5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465

Analysis

max time kernel
94s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 00:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe
Size

2.9MB
MD5

34012d2e25c4071a1c0b2e0a0ca0c803
SHA1

600c7d4a18e102ba4552ad28e649d4e8d76424d1
SHA256

5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465
SHA512

2b92201e32be6265890406d18c57e2d62c5d1ceaf735ffaafea61c641a7517c77e6e3bc7e6a133a2aedc0ac490e5c2d9c971c066d5eda5fcc6e26e631cb26696
SSDEEP

49152:0mESoEFmn0xL7o2hp6ybPHoFMMmzSkHZJYFIJtPvUEqPF8bZUAtAHKjFsP2LnvC3:4dk7o2hp6OIFMik5yi4GN/iKZsPyK72c

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\WINDOWS\\Config\\csrss.exe"	1.4 XR Bot.exe

ACProtect 1.3x - 1.4x DLL software 9 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000022f8c-143.dat	acprotect
behavioral2/files/0x0007000000022f8c-144.dat	acprotect
behavioral2/files/0x0006000000022f90-155.dat	acprotect
behavioral2/files/0x0006000000022f90-154.dat	acprotect
behavioral2/files/0x0006000000022f90-158.dat	acprotect
behavioral2/files/0x0006000000022f90-157.dat	acprotect
behavioral2/files/0x0006000000022f90-156.dat	acprotect
behavioral2/files/0x0006000000022f90-165.dat	acprotect
behavioral2/files/0x0006000000022f90-164.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
4408	14XRBO~2.EXE
4288	1.4 XR Bot.exe
2736	FLSTUD~1.EXE
1456	is-JMLL4.tmp

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f8d-141.dat	upx
behavioral2/files/0x0006000000022f8d-142.dat	upx
behavioral2/memory/4288-147-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4288-170-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	14XRBO~2.EXE

Loads dropped DLL 12 IoCs

pid	Process
4408	14XRBO~2.EXE
4408	14XRBO~2.EXE
4288	1.4 XR Bot.exe
4288	1.4 XR Bot.exe
4288	1.4 XR Bot.exe
4288	1.4 XR Bot.exe
2736	FLSTUD~1.EXE
2736	FLSTUD~1.EXE
4288	1.4 XR Bot.exe
4288	1.4 XR Bot.exe
1456	is-JMLL4.tmp
1456	is-JMLL4.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aplib.dll	14XRBO~2.EXE
File opened for modification	C:\WINDOWS\SysWOW64\MSWINSCK.OCX	1.4 XR Bot.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Config\csrss.exe	1.4 XR Bot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0 (SP6)"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0 (SP6)"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	1.4 XR Bot.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0 (SP6)"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	1.4 XR Bot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	1.4 XR Bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	1.4 XR Bot.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4408	14XRBO~2.EXE
4288	1.4 XR Bot.exe
4288	1.4 XR Bot.exe
2736	FLSTUD~1.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4408	2312	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe	79
PID 2312 wrote to memory of 4408	2312	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe	79
PID 2312 wrote to memory of 4408	2312	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe	79
PID 4408 wrote to memory of 4288	4408	14XRBO~2.EXE	80
PID 4408 wrote to memory of 4288	4408	14XRBO~2.EXE	80
PID 4408 wrote to memory of 4288	4408	14XRBO~2.EXE	80
PID 2312 wrote to memory of 2736	2312	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe	81
PID 2312 wrote to memory of 2736	2312	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe	81
PID 2312 wrote to memory of 2736	2312	5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe	81
PID 2736 wrote to memory of 1456	2736	FLSTUD~1.EXE	82
PID 2736 wrote to memory of 1456	2736	FLSTUD~1.EXE	82
PID 2736 wrote to memory of 1456	2736	FLSTUD~1.EXE	82

C:\Users\Admin\AppData\Local\Temp\5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe
"C:\Users\Admin\AppData\Local\Temp\5ee98095ad48b2f9e2c37b451ce24c8980a8c5ddccd86505709706d40a8c9465.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14XRBO~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14XRBO~2.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\1.4 XR Bot.exe
    "C:\Users\Admin\AppData\Local\Temp\1.4 XR Bot.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4288
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLSTUD~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLSTUD~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\is-2KDUK.tmp\is-JMLL4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2KDUK.tmp\is-JMLL4.tmp" /SL4 $601D2 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLSTUD~1.EXE" 2329742 73216
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.4 XR Bot.exe

Filesize
311KB

MD5
eeac47c812a1160fcd5254aec6594bb1

SHA1
d612a69c5333ebe862b963ec997bf69d2105dab7

SHA256
3a4a1f65b661a7479d81ec9d2a0d780674dfa7a405ded240b1ff90c668a4ac61

SHA512
bd55d23475f38523b86e2d3d39d34e5694f7188beeb2c4864f5b581bc0b147b0ceba7c2acb5977b62a627300f64314c85cb68d3d6be4fbf38bfcef7044b9a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.4 XR Bot.exe

Filesize
311KB

MD5
eeac47c812a1160fcd5254aec6594bb1

SHA1
d612a69c5333ebe862b963ec997bf69d2105dab7

SHA256
3a4a1f65b661a7479d81ec9d2a0d780674dfa7a405ded240b1ff90c668a4ac61

SHA512
bd55d23475f38523b86e2d3d39d34e5694f7188beeb2c4864f5b581bc0b147b0ceba7c2acb5977b62a627300f64314c85cb68d3d6be4fbf38bfcef7044b9a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14XRBO~2.EXE

Filesize
281KB

MD5
90f81f8e304a7f2164a7a4d1a48b0ddb

SHA1
453365af877a029403a384d2bf3d7789e9c27ca1

SHA256
d8cca860d88ba74e24be28b2c65713d9d7cc123d5e103c2982da578881a45d2c

SHA512
44b502b6582a1b39ef8290f6207bd0a7e3ddf334ea5bfd0b504af05486d874cd26fb649b5807f9318c172ce45120276df8e824f95e25c31438e5a109463bad36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14XRBO~2.EXE

Filesize
281KB

MD5
90f81f8e304a7f2164a7a4d1a48b0ddb

SHA1
453365af877a029403a384d2bf3d7789e9c27ca1

SHA256
d8cca860d88ba74e24be28b2c65713d9d7cc123d5e103c2982da578881a45d2c

SHA512
44b502b6582a1b39ef8290f6207bd0a7e3ddf334ea5bfd0b504af05486d874cd26fb649b5807f9318c172ce45120276df8e824f95e25c31438e5a109463bad36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLSTUD~1.EXE

Filesize
2.6MB

MD5
9a59592be45251f75d2fe419d0128562

SHA1
782ddabd6407240b2d6438451622bc458833764b

SHA256
f35e3b23fe05effc91edc8ce1ab4e4981a3df78b4f15df9bbd46b0f6e76262fb

SHA512
e66c0364e465ae2e4d33e9d9943df493995567d2d2193eecfc903f5f5e3f46e6a98dbb893eb9730a9cf35216595face27b9ed22617000fcb48980fb6cf8e74c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLSTUD~1.EXE

Filesize
2.6MB

MD5
9a59592be45251f75d2fe419d0128562

SHA1
782ddabd6407240b2d6438451622bc458833764b

SHA256
f35e3b23fe05effc91edc8ce1ab4e4981a3df78b4f15df9bbd46b0f6e76262fb

SHA512
e66c0364e465ae2e4d33e9d9943df493995567d2d2193eecfc903f5f5e3f46e6a98dbb893eb9730a9cf35216595face27b9ed22617000fcb48980fb6cf8e74c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2KDUK.tmp\is-JMLL4.tmp

Filesize
678KB

MD5
debc62e5b20a1839ff551217fcb99922

SHA1
89d72454d91f3b785ca2c5ab2315288b96e48c9a

SHA256
cbcdc82b05efcc0402809c26958e379202e819b3bed6100698b2307e9add75bf

SHA512
ab3ba345bfeee9236a250eace0d7a2cb575134836974fc44aaaf92ac0250c19fb80078057da08c6bea1ba64a99a93325f33eb6e9b8dd68bb8a1f60f716d9e606

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2KDUK.tmp\is-JMLL4.tmp

Filesize
678KB

MD5
debc62e5b20a1839ff551217fcb99922

SHA1
89d72454d91f3b785ca2c5ab2315288b96e48c9a

SHA256
cbcdc82b05efcc0402809c26958e379202e819b3bed6100698b2307e9add75bf

SHA512
ab3ba345bfeee9236a250eace0d7a2cb575134836974fc44aaaf92ac0250c19fb80078057da08c6bea1ba64a99a93325f33eb6e9b8dd68bb8a1f60f716d9e606

Download Submit
C:\Users\Admin\AppData\Local\Temp\mai57E.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mai57E.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zai7FF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zai7FF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zai7FF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zai7FF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zai7FF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zai7FF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zai7FF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
121KB

MD5
e8a2190a9e8ee5e5d2e0b599bbf9dda6

SHA1
4e97bf9519c83835da9db309e61ec87ddf165167

SHA256
80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311

SHA512
57f8473eedaf7e8aad3b5bcbb16d373fd6aaec290c3230033fc50b5ec220e93520b8915c936e758bb19107429a49965516425350e012f8db0de6d4f6226b42ee

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
121KB

MD5
e8a2190a9e8ee5e5d2e0b599bbf9dda6

SHA1
4e97bf9519c83835da9db309e61ec87ddf165167

SHA256
80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311

SHA512
57f8473eedaf7e8aad3b5bcbb16d373fd6aaec290c3230033fc50b5ec220e93520b8915c936e758bb19107429a49965516425350e012f8db0de6d4f6226b42ee

Download Submit
C:\Windows\SysWOW64\aplib.dll

Filesize
12KB

MD5
35d174edd3c0bcfa9a32dce19e1abeb9

SHA1
c22638e64f8a5f34809811a2c286ae2f115028f8

SHA256
34194aa58d0eb70b513ea6a876a4f35ba6cc2f19c4fb6d408dd05580dcc74b04

SHA512
f807df3655e6dd0cea2412ae82aa7b3babe3862fa9eee5d38673ee30b26a528b9618e1a25d3a58ef1ff14be36a666fabd32968b5f4dc481539d2372b526c1ead

Download Submit
C:\Windows\SysWOW64\aplib.dll

Filesize
12KB

MD5
35d174edd3c0bcfa9a32dce19e1abeb9

SHA1
c22638e64f8a5f34809811a2c286ae2f115028f8

SHA256
34194aa58d0eb70b513ea6a876a4f35ba6cc2f19c4fb6d408dd05580dcc74b04

SHA512
f807df3655e6dd0cea2412ae82aa7b3babe3862fa9eee5d38673ee30b26a528b9618e1a25d3a58ef1ff14be36a666fabd32968b5f4dc481539d2372b526c1ead

Download Submit
memory/1456-173-0x0000000002270000-0x00000000022E3000-memory.dmp

Filesize
460KB

Download
memory/1456-169-0x0000000002270000-0x00000000022E3000-memory.dmp

Filesize
460KB

Download
memory/2736-167-0x00000000020C0000-0x0000000002133000-memory.dmp

Filesize
460KB

Download
memory/2736-159-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2736-166-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4288-150-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/4288-168-0x0000000003310000-0x0000000003383000-memory.dmp

Filesize
460KB

Download
memory/4288-147-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4288-170-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4288-171-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/4288-172-0x0000000003310000-0x0000000003383000-memory.dmp

Filesize
460KB

Download
memory/4408-139-0x0000000002061000-0x0000000002063000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads