icedid | 9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35

Analysis

max time kernel
151s
max time network
149s
platform
windows10_x64
resource
win10-en-20211104
submitted
10-11-2021 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
Size

195KB
MD5

37f653cc837e9537c08838f7b36daa35
SHA1

7ece2be57742aebd48d4267e5d02ec255feb3724
SHA256

9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35
SHA512

c68f1e2c0f4f930bb734f5e557d78b809597e95b0554bac22e0a4c116b3f0c1b96fcd2c9d0303b23da79ee094f73ea8daaee81f3c78b6518645023b46c9c20be

Score

10^/10

icedid raccoon redline smokeloader 1217670233 2189c5f17d25883af847061b1a1ac5c6eaa79874 4557a7b982bafcd677193713fa5041fa32e7e61e 777666777 8dec62c1db2959619dca43e02fa46ad7bd606400 pub3 superstar test_3 backdoor banker discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

777666777

93.115.20.139:28978

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

icedid

Botnet

1217670233

lakogrefop.rest

hangetilin.top

follytresh.co

zojecurf.store

Attributes

auth_var
14
url_path
/posts/

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

redline

Botnet

pub3

185.215.113.46:80

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

4557a7b982bafcd677193713fa5041fa32e7e61e

Attributes

url4cnc
http://91.219.236.162/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
http://193.38.54.238/agrybirdsgamerept
http://74.119.192.122/agrybirdsgamerept
http://91.219.236.240/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

Test_3

94.103.9.139:80

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

2189c5f17d25883af847061b1a1ac5c6eaa79874

Attributes

url4cnc
http://91.219.236.162/roswestnewros
http://185.163.47.176/roswestnewros
http://193.38.54.238/roswestnewros
http://74.119.192.122/roswestnewros
http://91.219.236.240/roswestnewros
https://t.me/roswestnewros

rc4.plain

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3832-137-0x0000000002A20000-0x0000000002A3B000-memory.dmp	family_redline
behavioral1/memory/648-146-0x0000000000440000-0x00000000004EE000-memory.dmp	family_redline
behavioral1/memory/1628-157-0x0000000002410000-0x000000000242C000-memory.dmp	family_redline
behavioral1/memory/1628-159-0x00000000025D0000-0x00000000025EB000-memory.dmp	family_redline
behavioral1/memory/2128-200-0x0000000004BA0000-0x0000000004BCD000-memory.dmp	family_redline
behavioral1/memory/2128-202-0x0000000004C20000-0x0000000004C4C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\AFCC.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\AFCC.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4616 created 4916	4616	WerFault.exe	98E8.exe
PID 2120 created 2352	2120	WerFault.exe	F62E.exe
PID 2204 created 2352	2204	WerFault.exe	F62E.exe
PID 2876 created 2728	2876	WerFault.exe	45E4.exe

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

F770.exeF770.exe1078.exe1A5C.exe2922.exe2922.exe45E4.exe45E4.exe6A55.exe98E8.exeAFCC.exeCE13.exeF62E.exe

pid	process
4484	F770.exe
3728	F770.exe
3832	1078.exe
648	1A5C.exe
408	2922.exe
1628	2922.exe
2716	45E4.exe
2728	45E4.exe
2128	6A55.exe
4916	98E8.exe
1404	AFCC.exe
4816	CE13.exe
2352	F62E.exe

Deletes itself 1 IoCs

Processes:

pid process

2436
Loads dropped DLL 2 IoCs

Processes:

1A5C.exeregsvr32.exe

pid process

648 1A5C.exe
2640 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2436

pid	process
648	1A5C.exe
2640	regsvr32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exeF770.exe2922.exe45E4.exe

description	pid	process	target process
PID 3724 set thread context of 4076	3724	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
PID 4484 set thread context of 3728	4484	F770.exe	F770.exe
PID 408 set thread context of 1628	408	2922.exe	2922.exe
PID 2716 set thread context of 2728	2716	45E4.exe	45E4.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4616 4916 WerFault.exe 98E8.exe
2120 2352 WerFault.exe F62E.exe
2204 2352 WerFault.exe F62E.exe
2876 2728 WerFault.exe 45E4.exe

pid	pid_target	process	target process
4616	4916	WerFault.exe	98E8.exe
2120	2352	WerFault.exe	F62E.exe
2204	2352	WerFault.exe	F62E.exe
2876	2728	WerFault.exe	45E4.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exeF770.exe1A5C.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F770.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F770.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1A5C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1A5C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1A5C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F770.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe

pid	process
4076	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
4076	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2436
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exeF770.exe1A5C.exe

pid process

4076 9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
3728 F770.exe
648 1A5C.exe

pid	process
2436

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

1078.exe6A55.exeWerFault.exeAFCC.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeDebugPrivilege	3832	1078.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeDebugPrivilege	2128	6A55.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeRestorePrivilege	4616	WerFault.exe
Token: SeBackupPrivilege	4616	WerFault.exe
Token: SeDebugPrivilege	4616	WerFault.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeDebugPrivilege	1404	AFCC.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeDebugPrivilege	2120	WerFault.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeDebugPrivilege	2876	WerFault.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exeF770.exe2922.exe45E4.exe

description	pid	process	target process
PID 3724 wrote to memory of 4076	3724	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
PID 3724 wrote to memory of 4076	3724	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
PID 3724 wrote to memory of 4076	3724	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
PID 3724 wrote to memory of 4076	3724	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
PID 3724 wrote to memory of 4076	3724	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
PID 3724 wrote to memory of 4076	3724	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe	9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
PID 2436 wrote to memory of 4484	2436		F770.exe
PID 2436 wrote to memory of 4484	2436		F770.exe
PID 2436 wrote to memory of 4484	2436		F770.exe
PID 4484 wrote to memory of 3728	4484	F770.exe	F770.exe
PID 4484 wrote to memory of 3728	4484	F770.exe	F770.exe
PID 4484 wrote to memory of 3728	4484	F770.exe	F770.exe
PID 4484 wrote to memory of 3728	4484	F770.exe	F770.exe
PID 4484 wrote to memory of 3728	4484	F770.exe	F770.exe
PID 4484 wrote to memory of 3728	4484	F770.exe	F770.exe
PID 2436 wrote to memory of 3832	2436		1078.exe
PID 2436 wrote to memory of 3832	2436		1078.exe
PID 2436 wrote to memory of 648	2436		1A5C.exe
PID 2436 wrote to memory of 648	2436		1A5C.exe
PID 2436 wrote to memory of 648	2436		1A5C.exe
PID 2436 wrote to memory of 408	2436		2922.exe
PID 2436 wrote to memory of 408	2436		2922.exe
PID 2436 wrote to memory of 408	2436		2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 408 wrote to memory of 1628	408	2922.exe	2922.exe
PID 2436 wrote to memory of 2640	2436		regsvr32.exe
PID 2436 wrote to memory of 2640	2436		regsvr32.exe
PID 2436 wrote to memory of 2716	2436		45E4.exe
PID 2436 wrote to memory of 2716	2436		45E4.exe
PID 2436 wrote to memory of 2716	2436		45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2716 wrote to memory of 2728	2716	45E4.exe	45E4.exe
PID 2436 wrote to memory of 2128	2436		6A55.exe
PID 2436 wrote to memory of 2128	2436		6A55.exe
PID 2436 wrote to memory of 2128	2436		6A55.exe
PID 2436 wrote to memory of 4916	2436		98E8.exe
PID 2436 wrote to memory of 4916	2436		98E8.exe
PID 2436 wrote to memory of 4916	2436		98E8.exe
PID 2436 wrote to memory of 1404	2436		AFCC.exe
PID 2436 wrote to memory of 1404	2436		AFCC.exe
PID 2436 wrote to memory of 1404	2436		AFCC.exe
PID 2436 wrote to memory of 4816	2436		CE13.exe
PID 2436 wrote to memory of 4816	2436		CE13.exe
PID 2436 wrote to memory of 4816	2436		CE13.exe
PID 2436 wrote to memory of 2352	2436		F62E.exe
PID 2436 wrote to memory of 2352	2436		F62E.exe

C:\Users\Admin\AppData\Local\Temp\9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
"C:\Users\Admin\AppData\Local\Temp\9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe
"C:\Users\Admin\AppData\Local\Temp\9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4076

C:\Users\Admin\AppData\Local\Temp\F770.exe
C:\Users\Admin\AppData\Local\Temp\F770.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\F770.exe
C:\Users\Admin\AppData\Local\Temp\F770.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3728

C:\Users\Admin\AppData\Local\Temp\1078.exe
C:\Users\Admin\AppData\Local\Temp\1078.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Users\Admin\AppData\Local\Temp\1A5C.exe
C:\Users\Admin\AppData\Local\Temp\1A5C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:648

C:\Users\Admin\AppData\Local\Temp\2922.exe
C:\Users\Admin\AppData\Local\Temp\2922.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\2922.exe
C:\Users\Admin\AppData\Local\Temp\2922.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\375C.dll
1⤵
- Loads dropped DLL
PID:2640

C:\Users\Admin\AppData\Local\Temp\45E4.exe
C:\Users\Admin\AppData\Local\Temp\45E4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\45E4.exe
C:\Users\Admin\AppData\Local\Temp\45E4.exe
2⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1244
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Admin\AppData\Local\Temp\6A55.exe
C:\Users\Admin\AppData\Local\Temp\6A55.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Users\Admin\AppData\Local\Temp\98E8.exe
C:\Users\Admin\AppData\Local\Temp\98E8.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 680
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\AFCC.exe
C:\Users\Admin\AppData\Local\Temp\AFCC.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\AppData\Local\Temp\CE13.exe
C:\Users\Admin\AppData\Local\Temp\CE13.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\F62E.exe
C:\Users\Admin\AppData\Local\Temp\F62E.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2352 -s 980
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2352 -s 996
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1078.exe
MD5
605ade73eb76236d94daaea50024fe68

SHA1
b8f50f7fb8d667535d13c6209c4c7b0931ac910f

SHA256
b0a234a0ddd049c4ae39faf49146ae213163e1d930327b98f1521117f12e3022

SHA512
ea6611e9accf6323d6337292cbfa6edc4d08d7c0ed58b41d5a6274b2487ba34d6f80a6b931befb924cfdf22acde223a5a777142146c6001c6179e7a98bcf3926

Download Submit
C:\Users\Admin\AppData\Local\Temp\1078.exe
MD5
605ade73eb76236d94daaea50024fe68

SHA1
b8f50f7fb8d667535d13c6209c4c7b0931ac910f

SHA256
b0a234a0ddd049c4ae39faf49146ae213163e1d930327b98f1521117f12e3022

SHA512
ea6611e9accf6323d6337292cbfa6edc4d08d7c0ed58b41d5a6274b2487ba34d6f80a6b931befb924cfdf22acde223a5a777142146c6001c6179e7a98bcf3926

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A5C.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A5C.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\2922.exe
MD5
af448dbb20e9ada285adcba4a8adf687

SHA1
d9111443e49c632561b107821d00389d5b86be30

SHA256
d284e79c9aa8eb1a6cc09367ed9bdeff1ba9c7c91158689b9635b74316d2fdcf

SHA512
74079013fb15cb9c83d940e77cca187c259ac2b7cfd2476212961e3ee465c14e238bc420537d59a528107ead5af0a5bc11c7170b36b3a47f359c64e8f78647b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2922.exe
MD5
af448dbb20e9ada285adcba4a8adf687

SHA1
d9111443e49c632561b107821d00389d5b86be30

SHA256
d284e79c9aa8eb1a6cc09367ed9bdeff1ba9c7c91158689b9635b74316d2fdcf

SHA512
74079013fb15cb9c83d940e77cca187c259ac2b7cfd2476212961e3ee465c14e238bc420537d59a528107ead5af0a5bc11c7170b36b3a47f359c64e8f78647b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2922.exe
MD5
af448dbb20e9ada285adcba4a8adf687

SHA1
d9111443e49c632561b107821d00389d5b86be30

SHA256
d284e79c9aa8eb1a6cc09367ed9bdeff1ba9c7c91158689b9635b74316d2fdcf

SHA512
74079013fb15cb9c83d940e77cca187c259ac2b7cfd2476212961e3ee465c14e238bc420537d59a528107ead5af0a5bc11c7170b36b3a47f359c64e8f78647b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\375C.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
C:\Users\Admin\AppData\Local\Temp\45E4.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\45E4.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\45E4.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A55.exe
MD5
ff5f9201e8bca81a126ea15a536e5eed

SHA1
9c009acb34a16c0a185df24d362da1b690003978

SHA256
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

SHA512
1b3c7e2cad142bbfe8529633b4a8e53f68a3319579a94cfa4e8019628113ea4b341ea397cb5c2e64eda971c5fd07d88f1d3af4f673385f262b5f6a67a2e2f4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A55.exe
MD5
ff5f9201e8bca81a126ea15a536e5eed

SHA1
9c009acb34a16c0a185df24d362da1b690003978

SHA256
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

SHA512
1b3c7e2cad142bbfe8529633b4a8e53f68a3319579a94cfa4e8019628113ea4b341ea397cb5c2e64eda971c5fd07d88f1d3af4f673385f262b5f6a67a2e2f4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\98E8.exe
MD5
32d1f43f6f402559aa26264ba08efa86

SHA1
c06823d7fd884c96b37cbcad5d46a52a2b72a321

SHA256
c7e5929e15455c8d22fd02254b990f1674156c3c72e3b3a67122f145d2629d3c

SHA512
5b6490ebab4dc658162cfdd7b3f6f5be205bd4b61d19553570fd782e940a0cffcd6ed7d73c8bc78c658de5d3aee432dde559e112138f17b3ec6e3662e5cbf3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\98E8.exe
MD5
32d1f43f6f402559aa26264ba08efa86

SHA1
c06823d7fd884c96b37cbcad5d46a52a2b72a321

SHA256
c7e5929e15455c8d22fd02254b990f1674156c3c72e3b3a67122f145d2629d3c

SHA512
5b6490ebab4dc658162cfdd7b3f6f5be205bd4b61d19553570fd782e940a0cffcd6ed7d73c8bc78c658de5d3aee432dde559e112138f17b3ec6e3662e5cbf3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFCC.exe
MD5
17b57e346f1b5eecc8a37dd405eb5b76

SHA1
f120c1acd341ceff5e35c8891c007406ff8986bc

SHA256
2da5e33b3e0a7bf86bbd2e28d6214b10c835d98ebebd0eb1e0f35c195613dc94

SHA512
79c39cad1ca5aad3d568a0e1665ffeea02e546dacbde42132e26944d99caf87dc6f9e5b0db98c9077911d3cb210607a43e12d0b242aec77b2a3755bb588b9208

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFCC.exe
MD5
17b57e346f1b5eecc8a37dd405eb5b76

SHA1
f120c1acd341ceff5e35c8891c007406ff8986bc

SHA256
2da5e33b3e0a7bf86bbd2e28d6214b10c835d98ebebd0eb1e0f35c195613dc94

SHA512
79c39cad1ca5aad3d568a0e1665ffeea02e546dacbde42132e26944d99caf87dc6f9e5b0db98c9077911d3cb210607a43e12d0b242aec77b2a3755bb588b9208

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE13.exe
MD5
d38f72f91b415e8ee3f88052b82233b3

SHA1
51dfe99bd3b0c341e697028e9feeb3385f2f3d7d

SHA256
d65b11b26599c30b502424c096e78eaaf7556a7623451993e941a9d31e019b19

SHA512
c4048cc3f5edde0b6a3ad7b39f35625c1eb25a4d46130df7b002161bbc571ebdec65f1b7b8b1477fcb899fb71d66503d6051802241d6b646813405055d27a8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE13.exe
MD5
d38f72f91b415e8ee3f88052b82233b3

SHA1
51dfe99bd3b0c341e697028e9feeb3385f2f3d7d

SHA256
d65b11b26599c30b502424c096e78eaaf7556a7623451993e941a9d31e019b19

SHA512
c4048cc3f5edde0b6a3ad7b39f35625c1eb25a4d46130df7b002161bbc571ebdec65f1b7b8b1477fcb899fb71d66503d6051802241d6b646813405055d27a8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F62E.exe
MD5
a2f1723a929663a1587146a4f6b384ee

SHA1
66c0e7e74c593196e0925a7b654e09258e3b1fb7

SHA256
fde991b388f65473179077821d9dd72876acbc3c45abae6f074d12ea9bf2f9cb

SHA512
dfc59cac45fc4fd4efc612a68e1cb9f239f9a7a215dc2dd98ea76a2683f020f589c0bdb390158d380487a0c6c12c4a183588862b6b8fa07bf81940f26827ae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\F62E.exe
MD5
a2f1723a929663a1587146a4f6b384ee

SHA1
66c0e7e74c593196e0925a7b654e09258e3b1fb7

SHA256
fde991b388f65473179077821d9dd72876acbc3c45abae6f074d12ea9bf2f9cb

SHA512
dfc59cac45fc4fd4efc612a68e1cb9f239f9a7a215dc2dd98ea76a2683f020f589c0bdb390158d380487a0c6c12c4a183588862b6b8fa07bf81940f26827ae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\F770.exe
MD5
37f653cc837e9537c08838f7b36daa35

SHA1
7ece2be57742aebd48d4267e5d02ec255feb3724

SHA256
9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35

SHA512
c68f1e2c0f4f930bb734f5e557d78b809597e95b0554bac22e0a4c116b3f0c1b96fcd2c9d0303b23da79ee094f73ea8daaee81f3c78b6518645023b46c9c20be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F770.exe
MD5
37f653cc837e9537c08838f7b36daa35

SHA1
7ece2be57742aebd48d4267e5d02ec255feb3724

SHA256
9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35

SHA512
c68f1e2c0f4f930bb734f5e557d78b809597e95b0554bac22e0a4c116b3f0c1b96fcd2c9d0303b23da79ee094f73ea8daaee81f3c78b6518645023b46c9c20be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F770.exe
MD5
37f653cc837e9537c08838f7b36daa35

SHA1
7ece2be57742aebd48d4267e5d02ec255feb3724

SHA256
9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35

SHA512
c68f1e2c0f4f930bb734f5e557d78b809597e95b0554bac22e0a4c116b3f0c1b96fcd2c9d0303b23da79ee094f73ea8daaee81f3c78b6518645023b46c9c20be

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\375C.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
memory/408-165-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/408-166-0x00000000020B0000-0x00000000020E0000-memory.dmp

Filesize
192KB

Download
memory/408-150-0x0000000000000000-mapping.dmp

Download
memory/648-147-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/648-146-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/648-142-0x0000000000000000-mapping.dmp

Download
memory/648-148-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-235-0x0000000005380000-0x0000000005986000-memory.dmp

Filesize
6.0MB

Download
memory/1404-225-0x0000000000000000-mapping.dmp

Download
memory/1404-241-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/1404-228-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1628-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-164-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1628-159-0x00000000025D0000-0x00000000025EB000-memory.dmp

Filesize
108KB

Download
memory/1628-160-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1628-161-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1628-162-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1628-163-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1628-158-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/1628-157-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/1628-155-0x000000000040CD2F-mapping.dmp

Download
memory/1628-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-168-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1628-169-0x0000000002442000-0x0000000002443000-memory.dmp

Filesize
4KB

Download
memory/1628-170-0x0000000002443000-0x0000000002444000-memory.dmp

Filesize
4KB

Download
memory/1628-171-0x0000000002444000-0x0000000002446000-memory.dmp

Filesize
8KB

Download
memory/2128-214-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/2128-210-0x0000000007292000-0x0000000007293000-memory.dmp

Filesize
4KB

Download
memory/2128-200-0x0000000004BA0000-0x0000000004BCD000-memory.dmp

Filesize
180KB

Download
memory/2128-195-0x0000000000000000-mapping.dmp

Download
memory/2128-202-0x0000000004C20000-0x0000000004C4C000-memory.dmp

Filesize
176KB

Download
memory/2128-209-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/2128-208-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/2128-211-0x0000000007293000-0x0000000007294000-memory.dmp

Filesize
4KB

Download
memory/2128-199-0x0000000002B60000-0x0000000002C0E000-memory.dmp

Filesize
696KB

Download
memory/2128-212-0x0000000007294000-0x0000000007296000-memory.dmp

Filesize
8KB

Download
memory/2128-213-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/2128-215-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

Filesize
4KB

Download
memory/2128-216-0x00000000090D0000-0x00000000090D1000-memory.dmp

Filesize
4KB

Download
memory/2128-221-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/2128-220-0x0000000009300000-0x0000000009301000-memory.dmp

Filesize
4KB

Download
memory/2352-250-0x0000000000000000-mapping.dmp

Download
memory/2352-253-0x00007FFB732C0000-0x00007FFB73CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2352-254-0x000000001ADA0000-0x000000001AF40000-memory.dmp

Filesize
1.6MB

Download
memory/2352-255-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2352-256-0x00007FFB8F150000-0x00007FFB8F151000-memory.dmp

Filesize
4KB

Download
memory/2352-257-0x00007FFB8F350000-0x00007FFB8F351000-memory.dmp

Filesize
4KB

Download
memory/2436-133-0x0000000001510000-0x0000000001526000-memory.dmp

Filesize
88KB

Download
memory/2436-122-0x0000000001340000-0x0000000001356000-memory.dmp

Filesize
88KB

Download
memory/2436-174-0x0000000003370000-0x0000000003386000-memory.dmp

Filesize
88KB

Download
memory/2640-178-0x0000000000670000-0x00000000006A7000-memory.dmp

Filesize
220KB

Download
memory/2640-175-0x0000000000000000-mapping.dmp

Download
memory/2716-188-0x0000000002240000-0x00000000022A3000-memory.dmp

Filesize
396KB

Download
memory/2716-179-0x0000000000000000-mapping.dmp

Download
memory/2716-183-0x00000000021B0000-0x0000000002233000-memory.dmp

Filesize
524KB

Download
memory/2716-182-0x0000000000650000-0x00000000006C7000-memory.dmp

Filesize
476KB

Download
memory/2716-189-0x00000000022B0000-0x0000000002320000-memory.dmp

Filesize
448KB

Download
memory/2716-184-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2728-186-0x0000000000402998-mapping.dmp

Download
memory/2728-194-0x00000000006E0000-0x000000000076E000-memory.dmp

Filesize
568KB

Download
memory/2728-192-0x0000000000690000-0x00000000006DE000-memory.dmp

Filesize
312KB

Download
memory/2728-193-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-191-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-190-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-185-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3724-121-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/3724-120-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/3728-127-0x0000000000402DC6-mapping.dmp

Download
memory/3832-173-0x000000001F380000-0x000000001F381000-memory.dmp

Filesize
4KB

Download
memory/3832-139-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3832-153-0x000000001D760000-0x000000001D761000-memory.dmp

Filesize
4KB

Download
memory/3832-149-0x000000001D980000-0x000000001D981000-memory.dmp

Filesize
4KB

Download
memory/3832-134-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3832-140-0x000000001D7A0000-0x000000001D7A1000-memory.dmp

Filesize
4KB

Download
memory/3832-130-0x0000000000000000-mapping.dmp

Download
memory/3832-141-0x0000000002A60000-0x0000000002A62000-memory.dmp

Filesize
8KB

Download
memory/3832-137-0x0000000002A20000-0x0000000002A3B000-memory.dmp

Filesize
108KB

Download
memory/3832-136-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3832-172-0x000000001EC80000-0x000000001EC81000-memory.dmp

Filesize
4KB

Download
memory/3832-138-0x000000001D870000-0x000000001D871000-memory.dmp

Filesize
4KB

Download
memory/4076-119-0x0000000000402DC6-mapping.dmp

Download
memory/4076-118-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4484-123-0x0000000000000000-mapping.dmp

Download
memory/4484-129-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/4816-247-0x0000000002090000-0x00000000020DF000-memory.dmp

Filesize
316KB

Download
memory/4816-248-0x00000000020F0000-0x000000000217F000-memory.dmp

Filesize
572KB

Download
memory/4816-249-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4816-242-0x0000000000000000-mapping.dmp

Download
memory/4916-223-0x0000000002150000-0x00000000021DF000-memory.dmp

Filesize
572KB

Download
memory/4916-217-0x0000000000000000-mapping.dmp

Download
memory/4916-222-0x0000000000600000-0x000000000064F000-memory.dmp

Filesize
316KB

Download
memory/4916-224-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download