banload | 27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83

Analysis

max time kernel
200s
max time network
254s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Size

3.2MB
MD5

9d939a0e0267199dfe00ca6b67ce55ef
SHA1

25b73d95aeacbddd582f2368925c816c40a6dee0
SHA256

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83
SHA512

050a623d9e6c8ab814ae89a9e510b1d1962b96d6905d1c3ca5efbebf4c673d843ec05f9f2688d22c45c69f9b914d65ca09fc9122bb597fdecfed69982efac7e3
SSDEEP

98304:XXz+eBX1C5Bs75yAsqAq01usThU1Amx6PRJTLuG:nKeV1CcZLF0Y+OmmxYCG

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

codec_installer.execodec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	codec_installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	codec.exe

Executes dropped EXE 5 IoCs

Processes:

codec.execodec_installer.execodec.execodec_installer.execodec.exe

pid process

1944 codec.exe
1144 codec_installer.exe
1780 codec.exe
1880 codec_installer.exe
1924 codec.exe

pid	process
1944	codec.exe
1144	codec_installer.exe
1780	codec.exe
1880	codec_installer.exe
1924	codec.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

codec.execodec_installer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	codec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	codec_installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	codec_installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	codec.exe

Loads dropped DLL 6 IoCs

Processes:

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.execodec.execodec_installer.execodec.exe

pid	process
1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
1944	codec.exe
1144	codec_installer.exe
1780	codec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

Processes:

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Àðáèòðàæíûé ñóä\Ïðèëîæåíèå Àðáèòðàæíîãî ñóäà\oops.exe	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 37 IoCs

Processes:

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.execodec_installer.execodec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open\command	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\DefaultIcon	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\ = "Task Management Module"	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\RnJdiyif = "U]Bxbc{ejYpJVYblYsQ_l"	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\mzKqOSPwnjz = "]Y\\M@~BiOSiYsleF"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\qRdtuteyZvba = "Vc{w`_Zgh`oongXpjdy`OnnpGpgb\x7f\x7f{m"	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\jjSDmigfxn = "J_Nj\x7f\x7fsz\\`LL~r@"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\DefaultIcon\ = "C:\\Program Files (x86)\\Àðáèòðàæíûé ñóä\\Ïðèëîæåíèå Àðáèòðàæíîãî ñóäà\\oops.exe,0"	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Verb\0	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\jjSDmigfxn = "J_Nk\x7f\x7fsz\\hxy_[\\"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\nnuzg = "n@pQZd]hgWKOUYBzUXv`Wr]WKkR@CL"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\mzKqOSPwnjz = "nHJp`FvQAxn\|qSN~"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\jjSDmigfxn = "ahbztnMDuf^_Zu@"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Verb\1	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\nnuzg = "nNN\\\x7f\x7fzPT@hyY_xDEHw`Fy\\C}qqVWP"	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\MjNJwretm = "NznyWp_pvwJ{oOEaku^r{\\zcdXvOm"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\RnJdiyif = "uXq\\~NSRdGEte`ZW@p}mM"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Verb\1\ = "&Open,0,2"	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\qRdtuteyZvba = "~Ka]do}vtijFVbrgZ`AjyjR~W~vcFZ_W"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\RnJdiyif = "uXq\\~NSRdGute`ZW@pMmM"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\jjSDmigfxn = "ahbytnMDuk_erq\\"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbf	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Verb\0\ = "&Edit,0,2"	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\SNuZkmds = "@]oXRrCBQpoWd^bCnu\x7f~KzsW"	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\jjSDmigfxn = "J_Ni\x7f\x7fsz\\mMvVv\\"	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open\command\ = "C:\\Program Files (x86)\\Àðáèòðàæíûé ñóä\\Ïðèëîæåíèå Àðáèòðàæíîãî ñóäà\\oops.exe \"%1\""	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\RnJdiyif = "U]Bxbc{ejY@JVYblYsa_l"	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbf\ = "cbffile"	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Verb	codec_installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\MjNJwretm = "eCTKR[XrhZ[Qze[\\NJMYrBixzkRac"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\SNuZkmds = "E^M~oiGzCSjTeR\\H_xZnnxyJ"	codec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\{60E9EACB-8A22-13D1-B2E4-0060975B8649}\jjSDmigfxn = "ahbxtnMDuckPSX@"	codec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

codec.exe

pid process

1780 codec.exe

pid	process
1780	codec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

codec_installer.execodec.exe

description	pid	process
Token: 33	1880	codec_installer.exe
Token: SeIncBasePriorityPrivilege	1880	codec_installer.exe
Token: 33	1880	codec_installer.exe
Token: SeIncBasePriorityPrivilege	1880	codec_installer.exe
Token: 33	1780	codec.exe
Token: SeIncBasePriorityPrivilege	1780	codec.exe
Token: 33	1780	codec.exe
Token: SeIncBasePriorityPrivilege	1780	codec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.execodec.execodec_installer.exe

description	pid	process	target process
PID 1192 wrote to memory of 1944	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec.exe
PID 1192 wrote to memory of 1944	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec.exe
PID 1192 wrote to memory of 1944	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec.exe
PID 1192 wrote to memory of 1944	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec.exe
PID 1192 wrote to memory of 1144	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 1192 wrote to memory of 1144	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 1192 wrote to memory of 1144	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 1192 wrote to memory of 1144	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 1192 wrote to memory of 1144	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 1192 wrote to memory of 1144	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 1192 wrote to memory of 1144	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1192 wrote to memory of 1700	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	WScript.exe
PID 1192 wrote to memory of 1700	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	WScript.exe
PID 1192 wrote to memory of 1700	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	WScript.exe
PID 1192 wrote to memory of 1700	1192	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	WScript.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1144 wrote to memory of 1880	1144	codec_installer.exe	codec_installer.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe
PID 1944 wrote to memory of 1780	1944	codec.exe	codec.exe

C:\Users\Admin\AppData\Local\Temp\27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
"C:\Users\Admin\AppData\Local\Temp\27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe" runas
4⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe" runas
5⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
"C:\Users\Admin\AppData\Local\Temp\codec_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
"C:\Users\Admin\AppData\Local\Temp\codec_installer.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\error.vbs"
2⤵
PID:1700

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP\RAIDTest
Filesize
4B

MD5
959dedb23f3421e58d16c60eff6a367b

SHA1
7bdb5d6220d393c9020ba05bedeedb7fbb31b6ab

SHA256
205549d84f02f8d00a6547a0259b5ce7728d3af0a248cac8a6d3fcda2b287ce0

SHA512
c8151442fb6e2f0437550eb3e99f696f9fbd41230ee47d5de41223e2ad62e23bc1e7a05afb05d4a978b147f313fc9220282619d9b0dee594644573be22fbb491

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.vbs
Filesize
143B

MD5
e607596ab74fe74b9476affbdd6c1b13

SHA1
e3b6975f483da4a24c729cb37e5421184dc63392

SHA256
82668703d21f77ba26104eb17ce4def042a11981cd0c403294a9a1b0091940fd

SHA512
ed0713b0945e7c5aed88baedfec9c16214078d27325a722792e2726677e0f3c819d0ab0c22c14a354c4b5ed8bdd58829f057a52253759a1b27ce8d6cbf240cf3

Download Submit
\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
memory/1144-71-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1144-61-0x0000000000000000-mapping.dmp

Download
memory/1144-96-0x0000000002780000-0x00000000029CA000-memory.dmp

Filesize
2.3MB

Download
memory/1192-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1192-70-0x00000000031E0000-0x000000000342A000-memory.dmp

Filesize
2.3MB

Download
memory/1192-68-0x00000000031C0000-0x00000000034D7000-memory.dmp

Filesize
3.1MB

Download
memory/1700-77-0x0000000000000000-mapping.dmp

Download
memory/1780-110-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1780-130-0x0000000000409000-0x000000000040A000-memory.dmp

Filesize
4KB

Download
memory/1780-64-0x0000000000000000-mapping.dmp

Download
memory/1780-156-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/1780-94-0x0000000002690000-0x000000000289C000-memory.dmp

Filesize
2.0MB

Download
memory/1780-80-0x0000000002690000-0x000000000289C000-memory.dmp

Filesize
2.0MB

Download
memory/1780-155-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/1780-141-0x0000000000428000-0x0000000000429000-memory.dmp

Filesize
4KB

Download
memory/1780-99-0x0000000002690000-0x000000000289C000-memory.dmp

Filesize
2.0MB

Download
memory/1780-142-0x000000000041E000-0x000000000041F000-memory.dmp

Filesize
4KB

Download
memory/1780-143-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1780-154-0x000000000040A000-0x000000000040B000-memory.dmp

Filesize
4KB

Download
memory/1780-144-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/1780-145-0x0000000000445000-0x0000000000446000-memory.dmp

Filesize
4KB

Download
memory/1780-146-0x000000000044B000-0x000000000044C000-memory.dmp

Filesize
4KB

Download
memory/1780-72-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1780-108-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1780-109-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1780-147-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/1780-111-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1780-121-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1780-122-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/1780-123-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/1780-124-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/1780-125-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/1780-126-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1780-128-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/1780-127-0x000000000040D000-0x000000000040E000-memory.dmp

Filesize
4KB

Download
memory/1780-129-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/1780-148-0x0000000000417000-0x0000000000418000-memory.dmp

Filesize
4KB

Download
memory/1780-131-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/1780-132-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/1780-133-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1780-134-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1780-135-0x000000000041B000-0x000000000041C000-memory.dmp

Filesize
4KB

Download
memory/1780-136-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/1780-137-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/1780-138-0x0000000000415000-0x0000000000416000-memory.dmp

Filesize
4KB

Download
memory/1780-139-0x0000000000426000-0x0000000000427000-memory.dmp

Filesize
4KB

Download
memory/1780-140-0x0000000000427000-0x0000000000428000-memory.dmp

Filesize
4KB

Download
memory/1780-153-0x000000000042A000-0x000000000042B000-memory.dmp

Filesize
4KB

Download
memory/1780-152-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1780-151-0x000000000042C000-0x000000000042D000-memory.dmp

Filesize
4KB

Download
memory/1780-150-0x0000000000429000-0x000000000042A000-memory.dmp

Filesize
4KB

Download
memory/1780-149-0x0000000000446000-0x0000000000447000-memory.dmp

Filesize
4KB

Download
memory/1880-102-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1880-76-0x0000000000000000-mapping.dmp

Download
memory/1880-106-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1880-105-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/1880-104-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1880-103-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1880-87-0x00000000029A0000-0x0000000002BAC000-memory.dmp

Filesize
2.0MB

Download
memory/1880-100-0x00000000029A0000-0x0000000002BAC000-memory.dmp

Filesize
2.0MB

Download
memory/1880-83-0x0000000000519000-0x000000000051A000-memory.dmp

Filesize
4KB

Download
memory/1880-97-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1880-95-0x00000000029A0000-0x0000000002BAC000-memory.dmp

Filesize
2.0MB

Download
memory/1924-523-0x0000000000000000-mapping.dmp

Download
memory/1944-69-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1944-526-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1944-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads