55c2faf7a200fe2db176dd0a7c43bd8f97d4a485814d6b105855ae7adfadcb32

Analysis

max time kernel
566s
max time network
1210s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BruteL4 DDOS Tool.exe
Size

12.0MB
MD5

7469696e71e96dd67ce6c5f59c2e77c7
SHA1

a26de444a133d56eb51f5bac21fb2f925b5ee37a
SHA256

55c2faf7a200fe2db176dd0a7c43bd8f97d4a485814d6b105855ae7adfadcb32
SHA512

7702b5c08999a52816ff0176efe14f7d3c3808081337077f4fd4154cd29d3641aca5508d37c10e44d1980f835c868e9f2d3c71fda23f89c9ff80ca0f238f4c4c
SSDEEP

393216:J+aZeyhEOh8pJpdEYTzuaj5DDKEeuuODGfTc:MahEe8pVEY3uaJWEhuODGw

Score

10^/10

evasion pyinstaller themida trojan upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BruteL4-DDOS.exe

description pid process target process

PID 4520 created 3144 4520 BruteL4-DDOS.exe Explorer.EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BruteL4-DDOS.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BruteL4-DDOS.exe
Downloads MZ/PE file

description	pid	process	target process
PID 4520 created 3144	4520	BruteL4-DDOS.exe	Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BruteL4-DDOS.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BruteL4-DDOS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BruteL4-DDOS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BruteL4-DDOS.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BruteL4-DDOS.exeBruteL4 DDOS Tool.exeBruteL4-DDOS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	BruteL4-DDOS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	BruteL4 DDOS Tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	BruteL4-DDOS.exe

Drops startup file 2 IoCs

Processes:

crack.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe

Executes dropped EXE 6 IoCs

Processes:

crack.exeBruteL4-DDOS.exeBruteL4-DDOS.exeBruteL4DDOS.exeBruteL4DDOS.exeMpDlpCmd.exe

pid process

5012 crack.exe
4520 BruteL4-DDOS.exe
1120 BruteL4-DDOS.exe
2432 BruteL4DDOS.exe
4664 BruteL4DDOS.exe
688 MpDlpCmd.exe
Loads dropped DLL 6 IoCs

Processes:

BruteL4DDOS.exe

pid process

4664 BruteL4DDOS.exe
4664 BruteL4DDOS.exe
4664 BruteL4DDOS.exe
4664 BruteL4DDOS.exe
4664 BruteL4DDOS.exe
4664 BruteL4DDOS.exe

pid	process
5012	crack.exe
4520	BruteL4-DDOS.exe
1120	BruteL4-DDOS.exe
2432	BruteL4DDOS.exe
4664	BruteL4DDOS.exe
688	MpDlpCmd.exe

pid	process
4664	BruteL4DDOS.exe
4664	BruteL4DDOS.exe
4664	BruteL4DDOS.exe
4664	BruteL4DDOS.exe
4664	BruteL4DDOS.exe
4664	BruteL4DDOS.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\BruteL4-DDOS.exe	themida
C:\Users\Admin\Desktop\BruteL4-DDOS.exe	themida
behavioral1/memory/4520-160-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp	themida
behavioral1/memory/4520-161-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp	themida
C:\Users\Admin\Desktop\BruteL4-DDOS.exe	themida
behavioral1/memory/4520-233-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp	themida
behavioral1/memory/1120-378-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp	themida

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ctypes.pyd	upx
behavioral1/memory/4664-271-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp	upx
behavioral1/memory/4664-272-0x00007FFE7E620000-0x00007FFE7E644000-memory.dmp	upx
behavioral1/memory/4664-274-0x00007FFE84E10000-0x00007FFE84E1F000-memory.dmp	upx
behavioral1/memory/4664-276-0x00007FFE84DD0000-0x00007FFE84DDD000-memory.dmp	upx
behavioral1/memory/4664-275-0x00007FFE7E5C0000-0x00007FFE7E5D9000-memory.dmp	upx
behavioral1/memory/4664-381-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp	upx
behavioral1/memory/4664-387-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp	upx
behavioral1/memory/4664-393-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp	upx
behavioral1/memory/4664-399-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp	upx
behavioral1/memory/4664-405-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp	upx
behavioral1/memory/4664-411-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BruteL4-DDOS.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BruteL4-DDOS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BruteL4-DDOS.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

Processes:

BruteL4-DDOS.exeBruteL4-DDOS.exeMpDlpCmd.exe

pid	process
4520	BruteL4-DDOS.exe
1120	BruteL4-DDOS.exe
1120	BruteL4-DDOS.exe
1120	BruteL4-DDOS.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
1120	BruteL4-DDOS.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BruteL4-DDOS.exe

description pid process target process

PID 4520 set thread context of 1120 4520 BruteL4-DDOS.exe BruteL4-DDOS.exe

description	pid	process	target process
PID 4520 set thread context of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\BruteL4DDOS.exe	pyinstaller
C:\Users\Admin\Desktop\BruteL4DDOS.exe	pyinstaller
C:\Users\Admin\Desktop\BruteL4DDOS.exe	pyinstaller
C:\Users\Admin\Desktop\BruteL4DDOS.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

BruteL4 DDOS Tool.exeBruteL4-DDOS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	BruteL4 DDOS Tool.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BruteL4 DDOS Tool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	BruteL4-DDOS.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

crack.exe

pid process

5012 crack.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

BruteL4-DDOS.exeMpDlpCmd.exe

pid process

1120 BruteL4-DDOS.exe
1120 BruteL4-DDOS.exe
1120 BruteL4-DDOS.exe
688 MpDlpCmd.exe
688 MpDlpCmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

BruteL4 DDOS Tool.exe

pid process

4084 BruteL4 DDOS Tool.exe

pid	process
5012	crack.exe

pid	process
1120	BruteL4-DDOS.exe
1120	BruteL4-DDOS.exe
1120	BruteL4-DDOS.exe
688	MpDlpCmd.exe
688	MpDlpCmd.exe

pid	process
4084	BruteL4 DDOS Tool.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BruteL4-DDOS.exe

description	pid	process
Token: SeDebugPrivilege	1120	BruteL4-DDOS.exe
Token: SeIncreaseQuotaPrivilege	1120	BruteL4-DDOS.exe
Token: SeSecurityPrivilege	1120	BruteL4-DDOS.exe
Token: SeTakeOwnershipPrivilege	1120	BruteL4-DDOS.exe
Token: SeLoadDriverPrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemProfilePrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemtimePrivilege	1120	BruteL4-DDOS.exe
Token: SeProfSingleProcessPrivilege	1120	BruteL4-DDOS.exe
Token: SeIncBasePriorityPrivilege	1120	BruteL4-DDOS.exe
Token: SeCreatePagefilePrivilege	1120	BruteL4-DDOS.exe
Token: SeBackupPrivilege	1120	BruteL4-DDOS.exe
Token: SeRestorePrivilege	1120	BruteL4-DDOS.exe
Token: SeShutdownPrivilege	1120	BruteL4-DDOS.exe
Token: SeDebugPrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemEnvironmentPrivilege	1120	BruteL4-DDOS.exe
Token: SeRemoteShutdownPrivilege	1120	BruteL4-DDOS.exe
Token: SeUndockPrivilege	1120	BruteL4-DDOS.exe
Token: SeManageVolumePrivilege	1120	BruteL4-DDOS.exe
Token: 33	1120	BruteL4-DDOS.exe
Token: 34	1120	BruteL4-DDOS.exe
Token: 35	1120	BruteL4-DDOS.exe
Token: 36	1120	BruteL4-DDOS.exe
Token: SeIncreaseQuotaPrivilege	1120	BruteL4-DDOS.exe
Token: SeSecurityPrivilege	1120	BruteL4-DDOS.exe
Token: SeTakeOwnershipPrivilege	1120	BruteL4-DDOS.exe
Token: SeLoadDriverPrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemProfilePrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemtimePrivilege	1120	BruteL4-DDOS.exe
Token: SeProfSingleProcessPrivilege	1120	BruteL4-DDOS.exe
Token: SeIncBasePriorityPrivilege	1120	BruteL4-DDOS.exe
Token: SeCreatePagefilePrivilege	1120	BruteL4-DDOS.exe
Token: SeBackupPrivilege	1120	BruteL4-DDOS.exe
Token: SeRestorePrivilege	1120	BruteL4-DDOS.exe
Token: SeShutdownPrivilege	1120	BruteL4-DDOS.exe
Token: SeDebugPrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemEnvironmentPrivilege	1120	BruteL4-DDOS.exe
Token: SeRemoteShutdownPrivilege	1120	BruteL4-DDOS.exe
Token: SeUndockPrivilege	1120	BruteL4-DDOS.exe
Token: SeManageVolumePrivilege	1120	BruteL4-DDOS.exe
Token: 33	1120	BruteL4-DDOS.exe
Token: 34	1120	BruteL4-DDOS.exe
Token: 35	1120	BruteL4-DDOS.exe
Token: 36	1120	BruteL4-DDOS.exe
Token: SeIncreaseQuotaPrivilege	1120	BruteL4-DDOS.exe
Token: SeSecurityPrivilege	1120	BruteL4-DDOS.exe
Token: SeTakeOwnershipPrivilege	1120	BruteL4-DDOS.exe
Token: SeLoadDriverPrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemProfilePrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemtimePrivilege	1120	BruteL4-DDOS.exe
Token: SeProfSingleProcessPrivilege	1120	BruteL4-DDOS.exe
Token: SeIncBasePriorityPrivilege	1120	BruteL4-DDOS.exe
Token: SeCreatePagefilePrivilege	1120	BruteL4-DDOS.exe
Token: SeBackupPrivilege	1120	BruteL4-DDOS.exe
Token: SeRestorePrivilege	1120	BruteL4-DDOS.exe
Token: SeShutdownPrivilege	1120	BruteL4-DDOS.exe
Token: SeDebugPrivilege	1120	BruteL4-DDOS.exe
Token: SeSystemEnvironmentPrivilege	1120	BruteL4-DDOS.exe
Token: SeRemoteShutdownPrivilege	1120	BruteL4-DDOS.exe
Token: SeUndockPrivilege	1120	BruteL4-DDOS.exe
Token: SeManageVolumePrivilege	1120	BruteL4-DDOS.exe
Token: 33	1120	BruteL4-DDOS.exe
Token: 34	1120	BruteL4-DDOS.exe
Token: 35	1120	BruteL4-DDOS.exe
Token: 36	1120	BruteL4-DDOS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

BruteL4 DDOS Tool.exeBruteL4-DDOS.exeMpDlpCmd.exe

pid process

4084 BruteL4 DDOS Tool.exe
4084 BruteL4 DDOS Tool.exe
1120 BruteL4-DDOS.exe
688 MpDlpCmd.exe

pid	process
4084	BruteL4 DDOS Tool.exe
4084	BruteL4 DDOS Tool.exe
1120	BruteL4-DDOS.exe
688	MpDlpCmd.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

BruteL4 DDOS Tool.exeBruteL4-DDOS.exeBruteL4DDOS.exeBruteL4DDOS.execmd.exeBruteL4-DDOS.exe

description	pid	process	target process
PID 4084 wrote to memory of 5012	4084	BruteL4 DDOS Tool.exe	crack.exe
PID 4084 wrote to memory of 5012	4084	BruteL4 DDOS Tool.exe	crack.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 1120	4520	BruteL4-DDOS.exe	BruteL4-DDOS.exe
PID 4520 wrote to memory of 2432	4520	BruteL4-DDOS.exe	BruteL4DDOS.exe
PID 4520 wrote to memory of 2432	4520	BruteL4-DDOS.exe	BruteL4DDOS.exe
PID 2432 wrote to memory of 4664	2432	BruteL4DDOS.exe	BruteL4DDOS.exe
PID 2432 wrote to memory of 4664	2432	BruteL4DDOS.exe	BruteL4DDOS.exe
PID 4664 wrote to memory of 3300	4664	BruteL4DDOS.exe	cmd.exe
PID 4664 wrote to memory of 3300	4664	BruteL4DDOS.exe	cmd.exe
PID 4664 wrote to memory of 1372	4664	BruteL4DDOS.exe	cmd.exe
PID 4664 wrote to memory of 1372	4664	BruteL4DDOS.exe	cmd.exe
PID 1372 wrote to memory of 1188	1372	cmd.exe	mode.com
PID 1372 wrote to memory of 1188	1372	cmd.exe	mode.com
PID 4664 wrote to memory of 3104	4664	BruteL4DDOS.exe	cmd.exe
PID 4664 wrote to memory of 3104	4664	BruteL4DDOS.exe	cmd.exe
PID 1120 wrote to memory of 688	1120	BruteL4-DDOS.exe	MpDlpCmd.exe
PID 1120 wrote to memory of 688	1120	BruteL4-DDOS.exe	MpDlpCmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\BruteL4 DDOS Tool.exe
"C:\Users\Admin\AppData\Local\Temp\BruteL4 DDOS Tool.exe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\Desktop\crack.exe
"C:\Users\Admin\Desktop\crack.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:5012

C:\Users\Admin\Desktop\BruteL4-DDOS.exe
"C:\Users\Admin\Desktop\BruteL4-DDOS.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\Desktop\BruteL4DDOS.exe
"C:\Users\Admin\Desktop\BruteL4DDOS.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\Desktop\BruteL4DDOS.exe
"C:\Users\Admin\Desktop\BruteL4DDOS.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
5⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Brute - by billythegoat356
5⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode 140, 40
5⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\Desktop\BruteL4-DDOS.exe
"C:\Users\Admin\Desktop\BruteL4-DDOS.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\ProgramData\microsoft\MpDlpCmd.exe
"C:\ProgramData\microsoft\MpDlpCmd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\system32\mode.com
mode 140, 40
1⤵
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MpDlpCmd.exe
Filesize
3.3MB

MD5
300668bc6b9a15cc237e63ceadfac756

SHA1
c8341efe0d0b8e9f7fe4e6ff28436b873c91795a

SHA256
f61131d97d797df46306bbd969043ceb702ac1d74b0486a4cbb5bacac1b6e43c

SHA512
f754d6e09cc8055122333eb0137dbfbeac7900480dc38c9e1f037962d516c59f433ed682950f1fe4889043145c4ef6ac763cbb1a6edec122ac2ea57b4f4bb69e

Download Submit
C:\ProgramData\Microsoft\MpDlpCmd.exe
Filesize
3.3MB

MD5
300668bc6b9a15cc237e63ceadfac756

SHA1
c8341efe0d0b8e9f7fe4e6ff28436b873c91795a

SHA256
f61131d97d797df46306bbd969043ceb702ac1d74b0486a4cbb5bacac1b6e43c

SHA512
f754d6e09cc8055122333eb0137dbfbeac7900480dc38c9e1f037962d516c59f433ed682950f1fe4889043145c4ef6ac763cbb1a6edec122ac2ea57b4f4bb69e

Download Submit
C:\ProgramData\microsoft\MpDlpCmd.exe
Filesize
3.3MB

MD5
300668bc6b9a15cc237e63ceadfac756

SHA1
c8341efe0d0b8e9f7fe4e6ff28436b873c91795a

SHA256
f61131d97d797df46306bbd969043ceb702ac1d74b0486a4cbb5bacac1b6e43c

SHA512
f754d6e09cc8055122333eb0137dbfbeac7900480dc38c9e1f037962d516c59f433ed682950f1fe4889043145c4ef6ac763cbb1a6edec122ac2ea57b4f4bb69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BruteL4-DDOS.exe.log
Filesize
859B

MD5
6e11a15fe4491ead2a94f64d3467be38

SHA1
9a8329fb71ddc89dae9aa174c0b44a1f646efd63

SHA256
087cf6355ae9fc71eea2493b30c6b10a6775f3dd68b2cb5e07fcc13461b74248

SHA512
6154e320e2556aef177fc5bfb4e5fe8fabe324af736b89db4db41e6dd51658f7f6a7d0f73c24dc6ccdc4edf14023f4a1ecd0908abac5b82cebd038a93b2fc106

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\VCRUNTIME140.dll
Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\VCRUNTIME140.dll
Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ctypes.pyd
Filesize
54KB

MD5
e28acb3e65ad0b0f56bbfa07a5524289

SHA1
a36cebfed6887d32fc005cd74da22648e7ec8e6c

SHA256
269a4c6d8deeb6cf5739573c71d1cfe1398f8d1a1508d1149efa926fd49138c9

SHA512
527e1ab1638090e5c5f005a319d548c9bf0a530389ab82e4fe314cc7a6ac59ba74715b6e38a90f82ad3acd32533c0285b90f8b4b3b89b55ed31a8235ee835284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ctypes.pyd
Filesize
54KB

MD5
e28acb3e65ad0b0f56bbfa07a5524289

SHA1
a36cebfed6887d32fc005cd74da22648e7ec8e6c

SHA256
269a4c6d8deeb6cf5739573c71d1cfe1398f8d1a1508d1149efa926fd49138c9

SHA512
527e1ab1638090e5c5f005a319d548c9bf0a530389ab82e4fe314cc7a6ac59ba74715b6e38a90f82ad3acd32533c0285b90f8b4b3b89b55ed31a8235ee835284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_socket.pyd
Filesize
38KB

MD5
79ca909a112bf7e02eebbeb24c7fea66

SHA1
5c3724b1b715365b2754f91e73d044b2673f3903

SHA256
f5aa56e1e206c680d02f398a9eeeb9e9986246178f616c59494c09aaf24d71d3

SHA512
227fa2adcd9b9fd8058fe09c2918ef8e1ada50b5b58fc7898a0851086160f83a4fab8b934979a1e2d28449f30b0a689c2c096ea1c70779fb6b1daef564f9b980

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_socket.pyd
Filesize
38KB

MD5
79ca909a112bf7e02eebbeb24c7fea66

SHA1
5c3724b1b715365b2754f91e73d044b2673f3903

SHA256
f5aa56e1e206c680d02f398a9eeeb9e9986246178f616c59494c09aaf24d71d3

SHA512
227fa2adcd9b9fd8058fe09c2918ef8e1ada50b5b58fc7898a0851086160f83a4fab8b934979a1e2d28449f30b0a689c2c096ea1c70779fb6b1daef564f9b980

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\base_library.zip
Filesize
812KB

MD5
eb130a9177f630bc33d7e510ed81d9d2

SHA1
c33dae854285d5367e8c87899e1a168abeca8d18

SHA256
987165c5cc33442df85d8ab8c3f66e2805070e0b526801b88434f48ed04b3a2f

SHA512
17feb5a3468a4883730fb17251ac7604c9ba376ce871ebbf4a034144626a63caf415bc6bed6cfca518b37c9840231cfdfccc17ca4833b3ef23b32499444b8474

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libffi-7.dll
Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libffi-7.dll
Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python310.dll
Filesize
1.4MB

MD5
b607df83392febab3f5745b79dc26c57

SHA1
58c4b08575afbca1cf21e0995ca9048290241ebd

SHA256
6a21dc896a78c961eac3dad70a9addc289c6c8449fe5c09b37adf12310e06b0e

SHA512
a341b1b1a725a6df59d3b0f8e1afd3c8d39b63d682f297321ac59418f1f8089b3caca8374dcf453a09e77c53f0f47e889b965b9f3d0ec9dd5b8cff8839838d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python310.dll
Filesize
1.4MB

MD5
b607df83392febab3f5745b79dc26c57

SHA1
58c4b08575afbca1cf21e0995ca9048290241ebd

SHA256
6a21dc896a78c961eac3dad70a9addc289c6c8449fe5c09b37adf12310e06b0e

SHA512
a341b1b1a725a6df59d3b0f8e1afd3c8d39b63d682f297321ac59418f1f8089b3caca8374dcf453a09e77c53f0f47e889b965b9f3d0ec9dd5b8cff8839838d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\select.pyd
Filesize
21KB

MD5
6b060423e9286414cd6529d4ae6fcda5

SHA1
41f0f83c395a936b313001307cbbe2f01224fa35

SHA256
6ee51b502c418c8a6d3e5c13f22bee6f72503043ac33b4f1ac01adf7531557ae

SHA512
04256d6fb99296c6b3c29fd69b0f90ac1eb8a25c2e7750b3fda4a145d5d9bc7a6e5d5b3691c0784c810f3e7cea3f080325d6cec2901ed206b57dcf1b6777e4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\select.pyd
Filesize
21KB

MD5
6b060423e9286414cd6529d4ae6fcda5

SHA1
41f0f83c395a936b313001307cbbe2f01224fa35

SHA256
6ee51b502c418c8a6d3e5c13f22bee6f72503043ac33b4f1ac01adf7531557ae

SHA512
04256d6fb99296c6b3c29fd69b0f90ac1eb8a25c2e7750b3fda4a145d5d9bc7a6e5d5b3691c0784c810f3e7cea3f080325d6cec2901ed206b57dcf1b6777e4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ly45jmzg.5ag.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\BruteL4-DDOS.exe
Filesize
11.5MB

MD5
cb885b1cae29af6524d341c65e486828

SHA1
ef35f45fd7378e8fd31cd60f72bde21e75d61ada

SHA256
bd95ec107878109859ff396ef71c76eb801ed4b25a167b49c8f0b8e112fbe361

SHA512
9086e5a01178134876311086b14798e17d57f960c280b019e8f7e33fb68cdc494eb9be32918ec10314d8b8dfe289281567c82d132f1a5cf98288b8f133df2cde

Download Submit
C:\Users\Admin\Desktop\BruteL4-DDOS.exe
Filesize
11.5MB

MD5
cb885b1cae29af6524d341c65e486828

SHA1
ef35f45fd7378e8fd31cd60f72bde21e75d61ada

SHA256
bd95ec107878109859ff396ef71c76eb801ed4b25a167b49c8f0b8e112fbe361

SHA512
9086e5a01178134876311086b14798e17d57f960c280b019e8f7e33fb68cdc494eb9be32918ec10314d8b8dfe289281567c82d132f1a5cf98288b8f133df2cde

Download Submit
C:\Users\Admin\Desktop\BruteL4-DDOS.exe
Filesize
11.5MB

MD5
cb885b1cae29af6524d341c65e486828

SHA1
ef35f45fd7378e8fd31cd60f72bde21e75d61ada

SHA256
bd95ec107878109859ff396ef71c76eb801ed4b25a167b49c8f0b8e112fbe361

SHA512
9086e5a01178134876311086b14798e17d57f960c280b019e8f7e33fb68cdc494eb9be32918ec10314d8b8dfe289281567c82d132f1a5cf98288b8f133df2cde

Download Submit
C:\Users\Admin\Desktop\BruteL4DDOS.exe
Filesize
5.8MB

MD5
a1c68c50488809ae7db16f2eaf42cf8a

SHA1
e82c90431a6865422d7d4a63488daffabe1082d6

SHA256
57dc721959bfc2125061178c9f098245ef4faa49446d19af48d0b055b1524d1e

SHA512
6d6e246dc8b5e545ebb5508cdb0d3ec68cb17b71b066f2cd0e80a6538e44c440a084591a726b180cace99518cfa4ad85940439b202711d1c07877cbb5cde7d9d

Download Submit
C:\Users\Admin\Desktop\BruteL4DDOS.exe
Filesize
5.8MB

MD5
a1c68c50488809ae7db16f2eaf42cf8a

SHA1
e82c90431a6865422d7d4a63488daffabe1082d6

SHA256
57dc721959bfc2125061178c9f098245ef4faa49446d19af48d0b055b1524d1e

SHA512
6d6e246dc8b5e545ebb5508cdb0d3ec68cb17b71b066f2cd0e80a6538e44c440a084591a726b180cace99518cfa4ad85940439b202711d1c07877cbb5cde7d9d

Download Submit
C:\Users\Admin\Desktop\BruteL4DDOS.exe
Filesize
5.8MB

MD5
a1c68c50488809ae7db16f2eaf42cf8a

SHA1
e82c90431a6865422d7d4a63488daffabe1082d6

SHA256
57dc721959bfc2125061178c9f098245ef4faa49446d19af48d0b055b1524d1e

SHA512
6d6e246dc8b5e545ebb5508cdb0d3ec68cb17b71b066f2cd0e80a6538e44c440a084591a726b180cace99518cfa4ad85940439b202711d1c07877cbb5cde7d9d

Download Submit
C:\Users\Admin\Desktop\BruteL4DDOS.exe
Filesize
5.8MB

MD5
a1c68c50488809ae7db16f2eaf42cf8a

SHA1
e82c90431a6865422d7d4a63488daffabe1082d6

SHA256
57dc721959bfc2125061178c9f098245ef4faa49446d19af48d0b055b1524d1e

SHA512
6d6e246dc8b5e545ebb5508cdb0d3ec68cb17b71b066f2cd0e80a6538e44c440a084591a726b180cace99518cfa4ad85940439b202711d1c07877cbb5cde7d9d

Download Submit
C:\Users\Admin\Desktop\crack.exe
Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\Desktop\crack.exe
Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
C:\Users\Admin\Desktop\crack.exe
Filesize
18KB

MD5
b441b71b1ce23257d6f40bd7555703ac

SHA1
961d3ae7e69b7a39edda340e93986c5a7f89c097

SHA256
eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4

SHA512
e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

Download Submit
memory/688-380-0x00007FF4F1300000-0x00007FF4F16D1000-memory.dmp

Filesize
3.8MB

Download
memory/688-392-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-331-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-327-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-379-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-375-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-386-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-326-0x00007FF4F1300000-0x00007FF4F16D1000-memory.dmp

Filesize
3.8MB

Download
memory/688-398-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-404-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-410-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-325-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-329-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/688-330-0x00000000009E0000-0x00000000018CF000-memory.dmp

Filesize
14.9MB

Download
memory/1120-168-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-332-0x000000001F700000-0x000000001F710000-memory.dmp

Filesize
64KB

Download
memory/1120-273-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-270-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-277-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-337-0x000000001F700000-0x000000001F710000-memory.dmp

Filesize
64KB

Download
memory/1120-278-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-279-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-280-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-374-0x000000001F700000-0x000000001F710000-memory.dmp

Filesize
64KB

Download
memory/1120-285-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-289-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-288-0x00007FFE8C310000-0x00007FFE8C320000-memory.dmp

Filesize
64KB

Download
memory/1120-257-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-299-0x0000000005BE0000-0x0000000005C02000-memory.dmp

Filesize
136KB

Download
memory/1120-300-0x000000001F700000-0x000000001F710000-memory.dmp

Filesize
64KB

Download
memory/1120-301-0x000000001F700000-0x000000001F710000-memory.dmp

Filesize
64KB

Download
memory/1120-302-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp

Filesize
16.0MB

Download
memory/1120-303-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-304-0x00007FF47B950000-0x00007FF47BD21000-memory.dmp

Filesize
3.8MB

Download
memory/1120-231-0x00007FF47B950000-0x00007FF47BD21000-memory.dmp

Filesize
3.8MB

Download
memory/1120-226-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-218-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp

Filesize
16.0MB

Download
memory/1120-324-0x00000000263A0000-0x0000000026B46000-memory.dmp

Filesize
7.6MB

Download
memory/1120-163-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-377-0x0000000140000000-0x0000000140CB4000-memory.dmp

Filesize
12.7MB

Download
memory/1120-378-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp

Filesize
16.0MB

Download
memory/4520-232-0x00007FFE80010000-0x00007FFE80011000-memory.dmp

Filesize
4KB

Download
memory/4520-161-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp

Filesize
16.0MB

Download
memory/4520-155-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp

Filesize
16.0MB

Download
memory/4520-156-0x00007FFE80000000-0x00007FFE80002000-memory.dmp

Filesize
8KB

Download
memory/4520-160-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp

Filesize
16.0MB

Download
memory/4520-159-0x00007FFE80030000-0x00007FFE80031000-memory.dmp

Filesize
4KB

Download
memory/4520-233-0x00007FF756F80000-0x00007FF757F8C000-memory.dmp

Filesize
16.0MB

Download
memory/4520-162-0x000000001C240000-0x000000001C250000-memory.dmp

Filesize
64KB

Download
memory/4664-381-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp

Filesize
4.4MB

Download
memory/4664-393-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp

Filesize
4.4MB

Download
memory/4664-272-0x00007FFE7E620000-0x00007FFE7E644000-memory.dmp

Filesize
144KB

Download
memory/4664-275-0x00007FFE7E5C0000-0x00007FFE7E5D9000-memory.dmp

Filesize
100KB

Download
memory/4664-274-0x00007FFE84E10000-0x00007FFE84E1F000-memory.dmp

Filesize
60KB

Download
memory/4664-387-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp

Filesize
4.4MB

Download
memory/4664-276-0x00007FFE84DD0000-0x00007FFE84DDD000-memory.dmp

Filesize
52KB

Download
memory/4664-271-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp

Filesize
4.4MB

Download
memory/4664-411-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp

Filesize
4.4MB

Download
memory/4664-399-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp

Filesize
4.4MB

Download
memory/4664-405-0x00007FFE6F900000-0x00007FFE6FD65000-memory.dmp

Filesize
4.4MB

Download
memory/5012-151-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/5012-148-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/5012-152-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download