77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44

Analysis

max time kernel
151s
max time network
122s
platform
windows10_x64
resource
win10-en-20211208
submitted
18-12-2021 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encomendas010-5u44cr2luF.msi
Size

578KB
MD5

d1c43bb1c9758eee8d2643731af9be7f
SHA1

0614681917d21a1d06492583561643599d12d5ac
SHA256

77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44
SHA512

880ca382078957b3b27c289a9696ceac0add7140b11bfa1bd5335d92361682d43ed3d6c6166433dc90e6e7ecb20dffbb6e4bccd887c6cd15fd2478875ba12039

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

23 3140 MsiExec.exe
Executes dropped EXE 1 IoCs

Processes:

b0Nn2Nvdm.exe

pid process

2484 b0Nn2Nvdm.exe

flow	pid	process
23	3140	MsiExec.exe

pid	process
2484	b0Nn2Nvdm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b0Nn2Nvdm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b0Nn2Nvdm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b0Nn2Nvdm.exe

Drops startup file 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GEYMOSAQDD.lnk MsiExec.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exeb0Nn2Nvdm.exe

pid process

3140 MsiExec.exe
3140 MsiExec.exe
3140 MsiExec.exe
3140 MsiExec.exe
2484 b0Nn2Nvdm.exe
2484 b0Nn2Nvdm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GEYMOSAQDD.lnk	MsiExec.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\UgEn7uiSOWCW2z\imgengine.dll	themida
\UgEn7uiSOWCW2z\imgengine.dll	themida
behavioral2/memory/2484-178-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral2/memory/2484-179-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral2/memory/2484-180-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral2/memory/2484-181-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral2/memory/2484-182-0x0000000000400000-0x0000000002245000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\nimdA = "\"C:\\with_NintendoÂ®\\ddnxanD.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\Microsoft\Windows\CurrentVersion\Run	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\GEYMOSAQDD = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GEYMOSAQDD.lnk"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

b0Nn2Nvdm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b0Nn2Nvdm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0Nn2Nvdm.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

b0Nn2Nvdm.exe

pid process

2484 b0Nn2Nvdm.exe

pid	process
2484	b0Nn2Nvdm.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA686.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f759e35.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2EA.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1EB7D3DC-337E-42DB-B3A5-B90FDB49D1FF}	msiexec.exe
File created	C:\Windows\Installer\f759e35.msi	msiexec.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exepowershell.exeb0Nn2Nvdm.exe

pid	process
3952	msiexec.exe
3952	msiexec.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b0Nn2Nvdm.exe

pid process

2484 b0Nn2Nvdm.exe

pid	process
2484	b0Nn2Nvdm.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3348	msiexec.exe
Token: SeSecurityPrivilege	3952	msiexec.exe
Token: SeCreateTokenPrivilege	3348	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3348	msiexec.exe
Token: SeLockMemoryPrivilege	3348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3348	msiexec.exe
Token: SeMachineAccountPrivilege	3348	msiexec.exe
Token: SeTcbPrivilege	3348	msiexec.exe
Token: SeSecurityPrivilege	3348	msiexec.exe
Token: SeTakeOwnershipPrivilege	3348	msiexec.exe
Token: SeLoadDriverPrivilege	3348	msiexec.exe
Token: SeSystemProfilePrivilege	3348	msiexec.exe
Token: SeSystemtimePrivilege	3348	msiexec.exe
Token: SeProfSingleProcessPrivilege	3348	msiexec.exe
Token: SeIncBasePriorityPrivilege	3348	msiexec.exe
Token: SeCreatePagefilePrivilege	3348	msiexec.exe
Token: SeCreatePermanentPrivilege	3348	msiexec.exe
Token: SeBackupPrivilege	3348	msiexec.exe
Token: SeRestorePrivilege	3348	msiexec.exe
Token: SeShutdownPrivilege	3348	msiexec.exe
Token: SeDebugPrivilege	3348	msiexec.exe
Token: SeAuditPrivilege	3348	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3348	msiexec.exe
Token: SeChangeNotifyPrivilege	3348	msiexec.exe
Token: SeRemoteShutdownPrivilege	3348	msiexec.exe
Token: SeUndockPrivilege	3348	msiexec.exe
Token: SeSyncAgentPrivilege	3348	msiexec.exe
Token: SeEnableDelegationPrivilege	3348	msiexec.exe
Token: SeManageVolumePrivilege	3348	msiexec.exe
Token: SeImpersonatePrivilege	3348	msiexec.exe
Token: SeCreateGlobalPrivilege	3348	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeDebugPrivilege	4524	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exeMsiExec.exeb0Nn2Nvdm.exe

pid process

3348 msiexec.exe
3140 MsiExec.exe
3348 msiexec.exe
2484 b0Nn2Nvdm.exe

pid	process
3348	msiexec.exe
3140	MsiExec.exe
3348	msiexec.exe
2484	b0Nn2Nvdm.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

MsiExec.exeb0Nn2Nvdm.exe

pid	process
3140	MsiExec.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe
2484	b0Nn2Nvdm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

msiexec.exeMsiExec.exepowershell.exeb0Nn2Nvdm.execmd.exe

description	pid	process	target process
PID 3952 wrote to memory of 3140	3952	msiexec.exe	MsiExec.exe
PID 3952 wrote to memory of 3140	3952	msiexec.exe	MsiExec.exe
PID 3952 wrote to memory of 3140	3952	msiexec.exe	MsiExec.exe
PID 3140 wrote to memory of 4524	3140	MsiExec.exe	powershell.exe
PID 3140 wrote to memory of 4524	3140	MsiExec.exe	powershell.exe
PID 3140 wrote to memory of 4524	3140	MsiExec.exe	powershell.exe
PID 4524 wrote to memory of 2484	4524	powershell.exe	b0Nn2Nvdm.exe
PID 4524 wrote to memory of 2484	4524	powershell.exe	b0Nn2Nvdm.exe
PID 2484 wrote to memory of 4808	2484	b0Nn2Nvdm.exe	cmd.exe
PID 2484 wrote to memory of 4808	2484	b0Nn2Nvdm.exe	cmd.exe
PID 4808 wrote to memory of 4900	4808	cmd.exe	reg.exe
PID 4808 wrote to memory of 4900	4808	cmd.exe	reg.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\encomendas010-5u44cr2luF.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A67E577C0AEAFC390E027BE5C7B38AE
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 6;Invoke-Item 'GEYMOSAQDD.lnk'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\UgEn7uiSOWCW2z\b0Nn2Nvdm.exe
      "C:\UgEn7uiSOWCW2z\b0Nn2Nvdm.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "nimdA" /t REG_SZ /F /D "\"C:\with_NintendoÂ®\ddnxanD.exe\"" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "nimdA" /t REG_SZ /F /D "\"C:\with_NintendoÂ®\ddnxanD.exe\""
        6⤵
        Adds Run key to start application
        
        PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UgEn7uiSOWCW2z\b0Nn2Nvdm.exe

MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
C:\UgEn7uiSOWCW2z\b0Nn2Nvdm.exe

MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
C:\UgEn7uiSOWCW2z\imgengine.dll

MD5
ef7de8e17a46bbb875ff5b48a5111f75

SHA1
1758ad8c4574dc8aba71ef4e541dd78579853826

SHA256
4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82

SHA512
0a7a0316856c766fb0ec8dae0519acb480d3e1c738c4a2ba442cb8cc5e67b920839ade09bc69e54eb406bb4575cae9fd1958512c25a826e134d4d036b744fd80

Download Submit
C:\UgEn7uiSOWCW2z\sptdintf.dll

MD5
5b91b8ef0dd74486bcaa38004417e565

SHA1
01c5cfc191ca8006b43f355ee41a35ad49c34fd4

SHA256
7353ea393051b369f92e230459d6904f88938e1ef94562aaa86342b9aaea7762

SHA512
aedbfb925e23e216dd0b03e6e26c1852ecfdee6a79662ce327e4213cda8d97eac2d9dc4d86f65a287c1346ec1d57573135711f941fd98acecdfa6215ec4b3ab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GEYMOSAQDD.lnk

MD5
efb8469048215d0998bfbaf9f398c16f

SHA1
ddc7bc18072c0ad7946461878d9a1ae3fc8bad8b

SHA256
910848fb4292d1ff4b98f006f1da1a09717ae0c12a4bd597194fea7562f3964a

SHA512
8655012881d5bd52ce1c5c3a5cf261fc60fc461b57be319527c484203bac2260857ef78b93c9a0cb4454adc53893f2a7455bd251c64472a7535bed239767db7a

Download Submit
C:\Windows\Installer\MSI9EA2.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
C:\Windows\Installer\MSIA1D0.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
C:\Windows\Installer\MSIA2EA.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
C:\Windows\Installer\MSIA3C6.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\UgEn7uiSOWCW2z\imgengine.dll

MD5
ef7de8e17a46bbb875ff5b48a5111f75

SHA1
1758ad8c4574dc8aba71ef4e541dd78579853826

SHA256
4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82

SHA512
0a7a0316856c766fb0ec8dae0519acb480d3e1c738c4a2ba442cb8cc5e67b920839ade09bc69e54eb406bb4575cae9fd1958512c25a826e134d4d036b744fd80

Download Submit
\UgEn7uiSOWCW2z\sptdintf.dll

MD5
5b91b8ef0dd74486bcaa38004417e565

SHA1
01c5cfc191ca8006b43f355ee41a35ad49c34fd4

SHA256
7353ea393051b369f92e230459d6904f88938e1ef94562aaa86342b9aaea7762

SHA512
aedbfb925e23e216dd0b03e6e26c1852ecfdee6a79662ce327e4213cda8d97eac2d9dc4d86f65a287c1346ec1d57573135711f941fd98acecdfa6215ec4b3ab1

Download Submit
\Windows\Installer\MSI9EA2.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\Windows\Installer\MSIA1D0.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\Windows\Installer\MSIA2EA.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\Windows\Installer\MSIA3C6.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
memory/2484-181-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2484-183-0x0000017F40E60000-0x0000017F40E61000-memory.dmp

Filesize
4KB

Download
memory/2484-170-0x0000000000000000-mapping.dmp

Download
memory/2484-180-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2484-179-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2484-178-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2484-182-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/3140-120-0x0000000000000000-mapping.dmp

Download
memory/3140-121-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3140-122-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3348-117-0x0000023C341E0000-0x0000023C341E2000-memory.dmp

Filesize
8KB

Download
memory/3348-116-0x0000023C341E0000-0x0000023C341E2000-memory.dmp

Filesize
8KB

Download
memory/3952-118-0x000001B762490000-0x000001B762492000-memory.dmp

Filesize
8KB

Download
memory/3952-119-0x000001B762490000-0x000001B762492000-memory.dmp

Filesize
8KB

Download
memory/4524-139-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/4524-140-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/4524-152-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/4524-153-0x0000000009550000-0x0000000009551000-memory.dmp

Filesize
4KB

Download
memory/4524-154-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

Filesize
4KB

Download
memory/4524-159-0x000000000A770000-0x000000000A771000-memory.dmp

Filesize
4KB

Download
memory/4524-145-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4524-144-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/4524-143-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/4524-142-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/4524-141-0x00000000072C2000-0x00000000072C3000-memory.dmp

Filesize
4KB

Download
memory/4524-151-0x00000000095C0000-0x00000000095C1000-memory.dmp

Filesize
4KB

Download
memory/4524-138-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/4524-137-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/4524-176-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4524-177-0x00000000072C3000-0x00000000072C4000-memory.dmp

Filesize
4KB

Download
memory/4524-136-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/4524-135-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/4524-134-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4524-133-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4524-132-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4524-131-0x0000000000000000-mapping.dmp

Download
memory/4808-184-0x0000000000000000-mapping.dmp

Download
memory/4900-185-0x0000000000000000-mapping.dmp

Download