1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47 | Triage

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 14:47 UTC

Sharing

Report Analysis Logs

General

Target

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Size

808KB
MD5

9028d8fdcf15ecc6533f998b82cfcae0
SHA1

676f28184518a99277d90255e21f3b6da0119b95
SHA256

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47
SHA512

1fd00a7ffe63771164d9ac66e38e49b9d518bbbe90f01fb58bee5769e4c44e1cc91fcf786ff57943626aded27cb2b275380e920adb7087ae0dfbf868de02888d
SSDEEP

3072:a18SouhTTtfiCXl+0LbLuO5aYd/5q6rsg2ZaZ/VuXQMul6mdoCom9QEst3FmcSDw:U8Yd4iaYd/5EkhTlBy3Fmcow

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

Modify Registry

Modify Existing Service

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3544-135-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3544-137-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3544-138-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3544-140-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3544-145-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Adds Run key to start application 2 TTPs 8 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QYSRQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TYWHvBYzBXR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 3544	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	82
PID 1168 wrote to memory of 1848	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	83
PID 1168 wrote to memory of 1848	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	83
PID 1168 wrote to memory of 1848	1168	1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe	83

C:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
"C:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
  C:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fy6aw2ESq8.bat" "
  2⤵
  PID:1848

Network

DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response
DNS

dankirc.homeip.net

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

Remote address:

8.8.8.8:53

Request

dankirc.homeip.net

IN A

Response

209.197.3.8:80

260 B
5
8.252.51.254:80

322 B
7
8.253.183.120:80

322 B
7
209.197.3.8:80

260 B
5
52.168.117.170:443

322 B
7
104.80.225.205:443

322 B
7
209.197.3.8:80

322 B
7
142.251.36.1:443

tls

46 B
120 B
1
1
142.251.36.1:443

tls

46 B
120 B
1
1
142.250.179.131:443

tls

46 B
120 B
1
1
142.251.39.100:443

tls

46 B
120 B
1
1
216.58.214.10:443

tls

46 B
120 B
1
1
142.250.179.194:443

tls

46 B
120 B
1
1
142.251.36.8:443

tls

46 B
120 B
1
1
216.58.214.10:443

tls

46 B
120 B
1
1
142.250.179.206:443

tls

46 B
120 B
1
1
172.217.168.206:443

tls

46 B
120 B
1
1
142.251.36.6:443

tls

46 B
120 B
1
1
142.250.179.131:443

tls

46 B
120 B
1
1
142.250.179.162:443

tls

46 B
120 B
1
1
142.250.102.155:443

tls

46 B
120 B
1
1
142.250.102.155:443

tls

46 B
120 B
1
1
142.250.179.142:443

tls

46 B
120 B
1
1
142.251.36.42:443

tls

46 B
120 B
1
1
142.251.36.1:443

tls

46 B
120 B
1
1
142.251.36.1:443

tls

46 B
120 B
1
1
142.251.36.54:443

tls

46 B
120 B
1
1
172.217.168.227:80

46 B
40 B
1
1
172.217.168.227:80

46 B
40 B
1
1
142.251.36.3:443

tls

46 B
120 B
1
1
142.251.36.3:443

tls

46 B
120 B
1
1
142.251.36.6:443

tls

46 B
120 B
1
1
142.250.179.162:443

tls

46 B
120 B
1
1
142.250.179.142:443

tls

46 B
120 B
1
1
142.251.36.54:443

tls

46 B
120 B
1
1
142.251.36.42:443

tls

46 B
120 B
1
1
142.251.36.8:443

tls

46 B
120 B
1
1
142.250.179.206:443

tls

46 B
120 B
1
1
172.217.168.206:443

tls

46 B
120 B
1
1
142.250.179.195:443

tls

46 B
120 B
1
1
142.250.179.195:443

tls

46 B
120 B
1
1
142.251.39.100:443

tls

46 B
120 B
1
1

8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

64 B
125 B
1
1

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

128 B
250 B
2
2

DNS Request

dankirc.homeip.net

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

128 B
250 B
2
2

DNS Request

dankirc.homeip.net

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

128 B
250 B
2
2

DNS Request

dankirc.homeip.net

DNS Request

dankirc.homeip.net
8.8.8.8:53

dankirc.homeip.net

dns

1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe

128 B
250 B
2
2

DNS Request

dankirc.homeip.net

DNS Request

dankirc.homeip.net

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BZ8YL.exe

Filesize
808KB

MD5
9028d8fdcf15ecc6533f998b82cfcae0

SHA1
676f28184518a99277d90255e21f3b6da0119b95

SHA256
1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47

SHA512
1fd00a7ffe63771164d9ac66e38e49b9d518bbbe90f01fb58bee5769e4c44e1cc91fcf786ff57943626aded27cb2b275380e920adb7087ae0dfbf868de02888d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fy6aw2ESq8.bat

Filesize
396B

MD5
7be111a5360e52356d2aaebc23888324

SHA1
2868348401cff7ede51718d082fb229623061d40

SHA256
9d0fecd700bf608435e03212c81f4e4ba3bc530ecce4d558c3da978d483c32ff

SHA512
45c83e714ed1cb33c8979d5b1a6b205183bfd989f0a5e1ee9f5237745cd9c9865eae5420fdd9da831a1f0d30d32fb0d0fc13c95316b7bf89fbec4de2232eac08

Download Submit
memory/1168-139-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1168-144-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3544-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3544-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3544-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3544-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3544-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download