b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881

Analysis

max time kernel
125s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Size

797KB
MD5

dcd83bc2a230d56c8503fe376c79b507
SHA1

481a19082db5f6f1b97467aa95815e50987ae4fe
SHA256

b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881
SHA512

a4adc1636c9a5f3cab90e5db784e87490df286b97cee284099556b03d555dd636dcff0fc8b761314b62edb5e02e134b6e1313e85d256fd0dc96fd9ac04ee1a01
SSDEEP

12288:g72bnI+kL72bnI+kDO472bnI+kL72bnI+kDOMYh:g72z072z3472z072z3MYh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1376	avscan.exe
1384	avscan.exe
804	hosts.exe
1540	hosts.exe
2032	avscan.exe
1948	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
1376	avscan.exe
1540	hosts.exe
1540	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
File created	\??\c:\windows\W_X_C.bat	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1700	REG.exe
1320	REG.exe
1912	REG.exe
560	REG.exe
1680	REG.exe
1384	REG.exe
1832	REG.exe
1836	REG.exe
1472	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1376	avscan.exe
1540	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
1376	avscan.exe
1384	avscan.exe
1540	hosts.exe
804	hosts.exe
2032	avscan.exe
1948	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1472	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	26
PID 1524 wrote to memory of 1472	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	26
PID 1524 wrote to memory of 1472	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	26
PID 1524 wrote to memory of 1472	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	26
PID 1524 wrote to memory of 1376	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	28
PID 1524 wrote to memory of 1376	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	28
PID 1524 wrote to memory of 1376	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	28
PID 1524 wrote to memory of 1376	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	28
PID 1376 wrote to memory of 1384	1376	avscan.exe	29
PID 1376 wrote to memory of 1384	1376	avscan.exe	29
PID 1376 wrote to memory of 1384	1376	avscan.exe	29
PID 1376 wrote to memory of 1384	1376	avscan.exe	29
PID 1376 wrote to memory of 2020	1376	avscan.exe	30
PID 1376 wrote to memory of 2020	1376	avscan.exe	30
PID 1376 wrote to memory of 2020	1376	avscan.exe	30
PID 1376 wrote to memory of 2020	1376	avscan.exe	30
PID 1524 wrote to memory of 1980	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	31
PID 1524 wrote to memory of 1980	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	31
PID 1524 wrote to memory of 1980	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	31
PID 1524 wrote to memory of 1980	1524	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	31
PID 1980 wrote to memory of 804	1980	cmd.exe	35
PID 1980 wrote to memory of 804	1980	cmd.exe	35
PID 1980 wrote to memory of 804	1980	cmd.exe	35
PID 1980 wrote to memory of 804	1980	cmd.exe	35
PID 2020 wrote to memory of 1540	2020	cmd.exe	34
PID 2020 wrote to memory of 1540	2020	cmd.exe	34
PID 2020 wrote to memory of 1540	2020	cmd.exe	34
PID 2020 wrote to memory of 1540	2020	cmd.exe	34
PID 2020 wrote to memory of 896	2020	cmd.exe	37
PID 2020 wrote to memory of 896	2020	cmd.exe	37
PID 2020 wrote to memory of 896	2020	cmd.exe	37
PID 2020 wrote to memory of 896	2020	cmd.exe	37
PID 1980 wrote to memory of 756	1980	cmd.exe	36
PID 1980 wrote to memory of 756	1980	cmd.exe	36
PID 1980 wrote to memory of 756	1980	cmd.exe	36
PID 1980 wrote to memory of 756	1980	cmd.exe	36
PID 1540 wrote to memory of 2032	1540	hosts.exe	38
PID 1540 wrote to memory of 2032	1540	hosts.exe	38
PID 1540 wrote to memory of 2032	1540	hosts.exe	38
PID 1540 wrote to memory of 2032	1540	hosts.exe	38
PID 1540 wrote to memory of 1960	1540	hosts.exe	39
PID 1540 wrote to memory of 1960	1540	hosts.exe	39
PID 1540 wrote to memory of 1960	1540	hosts.exe	39
PID 1540 wrote to memory of 1960	1540	hosts.exe	39
PID 1960 wrote to memory of 1948	1960	cmd.exe	41
PID 1960 wrote to memory of 1948	1960	cmd.exe	41
PID 1960 wrote to memory of 1948	1960	cmd.exe	41
PID 1960 wrote to memory of 1948	1960	cmd.exe	41
PID 1960 wrote to memory of 956	1960	cmd.exe	42
PID 1960 wrote to memory of 956	1960	cmd.exe	42
PID 1960 wrote to memory of 956	1960	cmd.exe	42
PID 1960 wrote to memory of 956	1960	cmd.exe	42
PID 1376 wrote to memory of 560	1376	avscan.exe	43
PID 1376 wrote to memory of 560	1376	avscan.exe	43
PID 1376 wrote to memory of 560	1376	avscan.exe	43
PID 1376 wrote to memory of 560	1376	avscan.exe	43
PID 1540 wrote to memory of 1912	1540	hosts.exe	45
PID 1540 wrote to memory of 1912	1540	hosts.exe	45
PID 1540 wrote to memory of 1912	1540	hosts.exe	45
PID 1540 wrote to memory of 1912	1540	hosts.exe	45
PID 1376 wrote to memory of 1680	1376	avscan.exe	47
PID 1376 wrote to memory of 1680	1376	avscan.exe	47
PID 1376 wrote to memory of 1680	1376	avscan.exe	47
PID 1376 wrote to memory of 1680	1376	avscan.exe	47

C:\Users\Admin\AppData\Local\Temp\b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
"C:\Users\Admin\AppData\Local\Temp\b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:956
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1912
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1700
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1320
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1832
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:896
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:560
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1680
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1384
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:804
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.6MB

MD5
a812dada69d3432dc9276f8360e3b999

SHA1
0e971d2bcc62052e86e855e9aab9c5ed187cc955

SHA256
f1cce6ae1ada7621885aa729ab56345a36abe99553544a9053e1c410cbaa31a0

SHA512
9e874f86a5cc291627b11074c8f5f437ab99c480eebc1e3e065b4da896117335c525d0561da302d34bd05ca31be19334e4994277259d351fa4dd030b179eae54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.2MB

MD5
c43d45636d0131fb749b184c22d31ddc

SHA1
e360df15f22b0a6dc504ec18bcc857a8d8486d5e

SHA256
bb0db1daf424a209c0a361d7f7011f0436b3baf67aaa2b01b7205182a7898429

SHA512
cf00e17700c818c9d633c2b07acecaed385e227068f941e589af6c5d7c58d6ac2cab1cce5597f8a4fe1f0069631d719786e289ede210dd734bc509e0fe2d5752

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.2MB

MD5
c43d45636d0131fb749b184c22d31ddc

SHA1
e360df15f22b0a6dc504ec18bcc857a8d8486d5e

SHA256
bb0db1daf424a209c0a361d7f7011f0436b3baf67aaa2b01b7205182a7898429

SHA512
cf00e17700c818c9d633c2b07acecaed385e227068f941e589af6c5d7c58d6ac2cab1cce5597f8a4fe1f0069631d719786e289ede210dd734bc509e0fe2d5752

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.7MB

MD5
abc7a1152b35187c010785028ab60f2f

SHA1
b7db6415b2bc66f9f4e05a1b42255a5e4c3c4e22

SHA256
560bde67cc7ac39a1ba74aaf71e5c00a23cf122f4da6aa3626698afe9c7d9b4a

SHA512
fab6e2cf61eca2ee38266fe1cbcaa357c9f393d8ef0389e2191e3c5aa3df462bee614e8ee297c96345f74b3a2e08e89de63f7fbd79dd2743e30eb2f9dd7e2086

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
6.3MB

MD5
28f55a39f457ee2f33ee9041ca9c8248

SHA1
57b3fe3301e1af31d325cbfb0ff2c0a798bd093f

SHA256
a1cd83f2c49c0eb88006b08fee7cb636da6b899628679f121d3f44e0fdcd34d0

SHA512
b73f443e9a50ad715e2bfe80b089b23d98b4369980efb89e3968a0385ff36020f80bef64ad5544a5f41e924d584b8921d24e19815ab75da29656ab8dbfbc848c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
6.3MB

MD5
141598a2dfbb7bfed7ac45b47e38c5f4

SHA1
a54544c195e5da535d4048edcd84bcade9bf0cf7

SHA256
4adde24f90d4aa7f65aa65c62b41cec2855e4bd733f934f278a03d059a90d2ee

SHA512
2522a67c34806879994494200d6fa0e60323022c2853eb87355a8eb5b106fca9d59938c9b86f7c453e3391256c9ec2ce1563c8aeb6340264e1efad642d02aee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
5a315332d416190be6629ca91851c697

SHA1
564f17c2abbca1b4fee5564c3c35beb033dcda5f

SHA256
2cfda18b6e9cd1cddbcb578cbaaa663be70a589619cc0421b62c6553a13cc686

SHA512
950b69024356be9ecdabe49ac926d5df72ee500eebbae766459df93959bccc4248253459131ac59d50824b8018a6cebf5a1b2b465ef24d9f5500e6b1347cca4d

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
5a315332d416190be6629ca91851c697

SHA1
564f17c2abbca1b4fee5564c3c35beb033dcda5f

SHA256
2cfda18b6e9cd1cddbcb578cbaaa663be70a589619cc0421b62c6553a13cc686

SHA512
950b69024356be9ecdabe49ac926d5df72ee500eebbae766459df93959bccc4248253459131ac59d50824b8018a6cebf5a1b2b465ef24d9f5500e6b1347cca4d

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
5a315332d416190be6629ca91851c697

SHA1
564f17c2abbca1b4fee5564c3c35beb033dcda5f

SHA256
2cfda18b6e9cd1cddbcb578cbaaa663be70a589619cc0421b62c6553a13cc686

SHA512
950b69024356be9ecdabe49ac926d5df72ee500eebbae766459df93959bccc4248253459131ac59d50824b8018a6cebf5a1b2b465ef24d9f5500e6b1347cca4d

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
5a315332d416190be6629ca91851c697

SHA1
564f17c2abbca1b4fee5564c3c35beb033dcda5f

SHA256
2cfda18b6e9cd1cddbcb578cbaaa663be70a589619cc0421b62c6553a13cc686

SHA512
950b69024356be9ecdabe49ac926d5df72ee500eebbae766459df93959bccc4248253459131ac59d50824b8018a6cebf5a1b2b465ef24d9f5500e6b1347cca4d

Download Submit
C:\windows\hosts.exe

Filesize
797KB

MD5
5a315332d416190be6629ca91851c697

SHA1
564f17c2abbca1b4fee5564c3c35beb033dcda5f

SHA256
2cfda18b6e9cd1cddbcb578cbaaa663be70a589619cc0421b62c6553a13cc686

SHA512
950b69024356be9ecdabe49ac926d5df72ee500eebbae766459df93959bccc4248253459131ac59d50824b8018a6cebf5a1b2b465ef24d9f5500e6b1347cca4d

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
0d6b56e1747af9e629ad9aedad7d97a5

SHA1
6143f2411031456b0af339a4495757497e6ce633

SHA256
00491d0c48dc94f290440241f9ac97cc0974230e28255c895e713e0212b08a00

SHA512
4e82c9f23ddb0203121475c0dfc0a93538c7db9eb717bf4d63bd82e3ff8f29e25b1a5f762b42dd68d6aa37ebad48bc74e97c28c02b904f72a35067e723b8f9ba

Download Submit
memory/1524-56-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1524-58-0x0000000074001000-0x0000000074003000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads