netwire | 1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be

General

Target

1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe
Size

187KB
MD5

01a713e9c0dfaaaed49ad3c77bd23b8c
SHA1

91ae5b3f67e51a076c002a68d57450822f644836
SHA256

1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be
SHA512

d59461758a50496fa8f8aa2b0471c31210f43d333f1809e5fe7b5f37d62c607ca1b8e3fc2a030abdc2e5edd568f85b6b4a96ce0d660832d396a752a4ef89c4cc
SSDEEP

3072:RoBYrfOh1KnnD69k9sjze6sFFUZedvaW64lfQ83VpvGaNbCvV7qSZJPfX0Li:RcJgD/9B5CZela+lX3bCt7qSZH

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2484-143-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2484-146-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/2484-150-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Tradesee.exeTradesee.exe

pid process

1876 Tradesee.exe
2484 Tradesee.exe

pid	process
1876	Tradesee.exe
2484	Tradesee.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe

Drops startup file 1 IoCs

Processes:

1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Behindnote.lnk	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tradesee.exe

description pid process target process

PID 1876 set thread context of 2484 1876 Tradesee.exe Tradesee.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1876 set thread context of 2484	1876	Tradesee.exe	Tradesee.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Tradesee.exe

pid process

1876 Tradesee.exe
1876 Tradesee.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Tradesee.exe

description pid process

Token: SeDebugPrivilege 1876 Tradesee.exe

pid	process
1876	Tradesee.exe
1876	Tradesee.exe

description	pid	process
Token: SeDebugPrivilege	1876	Tradesee.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exeTradesee.exe

description	pid	process	target process
PID 4100 wrote to memory of 1876	4100	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe	Tradesee.exe
PID 4100 wrote to memory of 1876	4100	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe	Tradesee.exe
PID 4100 wrote to memory of 1876	4100	1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe	Tradesee.exe
PID 1876 wrote to memory of 2484	1876	Tradesee.exe	Tradesee.exe
PID 1876 wrote to memory of 2484	1876	Tradesee.exe	Tradesee.exe
PID 1876 wrote to memory of 2484	1876	Tradesee.exe	Tradesee.exe
PID 1876 wrote to memory of 2484	1876	Tradesee.exe	Tradesee.exe
PID 1876 wrote to memory of 2484	1876	Tradesee.exe	Tradesee.exe

C:\Users\Admin\AppData\Local\Temp\1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe
"C:\Users\Admin\AppData\Local\Temp\1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4100

C:\ProgramData\Makingread\Tradesee.exe
"C:\ProgramData\Makingread\Tradesee.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\ProgramData\Makingread\Tradesee.exe
C:\ProgramData\Makingread\Tradesee.exe
3⤵
- Executes dropped EXE
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Makingread\Tradesee.exe
Filesize
187KB

MD5
01a713e9c0dfaaaed49ad3c77bd23b8c

SHA1
91ae5b3f67e51a076c002a68d57450822f644836

SHA256
1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be

SHA512
d59461758a50496fa8f8aa2b0471c31210f43d333f1809e5fe7b5f37d62c607ca1b8e3fc2a030abdc2e5edd568f85b6b4a96ce0d660832d396a752a4ef89c4cc

Download Submit
C:\ProgramData\Makingread\Tradesee.exe
Filesize
187KB

MD5
01a713e9c0dfaaaed49ad3c77bd23b8c

SHA1
91ae5b3f67e51a076c002a68d57450822f644836

SHA256
1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be

SHA512
d59461758a50496fa8f8aa2b0471c31210f43d333f1809e5fe7b5f37d62c607ca1b8e3fc2a030abdc2e5edd568f85b6b4a96ce0d660832d396a752a4ef89c4cc

Download Submit
C:\ProgramData\Makingread\Tradesee.exe
Filesize
187KB

MD5
01a713e9c0dfaaaed49ad3c77bd23b8c

SHA1
91ae5b3f67e51a076c002a68d57450822f644836

SHA256
1e4a27850b6739e16df5786f16cc322042e9e6cf5734c5e213f1b2e0f93984be

SHA512
d59461758a50496fa8f8aa2b0471c31210f43d333f1809e5fe7b5f37d62c607ca1b8e3fc2a030abdc2e5edd568f85b6b4a96ce0d660832d396a752a4ef89c4cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26AD01F9C002FAD37427E734302383D8_8591D99E88513CEACEDF0CE25181F50B
Filesize
471B

MD5
456b3fa310255d0f0abf18230151a915

SHA1
5264e87eec264ee5db27cbba0eb6999ab8631872

SHA256
2f138c4881083940ca6af61f3fa24dfe8f271c8e9e71fb1eecdff02bddcacb37

SHA512
54919204bb96197985c7b814ed343f979feb9b1d2d333dcc88231e0dbaab80701fdb15563d119d1402efdace41dcef4a604e05f0aa233521d0c196a4e60335f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
471B

MD5
4c93b1193d50085fb80df1f646629463

SHA1
7c6eed83fe292d5532e8e5fe5acf11172d7139a2

SHA256
a093f6b4637bc082d6bb6d0efb0b037fb9b0a186a66e89176ef0bddef7e30717

SHA512
72b88491815d7a8408dbe468a367719fac913384d3b0786ba421d0863629575bbb903c48c0962917401dd2f42fab0caf80163edb379d12e5449ec7551fa35123

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26AD01F9C002FAD37427E734302383D8_8591D99E88513CEACEDF0CE25181F50B
Filesize
426B

MD5
b13ae1e91a8bae293dd7e6804fd1b478

SHA1
fd00f3024cd327d5229dd5e9acd1c5521847c126

SHA256
4396ea10d6518d59a26cc5f812eec5ef5d43de7f46b5f15a9a2b71936aebe563

SHA512
10f660f414660c637208ee7041cae9f45f5578759c3fc1fd005d27baef1c0d3663cc1e7b077f5c2e14998d90f9b3209d83fe86a31e52b64a89b6d072e7d06fc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
438B

MD5
71e59a605232cf01503b4c640c225bb8

SHA1
e74ccf272c609cca5f4db58e921b38b2710e9287

SHA256
4c7507963c4bc5ec9086e6b5465a403bcb243deceb884d6f976104e9eaa53e3b

SHA512
cf36d30c2e14daa752f004b866216f103ba8ddbca62c784cfa4ca9c44f2072a8f9c2b3629b9e7318ad8095922800204d48aa6f0d0bb272b2498915d7a38a86c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Behindnote.lnk
Filesize
878B

MD5
745b39a1187bddac13714babff1914b7

SHA1
e69b0953459f3c0ab1e756ffb81a9a2b1ab40d19

SHA256
548bc1ed6e28c43a93a3d4a37a6b2e4de49f3398bfb52f214da6d025420e4fa0

SHA512
a47bff9bb2273cb82a2706915134d070f84880fff9343a4688bb83c4d221178056e631913a9e01ce27d042d8d6b8e361538de5e8359924f86bf4c408909dbc87

Download Submit
memory/1876-141-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/1876-133-0x0000000000000000-mapping.dmp

Download
memory/1876-151-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2484-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-146-0x0000000000000000-mapping.dmp

Download
memory/2484-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4100-140-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4100-132-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads