Behavioral Report

Analysis

max time kernel
158s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

specialsurprise.exe
Size

9MB
MD5

b05fbd1bfd40e5632c36341d1f4cae47
SHA1

383df2dfd995236db0c5abcf84d867f2117215e7
SHA256

d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26
SHA512

a40b4c4738675cb15007aca628fbf3a3a920a37e8a20c986e58539c58a4f31e6160825446fabed862793034b7072c90d33d622de5e3b8ba1b043cc519e1467aa
SSDEEP

196608:HB5HVbnvf/tlSZSKWdPcYpdo5V30UsnzKTFQCZ+nE2bZq3WFGuUa:DVrnVlitW0MowTnzwFv+ZqGFdl

Score

10^/10

bootkit evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

gdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

gdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

mbr.exeMainWindow.exegdifuncs.exe

pid process

1964 mbr.exe
428 MainWindow.exe
1956 gdifuncs.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe

pid	process
1964	mbr.exe
428	MainWindow.exe
1956	gdifuncs.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gdifuncs.exe

pid	process
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe
1956	gdifuncs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEgdifuncs.exe

description	pid	process
Token: 33	832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	832	AUDIODG.EXE
Token: 33	832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	832	AUDIODG.EXE
Token: SeDebugPrivilege	1956	gdifuncs.exe
Token: SeDebugPrivilege	1956	gdifuncs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2028 NOTEPAD.EXE
1856 NOTEPAD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MainWindow.exe

pid process

428 MainWindow.exe

pid	process
2028	NOTEPAD.EXE
1856	NOTEPAD.EXE

pid	process
428	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

specialsurprise.exewscript.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 572	2040	specialsurprise.exe	wscript.exe
PID 2040 wrote to memory of 572	2040	specialsurprise.exe	wscript.exe
PID 2040 wrote to memory of 572	2040	specialsurprise.exe	wscript.exe
PID 2040 wrote to memory of 572	2040	specialsurprise.exe	wscript.exe
PID 572 wrote to memory of 1964	572	wscript.exe	mbr.exe
PID 572 wrote to memory of 1964	572	wscript.exe	mbr.exe
PID 572 wrote to memory of 1964	572	wscript.exe	mbr.exe
PID 572 wrote to memory of 1964	572	wscript.exe	mbr.exe
PID 572 wrote to memory of 996	572	wscript.exe	cmd.exe
PID 572 wrote to memory of 996	572	wscript.exe	cmd.exe
PID 572 wrote to memory of 996	572	wscript.exe	cmd.exe
PID 996 wrote to memory of 1508	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1508	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1508	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1744	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1744	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1744	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1316	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1316	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1316	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1572	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1572	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1572	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1880	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1880	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1880	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 628	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 628	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 628	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2028	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2028	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2028	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1976	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1976	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1976	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 584	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 584	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 584	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1056	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1056	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1056	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2036	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2036	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2036	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2012	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2012	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2012	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1988	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1988	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1988	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1212	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1212	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1212	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1116	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1116	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1116	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1208	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1208	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1208	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1364	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1364	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 1364	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2008	996	cmd.exe	rundll32.exe
PID 996 wrote to memory of 2008	996	cmd.exe	rundll32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

gdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe
"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\FD73.tmp\FD74.vbs //Nologo
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1964

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FD72.tmp\tools.cmd" "
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
- Sets desktop wallpaper using registry
PID:1508

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1744

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1056

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:2036

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:944

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:824

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1332

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1920

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1172

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1752

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:2016

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1320

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1600

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1604

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1596

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1496

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1648

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1100

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:980

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1784

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:924

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:2004

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:2008

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1364

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1208

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1116

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1212

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1988

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:2012

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:584

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1976

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:2028

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:628

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1880

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1572

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
PID:1316

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe
"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:428

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1956

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
PID:1524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
- Suspicious use of FindShellTrayWindow
PID:1856

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
PID:268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
- Suspicious use of FindShellTrayWindow
PID:2028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
PID:2448

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Bootkit

T1067

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\FD72.tmp\FD73.tmp\FD74.vbs
Filesize
2KB

MD5
b893c34dd666c3c4acef2e2974834a10

SHA1
2664e328e76c324fd53fb9f9cb64c24308472e82

SHA256
984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc

SHA512
98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe
Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe
Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\bg.bmp
Filesize
2MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe
Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe
Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mainbgtheme.wav
Filesize
19MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe
Filesize
1MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe
Filesize
1MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\tools.cmd
Filesize
2KB

MD5
397c1a185b596e4d6a4a36c4bdcbd3b2

SHA1
054819dae87cee9b1783b09940a52433b63f01ae

SHA256
56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f

SHA512
c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt
Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
Filesize
19MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
\??\c:\bg.bmp
Filesize
2MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
memory/1956-298-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-305-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-295-0x0000000001190000-0x00000000011B2000-memory.dmp

Filesize
136KB

Download
memory/1956-299-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-300-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-301-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-302-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-303-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-304-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-296-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-306-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-307-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-308-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-309-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-310-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-311-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1956-312-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1964-275-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2448-314-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Downloads