 2736 wrote to memory of 2304	2736	rundll32.exe	RUNDLL32.EXE
PID 2736 wrote to memory of 2304	2736	rundll32.exe	RUNDLL32.EXE
PID 2736 wrote to memory of 2304	2736	rundll32.exe	RUNDLL32.EXE
PID 1604 wrote to memory of 2788	1604	Quali.exe.com	WScript.exe
PID 1604 wrote to memory of 2788	1604	Quali.exe.com	WScript.exe
PID 1604 wrote to memory of 2788	1604	Quali.exe.com	WScript.exe

C:\Users\Admin\AppData\Local\Temp\298b235d48e3c7d8b6c8df1635db47cc.exe
"C:\Users\Admin\AppData\Local\Temp\298b235d48e3c7d8b6c8df1635db47cc.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\xHDqqg.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\xHDqqg.exe
    "C:\Users\Admin\AppData\Local\Temp\xHDqqg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo > C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe & cmd < Bagnava.docm
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^aayplFIulkmNYCqQVmOuXCiCCBEUgwsNXmOuMpmpVlqeYkNvneGPXpSQlCHJwNSpTMPmNUtMqFkMCtDdNivkcCPOHYVpCPiisRpjcgJEXUOaXyhyZdWTsGNsXwRPYUpkbtcLVsU$" Una.docm
        7⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com
        
        Quali.exe.com K
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com K
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com
        9⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\gdmigkxmlik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gdmigkxmlik.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\GDMIGK~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\GDMIGK~1.EXE
        11⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\GDMIGK~1.DLL,fkwyZI0=
        12⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tyjxonbnqrbe.vbs"
        10⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ratcpekia.vbs"
        10⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:2788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:664
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:1300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\298b235d48e3c7d8b6c8df1635db47cc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B39.tmp

MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bagnava.docm

MD5
6d91591519ea66e0e262137fa958f6bb

SHA1
b8c96bb870539cc27534e307d2a0a50536b9ea24

SHA256
d28dcce4c8f5f2a86ddccef5cbf462aed1369c85ff13392d07c1216a687358a3

SHA512
dbb9acbe330ac3d5278e259ec5801db0da7cf5d3c37642d9453d6a61f973f2be190696db65aa3a4286d70af758b595f2fd92a2cd4da72960ed12eb0faa5b5926

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Benedetto.docm

MD5
e361cf817e7bde2250db27edfaa426e1

SHA1
87c1b436798965afe8f48d782db13f68cb29fa89

SHA256
5df40cd5cf24a43fdea9d3b105143c52e23bc618294fcaa7c1679d12217df6a3

SHA512
b201516cdfe571da28f9bd7e0072831ed6ebba38df434bf10f2bd25ea1156ebf55c2090b5b891ac1f356cf1b6ac182ef16515b41ca96e84bd6f08cf3b6c87049

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Folle.docm

MD5
fb4ba1712f8f595afea2f5fff2cb8838

SHA1
bfae770c66a08ad6bf182abb3a0b05ece451ac0e

SHA256
8e344aaec51cae156ac264844cf2a1acff77c16b83fd64f3868d64153527291e

SHA512
74b576c9680012788df8a952a0ba2f4bd4ec6f08c19aaa41231748f2fdedcf2b3b12230fcfd3a29e05da1c49f2f3b8632f2e6889a79993f54e1fd7838b001638

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\K

MD5
fb4ba1712f8f595afea2f5fff2cb8838

SHA1
bfae770c66a08ad6bf182abb3a0b05ece451ac0e

SHA256
8e344aaec51cae156ac264844cf2a1acff77c16b83fd64f3868d64153527291e

SHA512
74b576c9680012788df8a952a0ba2f4bd4ec6f08c19aaa41231748f2fdedcf2b3b12230fcfd3a29e05da1c49f2f3b8632f2e6889a79993f54e1fd7838b001638

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quali.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Una.docm

MD5
36be1cad14893a17bb233bfda3570ef7

SHA1
b2696f7adcad16b35075728423a8b3bf9517c39e

SHA256
11d874c5e16d0e23952de0ec1a01a52106e0a470dc3b5d85bc6dc83a63c299ad

SHA512
29b439352348d5e91a610d1e6276d42d4a8bf0cea12b51e6eda1efa64b2f32fe842f3495fa12a4be379c548da107b6df650fca41321d0eb426e9c28f28b67af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\URGHVT~1.ZIP

MD5
e0a99a91dce4e0ece94467fb9c089790

SHA1
370f56c0d60dd356d60f337a4a2fda5149f94c60

SHA256
e8e51228df387e08433dbacc79641f4904768eee0eeab0d6f84e0ff83e6cb1d3

SHA512
60fc06b2ac1b93d2a5d0af949a52051ec85eb675956afc805112f37fa58ddd671e9c49d8d46790ee869d3918d9fba52440e100d888198adb5155cec92df4573d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\_Files\_Files\GRANTS~1.TXT

MD5
f0c9e4bf6410178da7e5256f34c5d5c2

SHA1
c783a23ece6351b20832613f60374fa30720280a

SHA256
f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1

SHA512
9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\_Files\_INFOR~1.TXT

MD5
4dc312983922800b17fcc96e1a6a6532

SHA1
3ff1b5fb410e92edb6cbaba3869acc2d26467279

SHA256
dd8ad5f406fb703677dbf07298d0aa14de8064a39cd138c212a390aaf15beb4f

SHA512
348260766b3970eb88e143f3e5d52eccbe70edabdf686cc4382443554128e2e04fe8f9a802203b45e1f08b7f3b52bd47611c7062cb9e88e6cd4752045f0e510e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\_Files\_SCREE~1.JPE

MD5
62afe962b321101920b44f69a80006f4

SHA1
d231326fb240547e64aa4c65acae166f731efbea

SHA256
0f8e6294209098661726ed7c0316c2907dd7dcdcb1d537c3098eaed3ad90b0c1

SHA512
7a87682cd5fee06cc234659083dac867a587f537f9aa6e773f3b4c0469d268a2f871d831dbe65813ae7d79ffe6ceea3ba8f24f50c880f2dcfe3e54aab68da65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\dHrVoJql.zip

MD5
747109a75bed9c6f2f7713901a8a4f1f

SHA1
9a672bb2c1786ee238229dd20b6050b17142d84f

SHA256
06adeb4d62b2ca5388b00d7816481f6176476acb405d3c24415e0eae761d26a3

SHA512
2f3911e82e92609f57ad1fd416ebf56223c22a597c85f7b4729624fdca9c3bb26f80307976927ea23d40942bba6496e489079e5b75ebce3b74f9586e936b7e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\files_\SCREEN~1.JPG

MD5
62afe962b321101920b44f69a80006f4

SHA1
d231326fb240547e64aa4c65acae166f731efbea

SHA256
0f8e6294209098661726ed7c0316c2907dd7dcdcb1d537c3098eaed3ad90b0c1

SHA512
7a87682cd5fee06cc234659083dac867a587f537f9aa6e773f3b4c0469d268a2f871d831dbe65813ae7d79ffe6ceea3ba8f24f50c880f2dcfe3e54aab68da65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\files_\SYSTEM~1.TXT

MD5
692d4cc8c5c9bb83ec66a1b626b2f29a

SHA1
0895aece60696f5e97d5fdefa2a5976ba800464e

SHA256
6275baa9da8c894f272a4537db32c04263a417b2b017fd31b9e9e4383161a717

SHA512
8c80d3cfb3054e5616cd621fa45a29975f2c6f18d143acdf7f9e8b7169e420dcc745580690cca8d8af20e6e7816f43cd79eb92d05afa79a480edc74a1f441c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQPKQJWJjy\files_\files\GRANTS~1.TXT

MD5
f0c9e4bf6410178da7e5256f34c5d5c2

SHA1
c783a23ece6351b20832613f60374fa30720280a

SHA256
f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1

SHA512
9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GDMIGK~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
d89428117f6b8105a3f82a6227beb798

SHA1
1f5a983000c77b9a48c37ba66ade86fe7fc88194

SHA256
0575e011406c166bba9c5a31dc8f7e9b9db0da2611914cae35058a38dcf885eb

SHA512
a319f05d876b1c58d0ca2a9da6d59d007b6e9cf29929c363aee7a90f6ceb112e531c2070f8286fd5474ad75d6a222c8b1ad0f7588033320ed07ffc3746532581

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
d89428117f6b8105a3f82a6227beb798

SHA1
1f5a983000c77b9a48c37ba66ade86fe7fc88194

SHA256
0575e011406c166bba9c5a31dc8f7e9b9db0da2611914cae35058a38dcf885eb

SHA512
a319f05d876b1c58d0ca2a9da6d59d007b6e9cf29929c363aee7a90f6ceb112e531c2070f8286fd5474ad75d6a222c8b1ad0f7588033320ed07ffc3746532581

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
aee5a865605b5989aac9dc26619e8db4

SHA1
71598920a8da767d75e9985d1e8d37f0230e8a6e

SHA256
928d1cdea8e7c379e597352efc955d709ec51860b745bd95cd9a362b89dbf821

SHA512
11ccf0e714bd7229839b82f6ba8110875264cd7ea3b3925df393aedb8888f3a6dcc1322e4893395e22bad24855d055ced187e428e8e0c864d1b88083c142ba28

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
aee5a865605b5989aac9dc26619e8db4

SHA1
71598920a8da767d75e9985d1e8d37f0230e8a6e

SHA256
928d1cdea8e7c379e597352efc955d709ec51860b745bd95cd9a362b89dbf821

SHA512
11ccf0e714bd7229839b82f6ba8110875264cd7ea3b3925df393aedb8888f3a6dcc1322e4893395e22bad24855d055ced187e428e8e0c864d1b88083c142ba28

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdmigkxmlik.exe

MD5
beb2a449b973db76de299f20677b9937

SHA1
1abd24306719b2f67a601f9c95bdb4e7cad590a8

SHA256
56c3ec1d1b78a4157909f0889ba2c38f5693f1fe2d0273f2796b445fd72e87d0

SHA512
ad7abc33d03ca4b188759f75b222270075ee71f5f44d4028f4a732c2ffa0c96d092105693a5cffb2fca4b0efa092a0212544882a7a9e50250972b9b0206617b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdmigkxmlik.exe

MD5
beb2a449b973db76de299f20677b9937

SHA1
1abd24306719b2f67a601f9c95bdb4e7cad590a8

SHA256
56c3ec1d1b78a4157909f0889ba2c38f5693f1fe2d0273f2796b445fd72e87d0

SHA512
ad7abc33d03ca4b188759f75b222270075ee71f5f44d4028f4a732c2ffa0c96d092105693a5cffb2fca4b0efa092a0212544882a7a9e50250972b9b0206617b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratcpekia.vbs

MD5
8f399d8e8cb4dc3b468e34b11bc00de3

SHA1
26162b5c1545cdeb3efd3ee3536ec5321e2d235c

SHA256
ebca9ba96a3875d18d47d70d148fe9296d6c5e9edbcbb1083c2b4be467b7fe3c

SHA512
01d25282c30fe91d43b45d8278e461592f57e057d292e3b588d8e3be55e20eaebc3946abbc146545a1751577050e81ab3b459ea37e47617cdbf342225706c692

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyjxonbnqrbe.vbs

MD5
5a453543b582d374a1d5b21221bd290c

SHA1
afecb789468dc7af20d8c19de1cd3fa3f3f28b31

SHA256
ff6ba7132e618b9325481211a7a78fb7ae449e3ebec5c23cf4464bc819c3c304

SHA512
dc53e6c632ce6172bef611ffaa435debc21c2de775fe0b14cc42b10eb57b2936cdc2643a191c6cc2a308221698fb75f575725d16c6349efb123ce26d046ffde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xHDqqg.exe

MD5
2809de5c1d9de29a85dcd05e179b70e4

SHA1
5d8814ebcaabf09d9e7b033e105371367a9e09f2

SHA256
ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32

SHA512
1e497983843c3b5b82f000a9602dc6ae64abc3a4841ebfc015d02686eba66a787e67215ba3d76b523020d0f053a5340fcabf092d231f1d59a8db011226b69bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xHDqqg.exe

MD5
2809de5c1d9de29a85dcd05e179b70e4

SHA1
5d8814ebcaabf09d9e7b033e105371367a9e09f2

SHA256
ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32

SHA512
1e497983843c3b5b82f000a9602dc6ae64abc3a4841ebfc015d02686eba66a787e67215ba3d76b523020d0f053a5340fcabf092d231f1d59a8db011226b69bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
d89428117f6b8105a3f82a6227beb798

SHA1
1f5a983000c77b9a48c37ba66ade86fe7fc88194

SHA256
0575e011406c166bba9c5a31dc8f7e9b9db0da2611914cae35058a38dcf885eb

SHA512
a319f05d876b1c58d0ca2a9da6d59d007b6e9cf29929c363aee7a90f6ceb112e531c2070f8286fd5474ad75d6a222c8b1ad0f7588033320ed07ffc3746532581

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
d89428117f6b8105a3f82a6227beb798

SHA1
1f5a983000c77b9a48c37ba66ade86fe7fc88194

SHA256
0575e011406c166bba9c5a31dc8f7e9b9db0da2611914cae35058a38dcf885eb

SHA512
a319f05d876b1c58d0ca2a9da6d59d007b6e9cf29929c363aee7a90f6ceb112e531c2070f8286fd5474ad75d6a222c8b1ad0f7588033320ed07ffc3746532581

Download Submit
\Users\Admin\AppData\Local\Temp\GDMIGK~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\GDMIGK~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\GDMIGK~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\GDMIGK~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsv555A.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/412-137-0x0000000000000000-mapping.dmp

Download
memory/512-123-0x0000000000000000-mapping.dmp

Download
memory/512-154-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/512-153-0x0000000001F40000-0x0000000001F66000-memory.dmp

Filesize
152KB

Download
memory/664-135-0x0000000000000000-mapping.dmp

Download
memory/1216-133-0x0000000000000000-mapping.dmp

Download
memory/1292-117-0x0000000000000000-mapping.dmp

Download
memory/1300-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1300-155-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/1300-150-0x0000000000000000-mapping.dmp

Download
memory/1604-158-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1604-160-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1820-129-0x0000000000000000-mapping.dmp

Download
memory/1892-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1892-114-0x0000000002170000-0x0000000002251000-memory.dmp

Filesize
900KB

Download
memory/2148-121-0x0000000000000000-mapping.dmp

Download
memory/2304-176-0x0000000000000000-mapping.dmp

Download
memory/2304-184-0x00000000053F1000-0x0000000005A50000-memory.dmp

Filesize
6.4MB

Download
memory/2304-182-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/2304-179-0x0000000004790000-0x0000000004D55000-memory.dmp

Filesize
5.8MB

Download
memory/2576-138-0x0000000000000000-mapping.dmp

Download
memory/2576-157-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/2736-170-0x0000000000000000-mapping.dmp

Download
memory/2736-181-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2736-180-0x0000000005471000-0x0000000005AD0000-memory.dmp

Filesize
6.4MB

Download
memory/2736-174-0x0000000004740000-0x0000000004D05000-memory.dmp

Filesize
5.8MB

Download
memory/2736-175-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2788-130-0x0000000000000000-mapping.dmp

Download
memory/2788-185-0x0000000000000000-mapping.dmp

Download
memory/2796-127-0x0000000000000000-mapping.dmp

Download
memory/3156-148-0x0000000000000000-mapping.dmp

Download
memory/3544-116-0x0000000000000000-mapping.dmp

Download
memory/3744-165-0x0000000000000000-mapping.dmp

Download
memory/3768-162-0x0000000000000000-mapping.dmp

Download
memory/3768-168-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3768-169-0x0000000000C40000-0x0000000000D8A000-memory.dmp

Filesize
1.3MB

Download
memory/3768-167-0x0000000002D80000-0x0000000003487000-memory.dmp

Filesize
7.0MB

Download