raccoon | a0154b4fabd2c805e493581d18ed2972032fbbd7558271a4317de4b61ac36653

Analysis

max time kernel
150s
max time network
181s
platform
windows7_x64
resource
win7v20210410
submitted
18-06-2021 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a9ae7b212ebc856dda3f75f372cec95.exe
Size

297KB
MD5

5a9ae7b212ebc856dda3f75f372cec95
SHA1

faa97e21b1dfa25ae4534361fc6a43351087e236
SHA256

a0154b4fabd2c805e493581d18ed2972032fbbd7558271a4317de4b61ac36653
SHA512

b4cae6e8774f3bbf84709eb1b0b07770f486b0c85c373ca6ca3d2b776aa3e36cf665f098e1f79b60e7f5f99201ddc97a52d6710a11cc4eb81d8196188059130a

Score

10^/10

raccoon redline smokeloader tofsee vidar 3 50f8ded12c46443e43915127b1219ac2fc439bb6 931 backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

50f8ded12c46443e43915127b1219ac2fc439bb6

Attributes

url4cnc
https://tttttt.me/mimimimaxormin

rc4.plain

Extracted

Family

vidar

Version

39.3

Botnet

931

https://bandakere.tumblr.com

Attributes

profile_id
931

Extracted

Family

redline

Botnet

135.181.221.121:34106

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/860-138-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/860-139-0x0000000000417DCE-mapping.dmp	family_redline
behavioral1/memory/860-143-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1468-135-0x0000000000320000-0x00000000003B7000-memory.dmp	family_vidar
behavioral1/memory/1468-136-0x0000000000400000-0x000000000093F000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

56F6.exe5F41.exe67BA.exe6E50.exenjbzhqtl.exe86E0.exe988D.exe9E48.exeA9FC.exeA9FC.exe

pid process

860 56F6.exe
940 5F41.exe
1868 67BA.exe
1824 6E50.exe
1424 njbzhqtl.exe
908 86E0.exe
1240 988D.exe
1468 9E48.exe
1488 A9FC.exe
860 A9FC.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

1200
Loads dropped DLL 2 IoCs

Processes:

5a9ae7b212ebc856dda3f75f372cec95.exeA9FC.exe

pid process

1500 5a9ae7b212ebc856dda3f75f372cec95.exe
1488 A9FC.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe

pid	process
860	56F6.exe
940	5F41.exe
1868	67BA.exe
1824	6E50.exe
1424	njbzhqtl.exe
908	86E0.exe
1240	988D.exe
1468	9E48.exe
1488	A9FC.exe
860	A9FC.exe

pid	process
1200

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5a9ae7b212ebc856dda3f75f372cec95.exenjbzhqtl.exeA9FC.exe

description	pid	process	target process
PID 1648 set thread context of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1424 set thread context of 1224	1424	njbzhqtl.exe	svchost.exe
PID 1488 set thread context of 860	1488	A9FC.exe	A9FC.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5a9ae7b212ebc856dda3f75f372cec95.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5a9ae7b212ebc856dda3f75f372cec95.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5a9ae7b212ebc856dda3f75f372cec95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5a9ae7b212ebc856dda3f75f372cec95.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b053d6feed20424edb47d450dd49d084297dce82e72baa49d1ffde47c7f1d31f0750185cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691dda834b7c35e4aa644490bdb1782de5955a01cffc8d3c74bbc4103d37f8a16e12d9874b7d0db8f2054991cfdb2470dd906d5d8dc4b5622dd79d420530ff942e569beb092d60b19d491ec485b67b23ec965d3491abee3571bbd91d5061cda5691dda834b7c35e5ac64c9d4b48421379bfd6d34fdc48c541de4da1b4f6f92e72f52edb47d440dd49d641bfb7c310814dda46d3731d68e541de4ac450531e3ac7312dd9a4c753dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad943c04cd	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6E50.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	6E50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6E50.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5a9ae7b212ebc856dda3f75f372cec95.exe

pid	process
1500	5a9ae7b212ebc856dda3f75f372cec95.exe
1500	5a9ae7b212ebc856dda3f75f372cec95.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1200
Suspicious behavior: MapViewOfSection 15 IoCs

Processes:

5a9ae7b212ebc856dda3f75f372cec95.exe

pid process

1500 5a9ae7b212ebc856dda3f75f372cec95.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

A9FC.exe

description pid process

Token: SeShutdownPrivilege 1200
Token: SeDebugPrivilege 1488 A9FC.exe
Token: SeShutdownPrivilege 1200
Token: SeShutdownPrivilege 1200
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1200
1200
1200
1200
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1200
1200
1200
1200
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

56F6.exe5F41.exe

pid process

860 56F6.exe
940 5F41.exe

pid	process
1200

description	pid	process
Token: SeShutdownPrivilege	1200
Token: SeDebugPrivilege	1488	A9FC.exe
Token: SeShutdownPrivilege	1200
Token: SeShutdownPrivilege	1200

pid	process
1200
1200
1200
1200

pid	process
1200
1200
1200
1200

pid	process
860	56F6.exe
940	5F41.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5a9ae7b212ebc856dda3f75f372cec95.exe67BA.exenjbzhqtl.exe

description	pid	process	target process
PID 1648 wrote to memory of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1648 wrote to memory of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1648 wrote to memory of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1648 wrote to memory of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1648 wrote to memory of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1648 wrote to memory of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1648 wrote to memory of 1500	1648	5a9ae7b212ebc856dda3f75f372cec95.exe	5a9ae7b212ebc856dda3f75f372cec95.exe
PID 1200 wrote to memory of 860	1200		56F6.exe
PID 1200 wrote to memory of 860	1200		56F6.exe
PID 1200 wrote to memory of 860	1200		56F6.exe
PID 1200 wrote to memory of 860	1200		56F6.exe
PID 1200 wrote to memory of 940	1200		5F41.exe
PID 1200 wrote to memory of 940	1200		5F41.exe
PID 1200 wrote to memory of 940	1200		5F41.exe
PID 1200 wrote to memory of 940	1200		5F41.exe
PID 1200 wrote to memory of 1868	1200		67BA.exe
PID 1200 wrote to memory of 1868	1200		67BA.exe
PID 1200 wrote to memory of 1868	1200		67BA.exe
PID 1200 wrote to memory of 1868	1200		67BA.exe
PID 1200 wrote to memory of 1824	1200		6E50.exe
PID 1200 wrote to memory of 1824	1200		6E50.exe
PID 1200 wrote to memory of 1824	1200		6E50.exe
PID 1200 wrote to memory of 1824	1200		6E50.exe
PID 1868 wrote to memory of 1336	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 1336	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 1336	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 1336	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 848	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 848	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 848	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 848	1868	67BA.exe	cmd.exe
PID 1868 wrote to memory of 1552	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 1552	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 1552	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 1552	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 1152	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 1152	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 1152	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 1152	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 556	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 556	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 556	1868	67BA.exe	sc.exe
PID 1868 wrote to memory of 556	1868	67BA.exe	sc.exe
PID 1200 wrote to memory of 908	1200		86E0.exe
PID 1200 wrote to memory of 908	1200		86E0.exe
PID 1200 wrote to memory of 908	1200		86E0.exe
PID 1200 wrote to memory of 908	1200		86E0.exe
PID 1868 wrote to memory of 944	1868	67BA.exe	netsh.exe
PID 1868 wrote to memory of 944	1868	67BA.exe	netsh.exe
PID 1868 wrote to memory of 944	1868	67BA.exe	netsh.exe
PID 1868 wrote to memory of 944	1868	67BA.exe	netsh.exe
PID 1200 wrote to memory of 1240	1200		988D.exe
PID 1200 wrote to memory of 1240	1200		988D.exe
PID 1200 wrote to memory of 1240	1200		988D.exe
PID 1200 wrote to memory of 1240	1200		988D.exe
PID 1424 wrote to memory of 1224	1424	njbzhqtl.exe	svchost.exe
PID 1424 wrote to memory of 1224	1424	njbzhqtl.exe	svchost.exe
PID 1424 wrote to memory of 1224	1424	njbzhqtl.exe	svchost.exe
PID 1424 wrote to memory of 1224	1424	njbzhqtl.exe	svchost.exe
PID 1424 wrote to memory of 1224	1424	njbzhqtl.exe	svchost.exe
PID 1424 wrote to memory of 1224	1424	njbzhqtl.exe	svchost.exe
PID 1200 wrote to memory of 1468	1200		9E48.exe
PID 1200 wrote to memory of 1468	1200		9E48.exe
PID 1200 wrote to memory of 1468	1200		9E48.exe

C:\Users\Admin\AppData\Local\Temp\5a9ae7b212ebc856dda3f75f372cec95.exe
"C:\Users\Admin\AppData\Local\Temp\5a9ae7b212ebc856dda3f75f372cec95.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\5a9ae7b212ebc856dda3f75f372cec95.exe
"C:\Users\Admin\AppData\Local\Temp\5a9ae7b212ebc856dda3f75f372cec95.exe"
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1500

C:\Users\Admin\AppData\Local\Temp\56F6.exe
C:\Users\Admin\AppData\Local\Temp\56F6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:860

C:\Users\Admin\AppData\Local\Temp\5F41.exe
C:\Users\Admin\AppData\Local\Temp\5F41.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940

C:\Users\Admin\AppData\Local\Temp\67BA.exe
C:\Users\Admin\AppData\Local\Temp\67BA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lhgbkmic\
2⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\njbzhqtl.exe" C:\Windows\SysWOW64\lhgbkmic\
2⤵
PID:848

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create lhgbkmic binPath= "C:\Windows\SysWOW64\lhgbkmic\njbzhqtl.exe /d\"C:\Users\Admin\AppData\Local\Temp\67BA.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1552

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description lhgbkmic "wifi internet conection"
2⤵
PID:1152

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start lhgbkmic
2⤵
PID:556

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\6E50.exe
C:\Users\Admin\AppData\Local\Temp\6E50.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1824

C:\Windows\SysWOW64\lhgbkmic\njbzhqtl.exe
C:\Windows\SysWOW64\lhgbkmic\njbzhqtl.exe /d"C:\Users\Admin\AppData\Local\Temp\67BA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1224

C:\Users\Admin\AppData\Local\Temp\86E0.exe
C:\Users\Admin\AppData\Local\Temp\86E0.exe
1⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\AppData\Local\Temp\988D.exe
C:\Users\Admin\AppData\Local\Temp\988D.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Temp\9E48.exe
C:\Users\Admin\AppData\Local\Temp\9E48.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\A9FC.exe
C:\Users\Admin\AppData\Local\Temp\A9FC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\A9FC.exe
C:\Users\Admin\AppData\Local\Temp\A9FC.exe
2⤵
- Executes dropped EXE
PID:860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1584

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1828

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1096

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56F6.exe

MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F41.exe

MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\67BA.exe

MD5
e980e3eaca8b32ab741a9483804a65aa

SHA1
49d97cad18acbf0678d97c39364292ef3ed01487

SHA256
9f8c6e33b172b30a5c94af7b30df429f87ec7c0cffb7f6b91afcba0210f6d58a

SHA512
3bca03123e6f760388c132339960c0137abf2af3fe12d14e2d98f62b83ab9f91a8ca21f23db9df3c6f7596ecaad3fef8fcebd8a36d7a16b312adf73b053b5caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\67BA.exe

MD5
e980e3eaca8b32ab741a9483804a65aa

SHA1
49d97cad18acbf0678d97c39364292ef3ed01487

SHA256
9f8c6e33b172b30a5c94af7b30df429f87ec7c0cffb7f6b91afcba0210f6d58a

SHA512
3bca03123e6f760388c132339960c0137abf2af3fe12d14e2d98f62b83ab9f91a8ca21f23db9df3c6f7596ecaad3fef8fcebd8a36d7a16b312adf73b053b5caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E50.exe

MD5
6652b49881dceedae99850f00639bff0

SHA1
0102a452d1e01e0cdd71a3abba5d5466b2a80505

SHA256
4415d0e588b7e01d745639afe4bf853e25bc6568dd1bfdc543e617380bd4b084

SHA512
c0bd47b68eb9e70aefad40c7a7e959aca67eecbf8537a78377f41704e135a9ffbfcec54e6e742572f8295598f2b7c511437b83204f864b18ff6cd9ce191fb35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\86E0.exe

MD5
572103ac4cecdf96fd25de9283680e82

SHA1
41f242adb6ba1c48bc1291410f40cdcae2ac2416

SHA256
4d7c54a3e59b356344a5880219532b00bae8b417a08423833cc92bb5410d4db1

SHA512
1aad5627b8ee2fce8f2d79778fb3b006d2a5d56fbae78bda65c00920512592371ca0dae91feb3ebe5a7035e73361633a00352f930ff1f340100e9da3c072dca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\988D.exe

MD5
572103ac4cecdf96fd25de9283680e82

SHA1
41f242adb6ba1c48bc1291410f40cdcae2ac2416

SHA256
4d7c54a3e59b356344a5880219532b00bae8b417a08423833cc92bb5410d4db1

SHA512
1aad5627b8ee2fce8f2d79778fb3b006d2a5d56fbae78bda65c00920512592371ca0dae91feb3ebe5a7035e73361633a00352f930ff1f340100e9da3c072dca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E48.exe

MD5
1aa964412e87da4656fde033a1719d3c

SHA1
e3a611781e830b06111fe82fd7c38125847ff243

SHA256
3bb3eb2e485c893ccd298f5a0813dcf57de87225c1688923bf928f5177cbbae1

SHA512
00e746d78975ba77051c9185b58179e8c4dcd27a0f147e0cf808591ce0122e99e64203bfdc9ca29efef87506d597c9564e4aad5a119ff65adf0ddd64e0ed2f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9FC.exe

MD5
bed30f24400ee4686628068cd324c17a

SHA1
5278f4605643e9f5fcc6cda33ce9cececa002598

SHA256
e9c2704e19759626252f4a973e95d7d1637f62ab8b51b8ffd3541121778cb4aa

SHA512
1e37dd00325e7d49e2a832fb8b748fe14c4962a928aa035db19c03076db68d913510cf5ed059edab44acae3f0837e3cfd8ed7a40652398ebf5cedf9fea3d4ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9FC.exe

MD5
bed30f24400ee4686628068cd324c17a

SHA1
5278f4605643e9f5fcc6cda33ce9cececa002598

SHA256
e9c2704e19759626252f4a973e95d7d1637f62ab8b51b8ffd3541121778cb4aa

SHA512
1e37dd00325e7d49e2a832fb8b748fe14c4962a928aa035db19c03076db68d913510cf5ed059edab44acae3f0837e3cfd8ed7a40652398ebf5cedf9fea3d4ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9FC.exe

MD5
bed30f24400ee4686628068cd324c17a

SHA1
5278f4605643e9f5fcc6cda33ce9cececa002598

SHA256
e9c2704e19759626252f4a973e95d7d1637f62ab8b51b8ffd3541121778cb4aa

SHA512
1e37dd00325e7d49e2a832fb8b748fe14c4962a928aa035db19c03076db68d913510cf5ed059edab44acae3f0837e3cfd8ed7a40652398ebf5cedf9fea3d4ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\njbzhqtl.exe

MD5
30ecd84c02c6e8db5e35ab2a674a6b98

SHA1
79fb2b6bc5e333e8c309bc6b5d3fab64bfcc50c6

SHA256
feced52b4a34cc8fa821d8196547528babb32c0b05fe1b956424022e1c36842d

SHA512
7b541904b5f9c9ea00ef0d8e3e43a0bed37308512c1d4d6b926156bb9fcabb454a3488546f7c7e90077603cbc7db9213848fc7db5c93011fa2fc88673c8071c6

Download Submit
C:\Windows\SysWOW64\lhgbkmic\njbzhqtl.exe

MD5
30ecd84c02c6e8db5e35ab2a674a6b98

SHA1
79fb2b6bc5e333e8c309bc6b5d3fab64bfcc50c6

SHA256
feced52b4a34cc8fa821d8196547528babb32c0b05fe1b956424022e1c36842d

SHA512
7b541904b5f9c9ea00ef0d8e3e43a0bed37308512c1d4d6b926156bb9fcabb454a3488546f7c7e90077603cbc7db9213848fc7db5c93011fa2fc88673c8071c6

Download Submit
\Users\Admin\AppData\Local\Temp\A9FC.exe

MD5
bed30f24400ee4686628068cd324c17a

SHA1
5278f4605643e9f5fcc6cda33ce9cececa002598

SHA256
e9c2704e19759626252f4a973e95d7d1637f62ab8b51b8ffd3541121778cb4aa

SHA512
1e37dd00325e7d49e2a832fb8b748fe14c4962a928aa035db19c03076db68d913510cf5ed059edab44acae3f0837e3cfd8ed7a40652398ebf5cedf9fea3d4ef5

Download Submit
\Users\Admin\AppData\Local\Temp\AE30.tmp

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/556-90-0x0000000000000000-mapping.dmp

Download
memory/808-142-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/808-137-0x0000000000000000-mapping.dmp

Download
memory/808-141-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/848-83-0x0000000000000000-mapping.dmp

Download
memory/860-66-0x0000000000000000-mapping.dmp

Download
memory/860-139-0x0000000000417DCE-mapping.dmp

Download
memory/860-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/860-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/860-148-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/908-104-0x00000000002E0000-0x0000000000371000-memory.dmp

Filesize
580KB

Download
memory/908-92-0x0000000000000000-mapping.dmp

Download
memory/908-106-0x0000000000400000-0x000000000092C000-memory.dmp

Filesize
5.2MB

Download
memory/920-145-0x0000000000000000-mapping.dmp

Download
memory/920-149-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/920-150-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/940-70-0x0000000000000000-mapping.dmp

Download
memory/944-94-0x0000000000000000-mapping.dmp

Download
memory/1096-133-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1096-129-0x0000000000000000-mapping.dmp

Download
memory/1096-131-0x0000000073F91000-0x0000000073F93000-memory.dmp

Filesize
8KB

Download
memory/1096-134-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1152-87-0x0000000000000000-mapping.dmp

Download
memory/1200-65-0x0000000002CA0000-0x0000000002CB7000-memory.dmp

Filesize
92KB

Download
memory/1224-100-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1224-101-0x0000000000089A6B-mapping.dmp

Download
memory/1240-96-0x0000000000000000-mapping.dmp

Download
memory/1240-124-0x0000000000400000-0x000000000092C000-memory.dmp

Filesize
5.2MB

Download
memory/1336-80-0x0000000000000000-mapping.dmp

Download
memory/1424-108-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/1460-151-0x0000000000000000-mapping.dmp

Download
memory/1460-153-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1460-152-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1468-136-0x0000000000400000-0x000000000093F000-memory.dmp

Filesize
5.2MB

Download
memory/1468-135-0x0000000000320000-0x00000000003B7000-memory.dmp

Filesize
604KB

Download
memory/1468-103-0x0000000000000000-mapping.dmp

Download
memory/1488-114-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/1488-121-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1488-110-0x0000000000000000-mapping.dmp

Download
memory/1500-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1500-60-0x0000000000402F68-mapping.dmp

Download
memory/1500-61-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1552-85-0x0000000000000000-mapping.dmp

Download
memory/1584-128-0x00000000000F0000-0x000000000015B000-memory.dmp

Filesize
428KB

Download
memory/1584-125-0x00000000001B0000-0x0000000000224000-memory.dmp

Filesize
464KB

Download
memory/1584-120-0x0000000074151000-0x0000000074153000-memory.dmp

Filesize
8KB

Download
memory/1584-113-0x0000000000000000-mapping.dmp

Download
memory/1628-154-0x0000000000000000-mapping.dmp

Download
memory/1648-63-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/1824-88-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1824-76-0x0000000000000000-mapping.dmp

Download
memory/1824-89-0x0000000000400000-0x000000000092C000-memory.dmp

Filesize
5.2MB

Download
memory/1828-126-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1828-127-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1828-123-0x0000000000000000-mapping.dmp

Download
memory/1868-74-0x0000000000000000-mapping.dmp

Download
memory/1868-81-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1868-82-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download