4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430

General

Target

4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
Size

265KB
MD5

0614bbc750f21100cc2325947ab7b640
SHA1

e291bcebb7894a3f32e570397deaf6bd8d6d07f0
SHA256

4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430
SHA512

4f135251d707c03ea1b4b0f4f8e924261b6be8a02a56ffcf3af90d4f57269e2a647f71c661b7640c53bf2e7e16e0404b16c899e42ab94aa7ca166025a354d0fc
SSDEEP

6144:w1m0vTVNcsYWv6pcBMq6hs/IaO9YTt+VrN:w1m0vBqw6a53tZI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe

pid process

320 Logo1_.exe
4260 4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe

pid	process
320	Logo1_.exe
4260	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exe4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
File created	C:\Windows\Logo1_.exe	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exeLogo1_.exe

pid	process
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe
320	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1584 wrote to memory of 5096	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	net.exe
PID 1584 wrote to memory of 5096	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	net.exe
PID 1584 wrote to memory of 5096	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	net.exe
PID 5096 wrote to memory of 3456	5096	net.exe	net1.exe
PID 5096 wrote to memory of 3456	5096	net.exe	net1.exe
PID 5096 wrote to memory of 3456	5096	net.exe	net1.exe
PID 1584 wrote to memory of 2180	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	cmd.exe
PID 1584 wrote to memory of 2180	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	cmd.exe
PID 1584 wrote to memory of 2180	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	cmd.exe
PID 1584 wrote to memory of 320	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	Logo1_.exe
PID 1584 wrote to memory of 320	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	Logo1_.exe
PID 1584 wrote to memory of 320	1584	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe	Logo1_.exe
PID 320 wrote to memory of 3196	320	Logo1_.exe	net.exe
PID 320 wrote to memory of 3196	320	Logo1_.exe	net.exe
PID 320 wrote to memory of 3196	320	Logo1_.exe	net.exe
PID 3196 wrote to memory of 3912	3196	net.exe	net1.exe
PID 3196 wrote to memory of 3912	3196	net.exe	net1.exe
PID 3196 wrote to memory of 3912	3196	net.exe	net1.exe
PID 2180 wrote to memory of 4260	2180	cmd.exe	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
PID 2180 wrote to memory of 4260	2180	cmd.exe	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
PID 2180 wrote to memory of 4260	2180	cmd.exe	4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
PID 320 wrote to memory of 4072	320	Logo1_.exe	net.exe
PID 320 wrote to memory of 4072	320	Logo1_.exe	net.exe
PID 320 wrote to memory of 4072	320	Logo1_.exe	net.exe
PID 4072 wrote to memory of 1772	4072	net.exe	net1.exe
PID 4072 wrote to memory of 1772	4072	net.exe	net1.exe
PID 4072 wrote to memory of 1772	4072	net.exe	net1.exe
PID 320 wrote to memory of 2704	320	Logo1_.exe	Explorer.EXE
PID 320 wrote to memory of 2704	320	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
"C:\Users\Admin\AppData\Local\Temp\4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFD50.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe
"C:\Users\Admin\AppData\Local\Temp\4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe"
4⤵
- Executes dropped EXE
PID:4260

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:3912

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aFD50.bat

Filesize
722B

MD5
33af48ef4a919317aca1503322d71606

SHA1
42500bef23e325a0b3b17d285646d3e1a55eefbc

SHA256
b60b533fee44f511d3a806e929075c5d15e65d481bd451c922c40ed6a9816505

SHA512
268b1bce6f16ffd761c61401c8a405249d59b5fb1ed1a921acccbff1562453efa905e6f58b386e94a09f0c91d18babe96f8dcf0830543b3c5ca28929a5ae601c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe

Filesize
232KB

MD5
0399134531e9f01ad24b1bb7fde49469

SHA1
6ea25938c1ac546ac8fa768acfca145118aa4cfc

SHA256
2f03c822d9dd3ed740cc445810800fdc3a20c5ccfe5d8053bcced3b47b7afa49

SHA512
4076d674db14d196039c0a4956dbf3653b631ab6cae5f03829b0c193b0ecc9e06098acaa3a62600082bf895d2ba512846044c664d6eb5fdc4f7341086c547778

Download Submit
C:\Users\Admin\AppData\Local\Temp\4212ebeed89736eb4b4e23ff66d1cf76f98563881ef04be5f4dc9b1118c18430.exe.exe

Filesize
232KB

MD5
0399134531e9f01ad24b1bb7fde49469

SHA1
6ea25938c1ac546ac8fa768acfca145118aa4cfc

SHA256
2f03c822d9dd3ed740cc445810800fdc3a20c5ccfe5d8053bcced3b47b7afa49

SHA512
4076d674db14d196039c0a4956dbf3653b631ab6cae5f03829b0c193b0ecc9e06098acaa3a62600082bf895d2ba512846044c664d6eb5fdc4f7341086c547778

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
8b135ab7e86da36528896f549b2bc7b2

SHA1
219258ff7edf2b8921eeaf10706f075e5547bdc5

SHA256
84fb0405497a1b7c6e3d88e376088e91f1aa147e3d10790a5a3b8db73c126499

SHA512
feef91f0375ba744f0f9d841e14ac0daedad5871c92155107c27bce945c4b90095cde5ba71e2b10c9df82696659dff1ec10bb7f892a9717207387400a5cb48af

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
8b135ab7e86da36528896f549b2bc7b2

SHA1
219258ff7edf2b8921eeaf10706f075e5547bdc5

SHA256
84fb0405497a1b7c6e3d88e376088e91f1aa147e3d10790a5a3b8db73c126499

SHA512
feef91f0375ba744f0f9d841e14ac0daedad5871c92155107c27bce945c4b90095cde5ba71e2b10c9df82696659dff1ec10bb7f892a9717207387400a5cb48af

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
8b135ab7e86da36528896f549b2bc7b2

SHA1
219258ff7edf2b8921eeaf10706f075e5547bdc5

SHA256
84fb0405497a1b7c6e3d88e376088e91f1aa147e3d10790a5a3b8db73c126499

SHA512
feef91f0375ba744f0f9d841e14ac0daedad5871c92155107c27bce945c4b90095cde5ba71e2b10c9df82696659dff1ec10bb7f892a9717207387400a5cb48af

Download Submit
memory/320-136-0x0000000000000000-mapping.dmp

Download
memory/320-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/320-150-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1584-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1584-134-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1772-149-0x0000000000000000-mapping.dmp

Download
memory/2180-135-0x0000000000000000-mapping.dmp

Download
memory/3196-140-0x0000000000000000-mapping.dmp

Download
memory/3456-133-0x0000000000000000-mapping.dmp

Download
memory/3912-141-0x0000000000000000-mapping.dmp

Download
memory/4072-148-0x0000000000000000-mapping.dmp

Download
memory/4260-145-0x0000000000000000-mapping.dmp

Download
memory/5096-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads