icedid | eac5d2ad5965e0c2da630487b93ba8922202720234df6ec941af3da66b4239cb

General

Target

sac3p.7z
Size

222KB
MD5

1dffe2464ff57e37a483c713f5823039
SHA1

02d35e456b553be3ba9906c395386a7ec0dacb97
SHA256

eac5d2ad5965e0c2da630487b93ba8922202720234df6ec941af3da66b4239cb
SHA512

9aa19fa0444cc713c04330953cd54c980c5999d95ce18d21c9b4c1d4af6eff9d72611643226606538bea2584f46a3c33248fc27c2e7107e54ea35e8876c82417

Score

10^/10

icedid 3635541348 banker loader suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

3635541348

C2

piponareatna.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

39 364 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

364 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2219095117.pri explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
39	364	rundll32.exe

pid	process
364	rundll32.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 57 IoCs

Processes:

explorer.exeOpenWith.execmd.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000008e546eb612004170704461746100400009000400efbe8e546eb68e546eb62e0000008b520100000001000000000000000000000000000000391f9b004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000008e546eb61100557365727300640009000400efbe724a0b5d8e546eb62e000000320500000000010000000000000000003a0000000000036aa90055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000008e5415bc100041646d696e003c0009000400efbe8e546eb68e5415bc2e0000007f520100000001000000000000000000000000000000a262fc00410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000008e54e3b810004c6f63616c003c0009000400efbe8e546eb68e54e3b82e0000009e520100000001000000000000000000000000000000b97d66004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000de5413a7100054656d7000003a0009000400efbe8e546eb6de5413a72e0000009f520100000001000000000000000000000000000000ec33df00540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

3580 explorer.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exerundll32.exe

pid process

4448 powershell.exe
4448 powershell.exe
4448 powershell.exe
364 rundll32.exe
364 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3580 explorer.exe

pid	process
3580	explorer.exe

pid	process
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
364	rundll32.exe
364	rundll32.exe

pid	process
3580	explorer.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exe7zG.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeRestorePrivilege	4540	7zG.exe
Token: 35	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe
Token: SeRestorePrivilege	4684	7zG.exe
Token: 35	4684	7zG.exe
Token: SeSecurityPrivilege	4684	7zG.exe
Token: SeSecurityPrivilege	4684	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exe7zG.exe

pid process

4540 7zG.exe
4684 7zG.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OpenWith.exeexplorer.exe

pid process

2256 OpenWith.exe
3580 explorer.exe
3580 explorer.exe
3580 explorer.exe

pid	process
4540	7zG.exe
4684	7zG.exe

pid	process
2256	OpenWith.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

powershell.execmd.exeexplorer.exe

description	pid	process	target process
PID 4448 wrote to memory of 4104	4448	powershell.exe	cmd.exe
PID 4448 wrote to memory of 4104	4448	powershell.exe	cmd.exe
PID 4104 wrote to memory of 2936	4104	cmd.exe	explorer.exe
PID 4104 wrote to memory of 2936	4104	cmd.exe	explorer.exe
PID 3580 wrote to memory of 4540	3580	explorer.exe	7zG.exe
PID 3580 wrote to memory of 4540	3580	explorer.exe	7zG.exe
PID 3580 wrote to memory of 4684	3580	explorer.exe	7zG.exe
PID 3580 wrote to memory of 4684	3580	explorer.exe	7zG.exe
PID 4104 wrote to memory of 364	4104	cmd.exe	rundll32.exe
PID 4104 wrote to memory of 364	4104	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sac3p.7z
1⤵
- Modifies registry class
PID:3748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\explorer.exe
explorer .
3⤵
PID:2936

C:\Windows\system32\rundll32.exe
rundll32 sac3p.dll,#1
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap16611:88:7zEvent18434
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap1133:88:7zEvent23252
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sac3p.dll
Filesize
424KB

MD5
d562ddfacb68466a719ebb035629bb5e

SHA1
349dbcd9a35fef4172028a4528a9359c0d51fe31

SHA256
57dfa7a0ea9b024f85fa46cf2c383b9c7b0800916c12a17b2f2b64010b2ef509

SHA512
dec42c080298452524d660f26dabb4444c02d5f2037ec2e72b8f18d021733203e1bd12eded656d5b29b40b999e020b7f34e1593e3fc1ff8de5809a7daa68374f

Download Submit
\Users\Admin\AppData\Local\Temp\sac3p.dll
Filesize
424KB

MD5
d562ddfacb68466a719ebb035629bb5e

SHA1
349dbcd9a35fef4172028a4528a9359c0d51fe31

SHA256
57dfa7a0ea9b024f85fa46cf2c383b9c7b0800916c12a17b2f2b64010b2ef509

SHA512
dec42c080298452524d660f26dabb4444c02d5f2037ec2e72b8f18d021733203e1bd12eded656d5b29b40b999e020b7f34e1593e3fc1ff8de5809a7daa68374f

Download Submit
memory/364-177-0x0000000000000000-mapping.dmp

Download
memory/364-180-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/2936-174-0x0000000000000000-mapping.dmp

Download
memory/4104-172-0x0000000000000000-mapping.dmp

Download
memory/4448-122-0x000001EE54730000-0x000001EE54752000-memory.dmp

Filesize
136KB

Download
memory/4448-142-0x000001EE54CD0000-0x000001EE54D0C000-memory.dmp

Filesize
240KB

Download
memory/4448-153-0x000001EE54D90000-0x000001EE54E06000-memory.dmp

Filesize
472KB

Download
memory/4540-175-0x0000000000000000-mapping.dmp

Download
memory/4684-176-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads