9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Size

823KB
MD5

6a1d04294a323aced762cb4023946f02
SHA1

f7c92ef40d506c9fbe625560c080ea21414a9f20
SHA256

9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb
SHA512

25bfd60fc41260d8438460546358706b691194e85f8695efcda2bf400ab8591c2f1c6e9e32307de2a13779c70d3db4a5983ebb38e2f1fe707f04b5815fa41d95
SSDEEP

12288:ymi/oGGwH/BTqATt9IGeIm0JFg7qFhZjGgxGwPUD0INtcs9w7Ju+esTCmKkUUJ:5i/oMHZ1fm0s0agxGwfINyz7R2m3UG

Score

8^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000005c50-71.dat	aspack_v212_v242
behavioral1/files/0x0008000000005c50-72.dat	aspack_v212_v242
behavioral1/files/0x0008000000012329-73.dat	aspack_v212_v242
behavioral1/files/0x0008000000012301-86.dat	aspack_v212_v242
behavioral1/files/0x0008000000012329-88.dat	aspack_v212_v242
behavioral1/files/0x0008000000012329-89.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1492	f7106984.exe
1596	unurai.exe

Loads dropped DLL 7 IoCs

pid	Process
1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
1976	regsvr32.exe
1492	f7106984.exe
1492	f7106984.exe
1492	f7106984.exe
1596	unurai.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\unurai.exe reg_run"	f7106984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\unurai.exe reg_run"	unurai.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	regsvr32.exe
File opened for modification	\??\PhysicalDrive0	unurai.exe
File opened for modification	\??\PhysicalDrive0	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File opened for modification	\??\PhysicalDrive0	f7106984.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\okotion.dll	unurai.exe
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	unurai.exe
File opened for modification	C:\Windows\SysWOW64\lglrf.dll	unurai.exe
File created	C:\Windows\SysWOW64\vqvbp.dat	f7106984.exe
File opened for modification	C:\Windows\SysWOW64\unurai.exe	f7106984.exe
File created	C:\Windows\SysWOW64\lglrf.dll	f7106984.exe
File created	C:\Windows\SysWOW64\vqvbp.dat	unurai.exe
File opened for modification	C:\Windows\SysWOW64\ocorbmq.exe	unurai.exe
File created	C:\Windows\SysWOW64\wuauclt.dll	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File created	C:\Windows\SysWOW64\vgactl.cpl	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File created	C:\Windows\SysWOW64\okotion.dll	f7106984.exe
File created	C:\Windows\SysWOW64\unurai.exe	f7106984.exe
File created	C:\Windows\SysWOW64\ocorbmq.exe	f7106984.exe
File created	C:\Windows\SysWOW64\unurai.exe	unurai.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\pbplvq.dat	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
File created	C:\Windows\tetyr.dll	f7106984.exe
File opened for modification	C:\Windows\tetyr.dll	f7106984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f7106984.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f7106984.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	unurai.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	f7106984.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	unurai.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7106984.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	unurai.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	unurai.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\CLSID = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\MenuText = "Java"	regsvr32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}\ = "iriuerjr.class"	f7106984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dff40340-90ce-4400-bcd3-bb1b04fee52e}\ProgId\ = "iriuerjr.class"	unurai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}	f7106984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dff40340-90ce-4400-bcd3-bb1b04fee52e}\InProcServer32\ThreadingModel = "Apartment"	unurai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dff40340-90ce-4400-bcd3-bb1b04fee52e}\ProgId	unurai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dff40340-90ce-4400-bcd3-bb1b04fee52e}\ = "iriuerjr.class"	unurai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "Columns class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}\InProcServer32\ = "C:\\Windows\\SysWow64\\lglrf.dll"	f7106984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId\ = "Columns class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\qgqtfxkx	unurai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}\ProgId\ = "iriuerjr.class"	f7106984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\qgqtfxkx\ = "{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}"	f7106984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dff40340-90ce-4400-bcd3-bb1b04fee52e}	unurai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}\InProcServer32\ThreadingModel = "Apartment"	f7106984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}\ProgId	f7106984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dff40340-90ce-4400-bcd3-bb1b04fee52e}\InProcServer32	unurai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a8a49dcf-c229-4f9d-bbcf-38f5960a0eb1}\InProcServer32	f7106984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ = "C:\\Windows\\SysWow64\\wuauclt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\qgqtfxkx	f7106984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dff40340-90ce-4400-bcd3-bb1b04fee52e}\InProcServer32\ = "C:\\Windows\\SysWow64\\lglrf.dll"	unurai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\qgqtfxkx\ = "{dff40340-90ce-4400-bcd3-bb1b04fee52e}"	unurai.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1976	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	26
PID 1248 wrote to memory of 1976	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	26
PID 1248 wrote to memory of 1976	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	26
PID 1248 wrote to memory of 1976	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	26
PID 1248 wrote to memory of 1976	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	26
PID 1248 wrote to memory of 1976	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	26
PID 1248 wrote to memory of 1976	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	26
PID 1248 wrote to memory of 1492	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	27
PID 1248 wrote to memory of 1492	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	27
PID 1248 wrote to memory of 1492	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	27
PID 1248 wrote to memory of 1492	1248	9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe	27
PID 1492 wrote to memory of 1596	1492	f7106984.exe	28
PID 1492 wrote to memory of 1596	1492	f7106984.exe	28
PID 1492 wrote to memory of 1596	1492	f7106984.exe	28
PID 1492 wrote to memory of 1596	1492	f7106984.exe	28

C:\Users\Admin\AppData\Local\Temp\9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe
"C:\Users\Admin\AppData\Local\Temp\9136f6bbd53341da822c423ba591818b03feae3011e2e17688504f999b2f2cbb.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\wuauclt.dll
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\f7106984.exe
  "C:\Users\Admin\AppData\Local\Temp\f7106984.exe" first_run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\unurai.exe
    first_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies registry class
    PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f7106984.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7106984.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Windows\SysWOW64\lglrf.dll

Filesize
130KB

MD5
78d4c669c1f3268b6cfc493e08df9d20

SHA1
bc54b50630a72c86d503f435459112cac1aa9989

SHA256
484e60c78e02266e8857f95511c3f2b2a7714020051b615fc5c8e6c6b1a4c5b7

SHA512
5a6b2904648337b6d32cc42f6aa45733c39f0a3590a2fb8547fc02f367fc882c046ade108e159c07d3f484e37118d4894972b1edf99546ce898f762355712a34

Download Submit
C:\Windows\SysWOW64\ocorbmq.exe

Filesize
163KB

MD5
eabbb6f57dac51f65b7fa7ad44dc0c85

SHA1
70b89bb6eda284e71271f35497f0309cde69fea7

SHA256
7907745f5df59442b6a80ceb8dfbcbf139c41580e5cfad5969c92090b0e711fa

SHA512
fb57dad1ca7957ff11bd915e66035380daf0ab2c78c41592bc0c5b6f326b138940737279e04248497fc58972a805fd5d7583a917f59dfc40b84e3cd2f093ecd3

Download Submit
C:\Windows\SysWOW64\okotion.dll

Filesize
176KB

MD5
e1900e1e64c730073c74c7bd72ef8f3e

SHA1
f2a2faf02d532bf9f2c209d349c580f4525ad19a

SHA256
b792a3a2b46072f6c0ef11cc0e0b4366af25a4a43e5a94476b6e387e765a1e25

SHA512
9256d304e6cfb52a070276d026eb86eec713fa6054092e9d977a5b734f240cc8d767f7f1117347fe4c50f516736339e34839d7614fd603eef4d4a797e1cd0722

Download Submit
C:\Windows\SysWOW64\unurai.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Windows\SysWOW64\unurai.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
C:\Windows\SysWOW64\wuauclt.dll

Filesize
156KB

MD5
6451095f639ab38909988e41432f1a43

SHA1
0d5839203d8b31bb23ab5746019ea45b5545da2c

SHA256
34ce0665cbd0125173995e8051ee5a62dbadeeb6041a1da1b74811db0a41311e

SHA512
cc008c301865028adee899f80223491dd2439bcb812cc66869d1c28d1cb75427c93b3248e2718ab4abef9b5d5895e33cb4f4f3fa24cd302760055dcee4fef7e2

Download Submit
C:\Windows\tetyr.dll

Filesize
34B

MD5
a164db1944ffe469dd95ba9b7f656674

SHA1
92ec5613a9560ef22706f2c8b1935bbd47131ce5

SHA256
caf995ea2c9465786d383b2cc27f7f56107d2010b082044d507ce3dd7442a430

SHA512
b0a54ba99814f94c2afd6d541acee4465fcea8a2efb9134e209b76697c49fd89602c92147e0223257fddd674237110edef3980e1c10f9c262894324c00f39c8e

Download Submit
\Users\Admin\AppData\Local\Temp\f7106984.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
\Users\Admin\AppData\Local\Temp\f7106984.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
\Windows\SysWOW64\lglrf.dll

Filesize
130KB

MD5
78d4c669c1f3268b6cfc493e08df9d20

SHA1
bc54b50630a72c86d503f435459112cac1aa9989

SHA256
484e60c78e02266e8857f95511c3f2b2a7714020051b615fc5c8e6c6b1a4c5b7

SHA512
5a6b2904648337b6d32cc42f6aa45733c39f0a3590a2fb8547fc02f367fc882c046ade108e159c07d3f484e37118d4894972b1edf99546ce898f762355712a34

Download Submit
\Windows\SysWOW64\lglrf.dll

Filesize
130KB

MD5
78d4c669c1f3268b6cfc493e08df9d20

SHA1
bc54b50630a72c86d503f435459112cac1aa9989

SHA256
484e60c78e02266e8857f95511c3f2b2a7714020051b615fc5c8e6c6b1a4c5b7

SHA512
5a6b2904648337b6d32cc42f6aa45733c39f0a3590a2fb8547fc02f367fc882c046ade108e159c07d3f484e37118d4894972b1edf99546ce898f762355712a34

Download Submit
\Windows\SysWOW64\unurai.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
\Windows\SysWOW64\unurai.exe

Filesize
458KB

MD5
a45be0d070560ede89a8fe489ff23c75

SHA1
a306186ff34f3381b8b79ec05dd382a5ae71297a

SHA256
9e640592b917e6aa0108cb050fc2c30ae420f44c9abb333c58a301e60ba6309e

SHA512
1b1eae5fcfb18c951032b9ba74e5ffe8b2f2c4de203c6c7110453731793f3a4b6f94dc4eb9ed6a29b842de49493000c373e1b9ac631901087f6054e47df261e3

Download Submit
\Windows\SysWOW64\wuauclt.dll

Filesize
156KB

MD5
6451095f639ab38909988e41432f1a43

SHA1
0d5839203d8b31bb23ab5746019ea45b5545da2c

SHA256
34ce0665cbd0125173995e8051ee5a62dbadeeb6041a1da1b74811db0a41311e

SHA512
cc008c301865028adee899f80223491dd2439bcb812cc66869d1c28d1cb75427c93b3248e2718ab4abef9b5d5895e33cb4f4f3fa24cd302760055dcee4fef7e2

Download Submit
memory/1248-63-0x0000000002F70000-0x0000000003032000-memory.dmp

Filesize
776KB

Download
memory/1248-54-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1248-94-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1248-93-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1248-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-56-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1248-57-0x0000000002270000-0x0000000002275000-memory.dmp

Filesize
20KB

Download
memory/1248-64-0x0000000002F70000-0x0000000003032000-memory.dmp

Filesize
776KB

Download
memory/1492-79-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1492-68-0x0000000000820000-0x0000000000825000-memory.dmp

Filesize
20KB

Download
memory/1492-66-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1492-67-0x0000000000830000-0x0000000000835000-memory.dmp

Filesize
20KB

Download
memory/1492-80-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/1492-65-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1596-84-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1596-91-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1596-92-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1596-83-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1596-82-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads