bitrat | e2340403396069b5ca3a235a66889abf2540c8e382bff1cb704ef2cdb13dade9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

receipt.exe
Size

1.4MB
MD5

220925c99e482fd480dedb37ca1b59d3
SHA1

828278c1467af367892469cbced139533ecce7e1
SHA256

e2340403396069b5ca3a235a66889abf2540c8e382bff1cb704ef2cdb13dade9
SHA512

55dc454a0cc616fbcbb646646cad5aa7beefdafd7a6193ad7ca653eacdd2a15fa6d077991135dbd681c74f1cfe16e99a0baba73ac81048ab77977ce8fceedb27
SSDEEP

24576:9ct1Eh0F4ATi6OKm1Hh1DV2FK/71dEbni7H1o0wwCwTdaPWU0XFpfbICj7J:9aeRKi6Nm1BVV2FI52sHGCdRXFpfbn7

Score

10^/10

bitrat nanocore evasion keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

216.250.251.191:24980

uzu.duckdns.org:24980

Mutex

549c9b02-da26-418a-8695-f2a6ff7cd7b3

Attributes

activate_away_mode
true
backup_connection_host
uzu.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-02-06T07:21:58.722428536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
24980
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
549c9b02-da26-418a-8695-f2a6ff7cd7b3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
216.250.251.191
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

bitrat

Version

1.38

tcki6mrrcnrt33qy52viv7m64y6hepkv646nnzglrkbgytyt6b2hdrid.onion:80

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
dllhost

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

ACProtect 1.3x - 1.4x DLL software 14 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\951497bb\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\951497bb\tor\libssp-0.dll	acprotect

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Rzqhcgbd1time.exec3Zx4izIJOvLlWHR.exedllhost.exe

pid process

1424 Rzqhcgbd1time.exe
3524 c3Zx4izIJOvLlWHR.exe
3392 dllhost.exe

pid	process
1424	Rzqhcgbd1time.exe
3524	c3Zx4izIJOvLlWHR.exe
3392	dllhost.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\951497bb\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\951497bb\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\951497bb\tor\libssp-0.dll	upx
behavioral2/memory/3392-182-0x00000000006B0000-0x0000000000AB4000-memory.dmp	upx
behavioral2/memory/3392-184-0x0000000070960000-0x0000000070A2E000-memory.dmp	upx
behavioral2/memory/3392-183-0x0000000070B50000-0x0000000070C18000-memory.dmp	upx
behavioral2/memory/3392-186-0x0000000070B00000-0x0000000070B49000-memory.dmp	upx
behavioral2/memory/3392-187-0x0000000070690000-0x000000007095F000-memory.dmp	upx
behavioral2/memory/3392-188-0x0000000070AD0000-0x0000000070AF4000-memory.dmp	upx
behavioral2/memory/3392-189-0x0000000070600000-0x0000000070688000-memory.dmp	upx
behavioral2/memory/3392-190-0x00000000704F0000-0x00000000705FA000-memory.dmp	upx
behavioral2/memory/3392-192-0x00000000006B0000-0x0000000000AB4000-memory.dmp	upx
behavioral2/memory/3392-193-0x0000000070B50000-0x0000000070C18000-memory.dmp	upx
behavioral2/memory/3392-194-0x0000000070960000-0x0000000070A2E000-memory.dmp	upx
behavioral2/memory/3392-195-0x0000000070690000-0x000000007095F000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c3Zx4izIJOvLlWHR.exereceipt.exereceipt.exeRzqhcgbd1time.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c3Zx4izIJOvLlWHR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	receipt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	receipt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Rzqhcgbd1time.exe

Loads dropped DLL 7 IoCs

Processes:

dllhost.exe

pid process

3392 dllhost.exe
3392 dllhost.exe
3392 dllhost.exe
3392 dllhost.exe
3392 dllhost.exe
3392 dllhost.exe
3392 dllhost.exe

pid	process
3392	dllhost.exe
3392	dllhost.exe
3392	dllhost.exe
3392	dllhost.exe
3392	dllhost.exe
3392	dllhost.exe
3392	dllhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

receipt.exereceipt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uewizrlgm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zyfrlcamp\\Uewizrlgm.exe\""	receipt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cfrstztdf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Qwpuntax\\Cfrstztdf.exe\""	receipt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

receipt.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA receipt.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 myexternalip.com
57 myexternalip.com
68 myexternalip.com
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	receipt.exe

flow	ioc
56	myexternalip.com
57	myexternalip.com
68	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

c3Zx4izIJOvLlWHR.exe

pid	process
3524	c3Zx4izIJOvLlWHR.exe
3524	c3Zx4izIJOvLlWHR.exe
3524	c3Zx4izIJOvLlWHR.exe
3524	c3Zx4izIJOvLlWHR.exe
3524	c3Zx4izIJOvLlWHR.exe
3524	c3Zx4izIJOvLlWHR.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

receipt.exereceipt.exe

description	pid	process	target process
PID 3780 set thread context of 2228	3780	receipt.exe	receipt.exe
PID 2228 set thread context of 4228	2228	receipt.exe	receipt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3968 schtasks.exe

pid	process
3968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exereceipt.exepowershell.exereceipt.exe

pid	process
980	powershell.exe
980	powershell.exe
3780	receipt.exe
3780	receipt.exe
1400	powershell.exe
1400	powershell.exe
4228	receipt.exe
4228	receipt.exe
4228	receipt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

receipt.exe

pid process

4228 receipt.exe

pid	process
4228	receipt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exereceipt.exepowershell.exereceipt.exereceipt.exec3Zx4izIJOvLlWHR.exe

description	pid	process
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	3780	receipt.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2228	receipt.exe
Token: SeDebugPrivilege	4228	receipt.exe
Token: SeShutdownPrivilege	3524	c3Zx4izIJOvLlWHR.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c3Zx4izIJOvLlWHR.exe

pid process

3524 c3Zx4izIJOvLlWHR.exe
3524 c3Zx4izIJOvLlWHR.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

receipt.exereceipt.exereceipt.exeRzqhcgbd1time.exec3Zx4izIJOvLlWHR.exe

description	pid	process	target process
PID 3780 wrote to memory of 980	3780	receipt.exe	powershell.exe
PID 3780 wrote to memory of 980	3780	receipt.exe	powershell.exe
PID 3780 wrote to memory of 980	3780	receipt.exe	powershell.exe
PID 3780 wrote to memory of 4020	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 4020	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 4020	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 3780 wrote to memory of 2228	3780	receipt.exe	receipt.exe
PID 2228 wrote to memory of 1400	2228	receipt.exe	powershell.exe
PID 2228 wrote to memory of 1400	2228	receipt.exe	powershell.exe
PID 2228 wrote to memory of 1400	2228	receipt.exe	powershell.exe
PID 2228 wrote to memory of 1424	2228	receipt.exe	Rzqhcgbd1time.exe
PID 2228 wrote to memory of 1424	2228	receipt.exe	Rzqhcgbd1time.exe
PID 2228 wrote to memory of 1424	2228	receipt.exe	Rzqhcgbd1time.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 2228 wrote to memory of 4228	2228	receipt.exe	receipt.exe
PID 4228 wrote to memory of 3968	4228	receipt.exe	schtasks.exe
PID 4228 wrote to memory of 3968	4228	receipt.exe	schtasks.exe
PID 4228 wrote to memory of 3968	4228	receipt.exe	schtasks.exe
PID 1424 wrote to memory of 3524	1424	Rzqhcgbd1time.exe	c3Zx4izIJOvLlWHR.exe
PID 1424 wrote to memory of 3524	1424	Rzqhcgbd1time.exe	c3Zx4izIJOvLlWHR.exe
PID 1424 wrote to memory of 3524	1424	Rzqhcgbd1time.exe	c3Zx4izIJOvLlWHR.exe
PID 3524 wrote to memory of 3392	3524	c3Zx4izIJOvLlWHR.exe	dllhost.exe
PID 3524 wrote to memory of 3392	3524	c3Zx4izIJOvLlWHR.exe	dllhost.exe
PID 3524 wrote to memory of 3392	3524	c3Zx4izIJOvLlWHR.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\receipt.exe
"C:\Users\Admin\AppData\Local\Temp\receipt.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Users\Admin\AppData\Local\Temp\receipt.exe
C:\Users\Admin\AppData\Local\Temp\receipt.exe
2⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\receipt.exe
C:\Users\Admin\AppData\Local\Temp\receipt.exe
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Users\Admin\AppData\Local\Temp\Rzqhcgbd1time.exe
"C:\Users\Admin\AppData\Local\Temp\Rzqhcgbd1time.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\c3Zx4izIJOvLlWHR.exe
"C:\Users\Admin\AppData\Local\Temp\c3Zx4izIJOvLlWHR.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\951497bb\tor\dllhost.exe
"C:\Users\Admin\AppData\Local\951497bb\tor\dllhost.exe" -f torrc
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3392

C:\Users\Admin\AppData\Local\Temp\receipt.exe
C:\Users\Admin\AppData\Local\Temp\receipt.exe
3⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB12F.tmp"
4⤵
- Creates scheduled task(s)
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\951497bb\tor\dllhost.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\dllhost.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libcrypto-1_1.dll
Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\torrc
Filesize
157B

MD5
0abc0c2c50e17f9ae5c8ab3245eb656b

SHA1
079865f62cef9dd3577f1b16e5a33411e38bbc7a

SHA256
eee8bdeac9340fd17d498eced366348b65e9da7176aaa5614cdb7f5fa34394ea

SHA512
9adf325f4bd495e93a380e5dda2f08cbdd2cb30045f669b3d3a979dce09c71f5a7677cff009f234bd14943f995b38d3675571fb56f201208b947df82130a9ddd

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\951497bb\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\receipt.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
7e6c7a5ddbfe03e4204fc4a1ca9cd043

SHA1
b2dedef63a84956753c4db442898dd6108196962

SHA256
163eb0c59ba6a26d8aa4b3754ec3224a476e0e3af1bbfe5759fb3bcb8b6d0f51

SHA512
2369d68281a0eae1e13c3ca4aac86fd199dfaa62750dc0b92fe965d7c5c4fbc92ada3febadf5d89f42228e88c2c5f5eba3ec574aa54c9b70f356d48f9b032a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rzqhcgbd1time.exe
Filesize
230KB

MD5
75c8427471203e42a905f099d986bae4

SHA1
0516e741687ab1f9d10aa65ae27295da3583881e

SHA256
176a5367d9746b3b7c35aaeb04b905007f59edff29bc3790345864f13f54a045

SHA512
d4c34e343e3d959dcf8386f1b25ffc4c2b1e7a69c4b9b19d9026ebfbdc7a6dcd7b4369323005e18a00929e9293a89163009e72011368d18fa3be16d6194907b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rzqhcgbd1time.exe
Filesize
230KB

MD5
75c8427471203e42a905f099d986bae4

SHA1
0516e741687ab1f9d10aa65ae27295da3583881e

SHA256
176a5367d9746b3b7c35aaeb04b905007f59edff29bc3790345864f13f54a045

SHA512
d4c34e343e3d959dcf8386f1b25ffc4c2b1e7a69c4b9b19d9026ebfbdc7a6dcd7b4369323005e18a00929e9293a89163009e72011368d18fa3be16d6194907b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3Zx4izIJOvLlWHR.exe
Filesize
7.8MB

MD5
a9f5e3e4df4ed31cb7fb95068d4c240b

SHA1
f40e523b5fc1703fca65f069baf6cd991a4dcf23

SHA256
03aa67a1cb5896c377e33a6d71feedf90088a823e895b35ee651a159a4dc8316

SHA512
791f17b8f6e60bc86e637697bfefb4694769d6a43882686bd663d64d37f97c1929d54f4c445803662d02e387280d70be6f870025ac74827e074e8658b6e3ec7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3Zx4izIJOvLlWHR.exe
Filesize
7.8MB

MD5
a9f5e3e4df4ed31cb7fb95068d4c240b

SHA1
f40e523b5fc1703fca65f069baf6cd991a4dcf23

SHA256
03aa67a1cb5896c377e33a6d71feedf90088a823e895b35ee651a159a4dc8316

SHA512
791f17b8f6e60bc86e637697bfefb4694769d6a43882686bd663d64d37f97c1929d54f4c445803662d02e387280d70be6f870025ac74827e074e8658b6e3ec7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB12F.tmp
Filesize
1KB

MD5
2237150f6585a5a008578ef40bb32466

SHA1
8f5e244b66d1a86a8592d014a817a467db467e49

SHA256
a697b23a9e986b47f4f19598de804dfc3e70c411dde186b9510152eb8655a649

SHA512
a72830c3d8d7e79567fd0a817f420593fe441104dd7406c5da9c7367363414e875df255ef6eb1142042f83fb15182eaa5fd1ca6d9070f2645c5e7af5c09e578f

Download Submit
memory/980-136-0x0000000005390000-0x00000000059B8000-memory.dmp

Filesize
6.2MB

Download
memory/980-139-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/980-138-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/980-137-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/980-140-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/980-141-0x00000000066E0000-0x00000000066FA000-memory.dmp

Filesize
104KB

Download
memory/980-135-0x0000000004C40000-0x0000000004C76000-memory.dmp

Filesize
216KB

Download
memory/980-134-0x0000000000000000-mapping.dmp

Download
memory/1400-146-0x0000000000000000-mapping.dmp

Download
memory/1424-150-0x0000000000000000-mapping.dmp

Download
memory/2228-143-0x0000000000000000-mapping.dmp

Download
memory/2228-144-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3392-186-0x0000000070B00000-0x0000000070B49000-memory.dmp

Filesize
292KB

Download
memory/3392-189-0x0000000070600000-0x0000000070688000-memory.dmp

Filesize
544KB

Download
memory/3392-165-0x0000000000000000-mapping.dmp

Download
memory/3392-195-0x0000000070690000-0x000000007095F000-memory.dmp

Filesize
2.8MB

Download
memory/3392-194-0x0000000070960000-0x0000000070A2E000-memory.dmp

Filesize
824KB

Download
memory/3392-193-0x0000000070B50000-0x0000000070C18000-memory.dmp

Filesize
800KB

Download
memory/3392-192-0x00000000006B0000-0x0000000000AB4000-memory.dmp

Filesize
4.0MB

Download
memory/3392-190-0x00000000704F0000-0x00000000705FA000-memory.dmp

Filesize
1.0MB

Download
memory/3392-188-0x0000000070AD0000-0x0000000070AF4000-memory.dmp

Filesize
144KB

Download
memory/3392-187-0x0000000070690000-0x000000007095F000-memory.dmp

Filesize
2.8MB

Download
memory/3392-183-0x0000000070B50000-0x0000000070C18000-memory.dmp

Filesize
800KB

Download
memory/3392-184-0x0000000070960000-0x0000000070A2E000-memory.dmp

Filesize
824KB

Download
memory/3392-182-0x00000000006B0000-0x0000000000AB4000-memory.dmp

Filesize
4.0MB

Download
memory/3524-191-0x0000000070150000-0x0000000070189000-memory.dmp

Filesize
228KB

Download
memory/3524-196-0x0000000070D00000-0x0000000070D39000-memory.dmp

Filesize
228KB

Download
memory/3524-164-0x0000000071740000-0x0000000071779000-memory.dmp

Filesize
228KB

Download
memory/3524-161-0x0000000000000000-mapping.dmp

Download
memory/3780-132-0x0000000000200000-0x0000000000376000-memory.dmp

Filesize
1.5MB

Download
memory/3780-133-0x0000000005100000-0x0000000005122000-memory.dmp

Filesize
136KB

Download
memory/3968-159-0x0000000000000000-mapping.dmp

Download
memory/4020-142-0x0000000000000000-mapping.dmp

Download
memory/4228-157-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/4228-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-158-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/4228-156-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/4228-153-0x0000000000000000-mapping.dmp

Download
memory/4228-155-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download