5dcf34f35a1874d190c81c7197785c4f4f9305842918fc70fe9d912040978422

General

Target

5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Size

312KB
MD5

ce4b358d37051ea1c94278239faae503
SHA1

70c4dedb69612151bf670ac12d73373db8227b1b
SHA256

5dcf34f35a1874d190c81c7197785c4f4f9305842918fc70fe9d912040978422
SHA512

cd512ac255c687db5af7ca2d78ccacd53b45c7e2d1610776c51f4a9e8343bfea76b31dc4d7da185ce1785c83a626a75a29efcc225203ae1750a39307e2c85432

Score

10^/10

evasion spyware stealer suricata trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

y5rcAXM6DSDdIIIIjOmdm8ws.exeMfDLbTBx_jymxcvFZ2rqn3Af.exe

pid process

804 y5rcAXM6DSDdIIIIjOmdm8ws.exe
928 MfDLbTBx_jymxcvFZ2rqn3Af.exe

pid	process
804	y5rcAXM6DSDdIIIIjOmdm8ws.exe
928	MfDLbTBx_jymxcvFZ2rqn3Af.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

Loads dropped DLL 6 IoCs

Processes:

5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

pid	process
2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipinfo.io
18 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
17	ipinfo.io
18	ipinfo.io

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

pid process

2000 5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe

description	pid	process	target process
PID 2000 wrote to memory of 804	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	y5rcAXM6DSDdIIIIjOmdm8ws.exe
PID 2000 wrote to memory of 804	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	y5rcAXM6DSDdIIIIjOmdm8ws.exe
PID 2000 wrote to memory of 804	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	y5rcAXM6DSDdIIIIjOmdm8ws.exe
PID 2000 wrote to memory of 804	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	y5rcAXM6DSDdIIIIjOmdm8ws.exe
PID 2000 wrote to memory of 928	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	MfDLbTBx_jymxcvFZ2rqn3Af.exe
PID 2000 wrote to memory of 928	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	MfDLbTBx_jymxcvFZ2rqn3Af.exe
PID 2000 wrote to memory of 928	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	MfDLbTBx_jymxcvFZ2rqn3Af.exe
PID 2000 wrote to memory of 928	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	MfDLbTBx_jymxcvFZ2rqn3Af.exe
PID 2000 wrote to memory of 1148	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	_P2D629lujq6WIrc2G6qpkqc.exe
PID 2000 wrote to memory of 1148	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	_P2D629lujq6WIrc2G6qpkqc.exe
PID 2000 wrote to memory of 1148	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	_P2D629lujq6WIrc2G6qpkqc.exe
PID 2000 wrote to memory of 1148	2000	5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe	_P2D629lujq6WIrc2G6qpkqc.exe

C:\Users\Admin\AppData\Local\Temp\5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe
"C:\Users\Admin\AppData\Local\Temp\5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\Pictures\Adobe Films\MfDLbTBx_jymxcvFZ2rqn3Af.exe
"C:\Users\Admin\Pictures\Adobe Films\MfDLbTBx_jymxcvFZ2rqn3Af.exe"
2⤵
- Executes dropped EXE
PID:928

C:\Users\Admin\Pictures\Adobe Films\y5rcAXM6DSDdIIIIjOmdm8ws.exe
"C:\Users\Admin\Pictures\Adobe Films\y5rcAXM6DSDdIIIIjOmdm8ws.exe"
2⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\Pictures\Adobe Films\_P2D629lujq6WIrc2G6qpkqc.exe
"C:\Users\Admin\Pictures\Adobe Films\_P2D629lujq6WIrc2G6qpkqc.exe"
2⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\y5rcAXM6DSDdIIIIjOmdm8ws.exe
Filesize
365KB

MD5
14d1ed8606ad8a67bb9e8cabbac889cb

SHA1
682ae84172e9ada44fc0cd270769384159e7f162

SHA256
ba9e8bb18f192acac89f06ccce7e87b63128727bbaa7b3e1b2d95adb5449b853

SHA512
b1a999a9d7615a7fa98e048f3132b4b4a86b811173ce7e80da9eb6c57f1b8e6bfda73f16da3b3553d06c2ad33404ef0716ba0db8cf859564d0155ef694259a50

Download Submit
\Users\Admin\Pictures\Adobe Films\MfDLbTBx_jymxcvFZ2rqn3Af.exe
Filesize
393KB

MD5
b0788093ab423639aefac4eb31d8a2d1

SHA1
35d5bfc9f3ff67a50558fccbe8b2c45eead03661

SHA256
6e20db9320c1902cff4324891402a7ab38fdf118131c69a3e47578589efc130d

SHA512
7cb35b890646e099fab47b1581e9c2acd5daae29e9b1788a1815496a51983aefacbad360be49be26cdc6787d36c9e5e2032b9571b5be3154ac1995ec456da758

Download Submit
\Users\Admin\Pictures\Adobe Films\MfDLbTBx_jymxcvFZ2rqn3Af.exe
Filesize
393KB

MD5
b0788093ab423639aefac4eb31d8a2d1

SHA1
35d5bfc9f3ff67a50558fccbe8b2c45eead03661

SHA256
6e20db9320c1902cff4324891402a7ab38fdf118131c69a3e47578589efc130d

SHA512
7cb35b890646e099fab47b1581e9c2acd5daae29e9b1788a1815496a51983aefacbad360be49be26cdc6787d36c9e5e2032b9571b5be3154ac1995ec456da758

Download Submit
\Users\Admin\Pictures\Adobe Films\y5rcAXM6DSDdIIIIjOmdm8ws.exe
Filesize
365KB

MD5
14d1ed8606ad8a67bb9e8cabbac889cb

SHA1
682ae84172e9ada44fc0cd270769384159e7f162

SHA256
ba9e8bb18f192acac89f06ccce7e87b63128727bbaa7b3e1b2d95adb5449b853

SHA512
b1a999a9d7615a7fa98e048f3132b4b4a86b811173ce7e80da9eb6c57f1b8e6bfda73f16da3b3553d06c2ad33404ef0716ba0db8cf859564d0155ef694259a50

Download Submit
\Users\Admin\Pictures\Adobe Films\y5rcAXM6DSDdIIIIjOmdm8ws.exe
Filesize
365KB

MD5
14d1ed8606ad8a67bb9e8cabbac889cb

SHA1
682ae84172e9ada44fc0cd270769384159e7f162

SHA256
ba9e8bb18f192acac89f06ccce7e87b63128727bbaa7b3e1b2d95adb5449b853

SHA512
b1a999a9d7615a7fa98e048f3132b4b4a86b811173ce7e80da9eb6c57f1b8e6bfda73f16da3b3553d06c2ad33404ef0716ba0db8cf859564d0155ef694259a50

Download Submit
memory/804-63-0x0000000000000000-mapping.dmp

Download
memory/928-66-0x0000000000000000-mapping.dmp

Download
memory/2000-57-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2000-60-0x0000000005AB0000-0x0000000005ADE000-memory.dmp

Filesize
184KB

Download
memory/2000-59-0x0000000003950000-0x0000000003BD4000-memory.dmp

Filesize
2.5MB

Download
memory/2000-58-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2000-54-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download
memory/2000-56-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2000-55-0x000000000065B000-0x0000000000677000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads