0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54

Analysis

max time kernel
52s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
Size

490KB
MD5

6730e7c6e485f78d49ea6d09f4e54284
SHA1

170648fd01ef4b8ba87bdeab049cde93b66232f2
SHA256

0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54
SHA512

a477d3e15642b7bb72ca76f21fd771a9bb2f1df4d6276ea3aaa6e444669625145f2f2ccd2a5f67209f4ab919c7c76bfc12fef9f9b72903002de7c7fea1fa552a
SSDEEP

12288:NHXbLcPhdKPG0pdR3RKly3aqvVHjYQVnY+SOWcs0zZ:NHrWGGlMT9HMQy+SOWcs0z

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\npf.sys	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
992	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
948	real.exe
1320	svch0st.exe
1552	tem.exe

Loads dropped DLL 14 IoCs

pid	Process
1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
948	real.exe
948	real.exe
948	real.exe
948	real.exe
1552	tem.exe
1320	svch0st.exe
1320	svch0st.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vook.sys	svch0st.exe
File opened for modification	C:\Windows\SysWOW64\vook.sys	svch0st.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File created	C:\Windows\bwaw.dll	svch0st.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
952	1320	WerFault.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	svch0st.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	svch0st.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	632	rundll32.exe
Token: SeRestorePrivilege	632	rundll32.exe
Token: SeRestorePrivilege	632	rundll32.exe
Token: SeRestorePrivilege	632	rundll32.exe
Token: SeRestorePrivilege	632	rundll32.exe
Token: SeRestorePrivilege	632	rundll32.exe
Token: SeRestorePrivilege	632	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
992	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
992	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
992	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
992	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
1320	svch0st.exe
992	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
948	real.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 992	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	26
PID 1352 wrote to memory of 992	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	26
PID 1352 wrote to memory of 992	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	26
PID 1352 wrote to memory of 992	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	26
PID 1352 wrote to memory of 948	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	27
PID 1352 wrote to memory of 948	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	27
PID 1352 wrote to memory of 948	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	27
PID 1352 wrote to memory of 948	1352	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	27
PID 948 wrote to memory of 1320	948	real.exe	28
PID 948 wrote to memory of 1320	948	real.exe	28
PID 948 wrote to memory of 1320	948	real.exe	28
PID 948 wrote to memory of 1320	948	real.exe	28
PID 1320 wrote to memory of 320	1320	svch0st.exe	29
PID 1320 wrote to memory of 320	1320	svch0st.exe	29
PID 1320 wrote to memory of 320	1320	svch0st.exe	29
PID 1320 wrote to memory of 320	1320	svch0st.exe	29
PID 320 wrote to memory of 632	320	cmd.exe	32
PID 320 wrote to memory of 632	320	cmd.exe	32
PID 320 wrote to memory of 632	320	cmd.exe	32
PID 320 wrote to memory of 632	320	cmd.exe	32
PID 320 wrote to memory of 632	320	cmd.exe	32
PID 320 wrote to memory of 632	320	cmd.exe	32
PID 320 wrote to memory of 632	320	cmd.exe	32
PID 948 wrote to memory of 1552	948	real.exe	33
PID 948 wrote to memory of 1552	948	real.exe	33
PID 948 wrote to memory of 1552	948	real.exe	33
PID 948 wrote to memory of 1552	948	real.exe	33
PID 632 wrote to memory of 1172	632	rundll32.exe	34
PID 632 wrote to memory of 1172	632	rundll32.exe	34
PID 632 wrote to memory of 1172	632	rundll32.exe	34
PID 632 wrote to memory of 1172	632	rundll32.exe	34
PID 1172 wrote to memory of 1476	1172	runonce.exe	35
PID 1172 wrote to memory of 1476	1172	runonce.exe	35
PID 1172 wrote to memory of 1476	1172	runonce.exe	35
PID 1172 wrote to memory of 1476	1172	runonce.exe	35
PID 1320 wrote to memory of 952	1320	svch0st.exe	38
PID 1320 wrote to memory of 952	1320	svch0st.exe	38
PID 1320 wrote to memory of 952	1320	svch0st.exe	38
PID 1320 wrote to memory of 952	1320	svch0st.exe	38

C:\Users\Admin\AppData\Local\Temp\0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
"C:\Users\Admin\AppData\Local\Temp\0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
  "C:\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:992
- C:\Users\Admin\AppData\Local\Temp\real.exe
  "C:\Users\Admin\AppData\Local\Temp\real.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\svch0st.exe
    "C:\Users\Admin\AppData\Local\Temp\svch0st.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c _wpcap_.bat
      4⤵
      Drops file in Drivers directory
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1496
      4⤵
      Loads dropped DLL
      Program crash
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\tem.exe
    "C:\Users\Admin\AppData\Local\Temp\tem.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1552

C:\Windows\system32\ctfmon.exe
ctfmon.exe
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UserTemp.dll

Filesize
56KB

MD5
e8a0472f5e9c72a63ef2413fb1d8f643

SHA1
3c3c04711ee2b422a9e210e5b741cc7d9c68d026

SHA256
9bdfd7507b5217818bc725853bafd887c7d09c1a1ba5b8659e918ad1c50119de

SHA512
23c34097328f534bbf57b361158b83e317b3f3126b62e76b01b870887436c6707a91c45671272f94d391a51a96f692c5da6b3b8990c4db1c5e53e24b28e57eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WanPacket.dll

Filesize
60KB

MD5
12aa2da30d1d2889511b4c1d14fb99b9

SHA1
e6d09e7581565d5e83563e23027784348fd188ca

SHA256
3064ea133646c4dbfbe750abbf836492a016b319783bc8166825e0783fd6e462

SHA512
6a732791d1c54098b4b143e03d21ecdd360d1b629d10afc442eeed5e7aae7ad877019f7a1bcf354d9d563f66083fbb9a66b1fde1ab34ac125d188a8f226e9ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_wpcap_.bat

Filesize
159B

MD5
372f15133b73a0e987967b10e2831c99

SHA1
e316a79fb7710fd025a92b4a729eb5673dc76abe

SHA256
af40c90cae9231d22eb0aa8b65c1326c5e025bde495804356dc1786fb0252d2b

SHA512
1aedd6c4deddcfa28e091f55f03944da7f90a5252b1b535d2a446c4cdbe06117575c5e34326b2042b0c54ad045ebe01ed848e2509e0d8ec38a5429c233a6565a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf

Filesize
216B

MD5
f70ffd2ad84beff11224c979d680c39c

SHA1
ac253f1e7c600b837100b82ff27b7e3fb45b9ec6

SHA256
e1789abdf113497512319ae9ace50c4f7ebea905e7bfab302dc77351cf0ddc76

SHA512
3c627a1f04e2444acf78c2e763a589b0e10d058881e398dca50e57a6882f1c1a453283cf03c9e058ede6db4240658261a10a702af5e1a2ce13c3148ec5663477

Download Submit
C:\Users\Admin\AppData\Local\Temp\npf.sys

Filesize
31KB

MD5
d21fee8db254ba762656878168ac1db6

SHA1
a394b1bc33a3c678e4b6b3c55373468e6afa7b28

SHA256
3694aa2145af617c47a7b506bd3d22824659ca3bf1680d220892cac4bd0fc846

SHA512
c6e366be16e5614313c8ec394cbeda11df8cd57726fec2249db5d7d0f4266a38e2bc7873b9ea38e820bdf96e6e14619d9e6f2092dcbed4932389ec89bd0c2204

Download Submit
C:\Users\Admin\AppData\Local\Temp\packet.dll

Filesize
80KB

MD5
ab652dab12afdad853fd59207dd2d68b

SHA1
0969ebf80723c3f5889dc9d9b94872d4b474c89e

SHA256
19c6e6603021586092dcedf5592865cdda5cae1ee1db00343cdd523e399b0d65

SHA512
c5fd05fd866fcf17ec1173a049ea03db01301a3fa9073dfeafb6bc11a56f716eb9385fc1ceec7a80f41c1673aea5ba00dc6f8b6c41883c366a27c2d61ad24e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Filesize
131KB

MD5
2635509cd067a0fd64669124ffd044bc

SHA1
256087ef39efac57959542d4ae75282b3def1879

SHA256
db09d660280c58b0353843e760b59d81a55870c3ab520626b683be56276595ee

SHA512
2938d6b5a96ab7f5ff7b7a180d268f57f7b07ebe4a1dd91e012be5b36aa443af94785b308b7537bc45bdb708cc16d9f73c9e61322ee912b958c430f266023c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\real.exe

Filesize
273KB

MD5
ba40eaba3bf9aa79295506b7f1b2235e

SHA1
7cd2a220b88831034546fdbe0c9e2c1fe4cf0e9b

SHA256
3c5b37d57a3416e3c9af83d41eca2bf035399a36f5da9e4207083c2da84c2bba

SHA512
84b5b3bfeb07e00ed1c50ea32c6fc7eafb6f12ced4aa17919e17ec087a1f63a8ceb4f007e794b1920719927bc1a271a4e5d56a9c8c2137301144fcd5c6bd6bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.exe

Filesize
25KB

MD5
bbc43447dfb941aaf22201c21b5cfd18

SHA1
a96dcfded13ad03cd4f28dcf54b2c00a866df1e5

SHA256
cac2824745aef60cf3a998bb3317df9cb018fc9061ac19c762a774af3004b8c3

SHA512
df52813362f24fde43c4a7c5d18225cca601c5fbfee0c17801098abdca886b1864e3c38bd6f3ac28a4bed5bf69b4879b8f86fb418e1335eb39d3f5bf84489e3a

Download Submit
C:\Windows\bwaw.dll

Filesize
36KB

MD5
3588fb3313d5d6ab7a055dc42790db0a

SHA1
1adbbca1521e72a6ab096ddfd31f4918139b9fa3

SHA256
08ed46ec794adce770e9783fc431c8322b3dda40d97158dc5d463b4591581d32

SHA512
332fdfdfcc6f3faf2746e72901d73c8302b60dc8d1bd5d794be82b72819c65c727e288442f2d40867ccf1f3c8aefcbd2bc2a8451fb8efcd4fda02b65fff4bda0

Download Submit
\Users\Admin\AppData\Local\Temp\packet.dll

Filesize
80KB

MD5
ab652dab12afdad853fd59207dd2d68b

SHA1
0969ebf80723c3f5889dc9d9b94872d4b474c89e

SHA256
19c6e6603021586092dcedf5592865cdda5cae1ee1db00343cdd523e399b0d65

SHA512
c5fd05fd866fcf17ec1173a049ea03db01301a3fa9073dfeafb6bc11a56f716eb9385fc1ceec7a80f41c1673aea5ba00dc6f8b6c41883c366a27c2d61ad24e56

Download Submit
\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Filesize
131KB

MD5
2635509cd067a0fd64669124ffd044bc

SHA1
256087ef39efac57959542d4ae75282b3def1879

SHA256
db09d660280c58b0353843e760b59d81a55870c3ab520626b683be56276595ee

SHA512
2938d6b5a96ab7f5ff7b7a180d268f57f7b07ebe4a1dd91e012be5b36aa443af94785b308b7537bc45bdb708cc16d9f73c9e61322ee912b958c430f266023c27

Download Submit
\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Filesize
131KB

MD5
2635509cd067a0fd64669124ffd044bc

SHA1
256087ef39efac57959542d4ae75282b3def1879

SHA256
db09d660280c58b0353843e760b59d81a55870c3ab520626b683be56276595ee

SHA512
2938d6b5a96ab7f5ff7b7a180d268f57f7b07ebe4a1dd91e012be5b36aa443af94785b308b7537bc45bdb708cc16d9f73c9e61322ee912b958c430f266023c27

Download Submit
\Users\Admin\AppData\Local\Temp\real.exe

Filesize
273KB

MD5
ba40eaba3bf9aa79295506b7f1b2235e

SHA1
7cd2a220b88831034546fdbe0c9e2c1fe4cf0e9b

SHA256
3c5b37d57a3416e3c9af83d41eca2bf035399a36f5da9e4207083c2da84c2bba

SHA512
84b5b3bfeb07e00ed1c50ea32c6fc7eafb6f12ced4aa17919e17ec087a1f63a8ceb4f007e794b1920719927bc1a271a4e5d56a9c8c2137301144fcd5c6bd6bad

Download Submit
\Users\Admin\AppData\Local\Temp\real.exe

Filesize
273KB

MD5
ba40eaba3bf9aa79295506b7f1b2235e

SHA1
7cd2a220b88831034546fdbe0c9e2c1fe4cf0e9b

SHA256
3c5b37d57a3416e3c9af83d41eca2bf035399a36f5da9e4207083c2da84c2bba

SHA512
84b5b3bfeb07e00ed1c50ea32c6fc7eafb6f12ced4aa17919e17ec087a1f63a8ceb4f007e794b1920719927bc1a271a4e5d56a9c8c2137301144fcd5c6bd6bad

Download Submit
\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
\Users\Admin\AppData\Local\Temp\tem.exe

Filesize
25KB

MD5
bbc43447dfb941aaf22201c21b5cfd18

SHA1
a96dcfded13ad03cd4f28dcf54b2c00a866df1e5

SHA256
cac2824745aef60cf3a998bb3317df9cb018fc9061ac19c762a774af3004b8c3

SHA512
df52813362f24fde43c4a7c5d18225cca601c5fbfee0c17801098abdca886b1864e3c38bd6f3ac28a4bed5bf69b4879b8f86fb418e1335eb39d3f5bf84489e3a

Download Submit
\Users\Admin\AppData\Local\Temp\tem.exe

Filesize
25KB

MD5
bbc43447dfb941aaf22201c21b5cfd18

SHA1
a96dcfded13ad03cd4f28dcf54b2c00a866df1e5

SHA256
cac2824745aef60cf3a998bb3317df9cb018fc9061ac19c762a774af3004b8c3

SHA512
df52813362f24fde43c4a7c5d18225cca601c5fbfee0c17801098abdca886b1864e3c38bd6f3ac28a4bed5bf69b4879b8f86fb418e1335eb39d3f5bf84489e3a

Download Submit
\Users\Admin\AppData\Local\Temp\usertemp.dll

Filesize
56KB

MD5
e8a0472f5e9c72a63ef2413fb1d8f643

SHA1
3c3c04711ee2b422a9e210e5b741cc7d9c68d026

SHA256
9bdfd7507b5217818bc725853bafd887c7d09c1a1ba5b8659e918ad1c50119de

SHA512
23c34097328f534bbf57b361158b83e317b3f3126b62e76b01b870887436c6707a91c45671272f94d391a51a96f692c5da6b3b8990c4db1c5e53e24b28e57eff

Download Submit
\Users\Admin\AppData\Local\Temp\wanpacket.dll

Filesize
60KB

MD5
12aa2da30d1d2889511b4c1d14fb99b9

SHA1
e6d09e7581565d5e83563e23027784348fd188ca

SHA256
3064ea133646c4dbfbe750abbf836492a016b319783bc8166825e0783fd6e462

SHA512
6a732791d1c54098b4b143e03d21ecdd360d1b629d10afc442eeed5e7aae7ad877019f7a1bcf354d9d563f66083fbb9a66b1fde1ab34ac125d188a8f226e9ca0

Download Submit
memory/320-71-0x0000000000000000-mapping.dmp

Download
memory/632-73-0x0000000000000000-mapping.dmp

Download
memory/948-91-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/948-108-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/948-103-0x0000000002730000-0x0000000002784000-memory.dmp

Filesize
336KB

Download
memory/948-87-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/948-102-0x0000000002730000-0x0000000002743000-memory.dmp

Filesize
76KB

Download
memory/948-62-0x0000000000000000-mapping.dmp

Download
memory/948-92-0x0000000002730000-0x0000000002784000-memory.dmp

Filesize
336KB

Download
memory/948-106-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/948-105-0x0000000002730000-0x0000000002743000-memory.dmp

Filesize
76KB

Download
memory/948-109-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/952-116-0x0000000000000000-mapping.dmp

Download
memory/992-100-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/992-79-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/992-101-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/992-57-0x0000000000000000-mapping.dmp

Download
memory/992-120-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1172-84-0x0000000000000000-mapping.dmp

Download
memory/1320-98-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/1320-115-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1320-99-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1320-123-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1320-97-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1320-122-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/1320-96-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1320-112-0x0000000002460000-0x0000000002475000-memory.dmp

Filesize
84KB

Download
memory/1320-121-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1320-67-0x0000000000000000-mapping.dmp

Download
memory/1352-78-0x00000000028B0000-0x0000000002902000-memory.dmp

Filesize
328KB

Download
memory/1352-76-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1352-77-0x00000000028B0000-0x0000000002902000-memory.dmp

Filesize
328KB

Download
memory/1352-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1352-85-0x00000000028B0000-0x0000000002944000-memory.dmp

Filesize
592KB

Download
memory/1352-83-0x00000000028B0000-0x0000000002944000-memory.dmp

Filesize
592KB

Download
memory/1352-107-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1476-94-0x0000000000000000-mapping.dmp

Download
memory/1552-82-0x0000000000000000-mapping.dmp

Download
memory/1552-93-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads