a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

Analysis

max time kernel
149s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
Size

37KB
MD5

6a9b56c8fd4c7770dfb41e5433c16172
SHA1

7dea721577d883078f44992c379d76a64882f044
SHA256

a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b
SHA512

f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322
SSDEEP

768:8Fm6exx/Dx9WyctstBseLEDR0To3YZ0ed06vxqaHraKeM:N6KlD+y60B9LEDR06YWeRxqal

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	Trojan.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1096	netsh.exe
1348	netsh.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	wscript.exe

Loads dropped DLL 4 IoCs

pid	Process
1640	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
1640	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
1880	wscript.exe
1880	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	wscript.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 61 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.A\CLSID	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.A\ = "ojrkpmwyngm.A"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\Implemented Categories	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\ = "mscoree.dll"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\Class = "ojrkpmwyngm.jkrgdtkxiod"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\0.0.0.0\Assembly = "ojrkpmwyngm, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\Implemented Categories	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\ProgId\ = "ojrkpmwyngm.A"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\Class = "ojrkpmwyngm.A"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\Assembly = "ojrkpmwyngm, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\ProgId	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\0.0.0.0	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.A\CLSID	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.jkrgdtkxiod\CLSID	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\0.0.0.0	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.jkrgdtkxiod	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\Assembly = "ojrkpmwyngm, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\Implemented Categories	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.jkrgdtkxiod\CLSID\ = "{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\0.0.0.0	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.jkrgdtkxiod	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\0.0.0.0\Assembly = "ojrkpmwyngm, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.A	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.A	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\RuntimeVersion = "v2.0.50727"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}\0 = ".NET Category"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\ = "ojrkpmwyngm.jkrgdtkxiod"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\ThreadingModel = "Both"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\0.0.0.0\Class = "ojrkpmwyngm.A"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.jkrgdtkxiod\CLSID	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\ProgId	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\ProgId	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\InprocServer32\ = "mscoree.dll"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\ThreadingModel = "Both"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\RuntimeVersion = "v2.0.50727"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\0.0.0.0	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\ProgId\ = "ojrkpmwyngm.jkrgdtkxiod"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\ProgId	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}\ = "ojrkpmwyngm.A"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\Implemented Categories	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.A\CLSID\ = "{D1668702-FF54-3DD1-ACA2-178FDA5EDF30}"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ojrkpmwyngm.jkrgdtkxiod\ = "ojrkpmwyngm.jkrgdtkxiod"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F16F49A-105F-3E1A-8163-4DF5C1B2193A}\InprocServer32\0.0.0.0\Class = "ojrkpmwyngm.jkrgdtkxiod"	Trojan.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2008	1640	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe	28
PID 1640 wrote to memory of 2008	1640	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe	28
PID 1640 wrote to memory of 2008	1640	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe	28
PID 1640 wrote to memory of 2008	1640	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe	28
PID 2008 wrote to memory of 1096	2008	Trojan.exe	29
PID 2008 wrote to memory of 1096	2008	Trojan.exe	29
PID 2008 wrote to memory of 1096	2008	Trojan.exe	29
PID 2008 wrote to memory of 1096	2008	Trojan.exe	29
PID 2008 wrote to memory of 1348	2008	Trojan.exe	30
PID 2008 wrote to memory of 1348	2008	Trojan.exe	30
PID 2008 wrote to memory of 1348	2008	Trojan.exe	30
PID 2008 wrote to memory of 1348	2008	Trojan.exe	30
PID 2008 wrote to memory of 1880	2008	Trojan.exe	33
PID 2008 wrote to memory of 1880	2008	Trojan.exe	33
PID 2008 wrote to memory of 1880	2008	Trojan.exe	33
PID 2008 wrote to memory of 1880	2008	Trojan.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe
"C:\Users\Admin\AppData\Local\Temp\a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1640
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2008
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1096
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1348
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\SysWOW64\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan.vbe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
37KB

MD5
6a9b56c8fd4c7770dfb41e5433c16172

SHA1
7dea721577d883078f44992c379d76a64882f044

SHA256
a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

SHA512
f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
37KB

MD5
6a9b56c8fd4c7770dfb41e5433c16172

SHA1
7dea721577d883078f44992c379d76a64882f044

SHA256
a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

SHA512
f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.vbe

Filesize
54B

MD5
fd41c177aabd698ae4a50f161e329d26

SHA1
117422a4b7a4022a14bc5d07ea0a5b1ae7a10ebc

SHA256
1a5de68db22379417c286d7af5b983f2c77c6889e127714fa78d1994c706b5b1

SHA512
0fbf0ec3354b781e7ba5898569bd269f9c8bc5aed436f869742ae428e8209bce1d2f299948d0edd190321935a4080ffe61ed7e9dfa646cf09f763eb7325101bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe

Filesize
37KB

MD5
6a9b56c8fd4c7770dfb41e5433c16172

SHA1
7dea721577d883078f44992c379d76a64882f044

SHA256
a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

SHA512
f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
37KB

MD5
6a9b56c8fd4c7770dfb41e5433c16172

SHA1
7dea721577d883078f44992c379d76a64882f044

SHA256
a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

SHA512
f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
37KB

MD5
6a9b56c8fd4c7770dfb41e5433c16172

SHA1
7dea721577d883078f44992c379d76a64882f044

SHA256
a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

SHA512
f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
37KB

MD5
6a9b56c8fd4c7770dfb41e5433c16172

SHA1
7dea721577d883078f44992c379d76a64882f044

SHA256
a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

SHA512
f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
37KB

MD5
6a9b56c8fd4c7770dfb41e5433c16172

SHA1
7dea721577d883078f44992c379d76a64882f044

SHA256
a4519155a5f2cfde6818259b47f4371fa62e17955e62dbbbf9b13051ac39d19b

SHA512
f488baf1cb7300486b5a2c27693bf4993ffcd8b7122a898f9ac4cd5bec3419f7b48d1613d21ae6a806293403ec51be1dd3eba6967279167d57fe298e82554322

Download Submit
memory/1640-63-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1880-72-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-75-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-66-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-73-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads