warzonerat | 966794e8fc1be091307b4aaeee721920734278ddae04eda17f205ffada16422c

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/09/2023, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ODEME.exe
Size

1.4MB
MD5

1afac30d0748bd539783d4346facbcb3
SHA1

5c4492047f046ee05f8f8d105f3e757180f0ff10
SHA256

966794e8fc1be091307b4aaeee721920734278ddae04eda17f205ffada16422c
SHA512

cd60b13f34d2e14b966dc0f6128f24a1ce79d8946b1bcf9176d35d93193ddf7f03d214427ad5ae75fcc67f96f20242ebc512e449e6fd1856bfb7faacdb7ddd8c
SSDEEP

24576:wNA3R5drXmDgFJ1awm2KcREhI2gdFtyxSKBXk9ZDJFABAWbDT1F4RjpTSsAgb/L+:p5UVwlihHkeC9ZfqrbDn4i6L+

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

grotomniponmyte.sytes.net:5204

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/2404-84-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2404-88-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2404-89-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2404-94-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2356-105-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2356-106-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2356-113-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Executes dropped EXE 7 IoCs

pid	Process
2940	dgsfgsdf.sfx.exe
1304	dgsfgsdf.exe
2428	server1.sfx.exe
1600	server1.exe
2404	server1.exe
1684	sysproces.exe
2356	sysproces.exe

Loads dropped DLL 10 IoCs

pid	Process
2704	cmd.exe
2940	dgsfgsdf.sfx.exe
2940	dgsfgsdf.sfx.exe
2940	dgsfgsdf.sfx.exe
1864	cmd.exe
2428	server1.sfx.exe
2428	server1.sfx.exe
2428	server1.sfx.exe
2428	server1.sfx.exe
2404	server1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysproces = "C:\\Users\\Admin\\Documents\\sysproces.exe"	server1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 2404	1600	server1.exe	37
PID 1684 set thread context of 2356	1684	sysproces.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	server1.exe
Token: SeDebugPrivilege	1684	sysproces.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2756	DllHost.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2704	2104	ODEME.exe	29
PID 2104 wrote to memory of 2704	2104	ODEME.exe	29
PID 2104 wrote to memory of 2704	2104	ODEME.exe	29
PID 2104 wrote to memory of 2704	2104	ODEME.exe	29
PID 2704 wrote to memory of 2940	2704	cmd.exe	31
PID 2704 wrote to memory of 2940	2704	cmd.exe	31
PID 2704 wrote to memory of 2940	2704	cmd.exe	31
PID 2704 wrote to memory of 2940	2704	cmd.exe	31
PID 2940 wrote to memory of 1304	2940	dgsfgsdf.sfx.exe	32
PID 2940 wrote to memory of 1304	2940	dgsfgsdf.sfx.exe	32
PID 2940 wrote to memory of 1304	2940	dgsfgsdf.sfx.exe	32
PID 2940 wrote to memory of 1304	2940	dgsfgsdf.sfx.exe	32
PID 1304 wrote to memory of 1864	1304	dgsfgsdf.exe	33
PID 1304 wrote to memory of 1864	1304	dgsfgsdf.exe	33
PID 1304 wrote to memory of 1864	1304	dgsfgsdf.exe	33
PID 1304 wrote to memory of 1864	1304	dgsfgsdf.exe	33
PID 1864 wrote to memory of 2428	1864	cmd.exe	35
PID 1864 wrote to memory of 2428	1864	cmd.exe	35
PID 1864 wrote to memory of 2428	1864	cmd.exe	35
PID 1864 wrote to memory of 2428	1864	cmd.exe	35
PID 2428 wrote to memory of 1600	2428	server1.sfx.exe	36
PID 2428 wrote to memory of 1600	2428	server1.sfx.exe	36
PID 2428 wrote to memory of 1600	2428	server1.sfx.exe	36
PID 2428 wrote to memory of 1600	2428	server1.sfx.exe	36
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 1600 wrote to memory of 2404	1600	server1.exe	37
PID 2404 wrote to memory of 1684	2404	server1.exe	38
PID 2404 wrote to memory of 1684	2404	server1.exe	38
PID 2404 wrote to memory of 1684	2404	server1.exe	38
PID 2404 wrote to memory of 1684	2404	server1.exe	38
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 1684 wrote to memory of 2356	1684	sysproces.exe	39
PID 2356 wrote to memory of 320	2356	sysproces.exe	40
PID 2356 wrote to memory of 320	2356	sysproces.exe	40
PID 2356 wrote to memory of 320	2356	sysproces.exe	40
PID 2356 wrote to memory of 320	2356	sysproces.exe	40
PID 2356 wrote to memory of 320	2356	sysproces.exe	40
PID 2356 wrote to memory of 320	2356	sysproces.exe	40

C:\Users\Admin\AppData\Local\Temp\ODEME.exe
"C:\Users\Admin\AppData\Local\Temp\ODEME.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwawzdg.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.sfx.exe
    dgsfgsdf.sfx.exe -pkgyttnwmkpiuthnjmdkolqhjyoNomeyjmjhgtprbnhotafugBbsddfdtuxTnBn -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\iloma.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Users\Admin\AppData\Roaming\server1.sfx.exe
        
        server1.sfx.exe -pghtjkluiopmhjfjgBbsdirhndgfszafugyRfvwytndkMnfkmkaloyrhnlyunhlndfdyehn -dC:\Users\Admin\AppData\Roaming
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\server1.exe
        
        "C:\Users\Admin\AppData\Roaming\server1.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\server1.exe
        
        C:\Users\Admin\AppData\Roaming\server1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\Documents\sysproces.exe
        
        "C:\Users\Admin\Documents\sysproces.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Users\Admin\Documents\sysproces.exe
        
        C:\Users\Admin\Documents\sysproces.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        11⤵
        
        PID:320

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.sfx.exe

Filesize
1.5MB

MD5
ede974cca5d03f063e5f54cc166da9b2

SHA1
5cf6253caf78ab6801c53aa625c4194af13bcedc

SHA256
a20026e02904bdcf3f4f3c92d8cb60509be9681422fe3d835b9e65c4eea78359

SHA512
2bfc9bc0186da1ca8ee42ca938219b6c43653c1b95e970c41b3cd13c5563fb11458b9e25681e4a755e5c4fd475291a13a7f4281104e427e3009e5720e0de554d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsfgsdf.sfx.exe

Filesize
1.5MB

MD5
ede974cca5d03f063e5f54cc166da9b2

SHA1
5cf6253caf78ab6801c53aa625c4194af13bcedc

SHA256
a20026e02904bdcf3f4f3c92d8cb60509be9681422fe3d835b9e65c4eea78359

SHA512
2bfc9bc0186da1ca8ee42ca938219b6c43653c1b95e970c41b3cd13c5563fb11458b9e25681e4a755e5c4fd475291a13a7f4281104e427e3009e5720e0de554d

Download Submit
C:\Users\Admin\AppData\Local\Temp\swift010.tif

Filesize
127KB

MD5
6b3831ca202119b0c2e9d67a20b1e5b3

SHA1
a339dfcc39f87defaceee7c1ea4cea8ad201ef28

SHA256
5875d3ee98bf9ccc7104fb764b38b77f237d02710ab1011908a0e0bf3dd5d78c

SHA512
a2f914e6c5f83bef2232fba67f68e1bf74df81bbb54322028a59263ef7c264fa8a98088e5185d4cb48efa6ccc6ef8015caed2a3dc7bd42ecacb0b7bcd424fa0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwawzdg.cmd

Filesize
11KB

MD5
dfba212ea164cfb7c0efa47aa66ad3a6

SHA1
6f094dfcf755460f175cde6f65e9ddabd32f68eb

SHA256
2cff60863a80ef35e98e41de0c2fd4575b7910a9263305cb5835507aba6e3844

SHA512
fb3fc1a4aae037ce64b55c28db2012975ef30adca315a8adc8df65e5e08b289eed478e277ef36c81d3bbeb7ae3cfbaa283be5fde9f0fcb4a4ebc256874dad1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwawzdg.cmd

Filesize
11KB

MD5
dfba212ea164cfb7c0efa47aa66ad3a6

SHA1
6f094dfcf755460f175cde6f65e9ddabd32f68eb

SHA256
2cff60863a80ef35e98e41de0c2fd4575b7910a9263305cb5835507aba6e3844

SHA512
fb3fc1a4aae037ce64b55c28db2012975ef30adca315a8adc8df65e5e08b289eed478e277ef36c81d3bbeb7ae3cfbaa283be5fde9f0fcb4a4ebc256874dad1fa

Download Submit
C:\Users\Admin\AppData\Roaming\iloma.bat

Filesize
11KB

MD5
828026a69b9016165c7bac87e6b7ebde

SHA1
6a84b3090ec280675aa93907baa8df7c025c04d0

SHA256
4c6d7e4ff1b563745a335c709065e2ac413394979665d702478935632ad21ec7

SHA512
8afa917d0a37da35c7476e5b0e94e311b32e000333ea8b7f00068e7ee618b4c4efb96be9dac0a3c510a80b58bc2e72bbb39713d464140dc229b5099e0c303514

Download Submit
C:\Users\Admin\AppData\Roaming\iloma.bat

Filesize
11KB

MD5
828026a69b9016165c7bac87e6b7ebde

SHA1
6a84b3090ec280675aa93907baa8df7c025c04d0

SHA256
4c6d7e4ff1b563745a335c709065e2ac413394979665d702478935632ad21ec7

SHA512
8afa917d0a37da35c7476e5b0e94e311b32e000333ea8b7f00068e7ee618b4c4efb96be9dac0a3c510a80b58bc2e72bbb39713d464140dc229b5099e0c303514

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\AppData\Roaming\server1.sfx.exe

Filesize
846KB

MD5
4c17aa436d9ff1899b4b34efa54d30c1

SHA1
45d2df3b61da8d06f7b4f6a171b699c371b27b90

SHA256
fac2c19956c4bea5dcd24ab2deef46df4b0151cb1caa6ee147dec046c85c1ed5

SHA512
2bac08be253531507e4ade794551f7ff99c7c2d4496225ecd62f69c903c0bc886ffeac9bb8f99852e7816306704cd37a6df30aaf49f0de31838c93fa67893aa0

Download Submit
C:\Users\Admin\AppData\Roaming\server1.sfx.exe

Filesize
846KB

MD5
4c17aa436d9ff1899b4b34efa54d30c1

SHA1
45d2df3b61da8d06f7b4f6a171b699c371b27b90

SHA256
fac2c19956c4bea5dcd24ab2deef46df4b0151cb1caa6ee147dec046c85c1ed5

SHA512
2bac08be253531507e4ade794551f7ff99c7c2d4496225ecd62f69c903c0bc886ffeac9bb8f99852e7816306704cd37a6df30aaf49f0de31838c93fa67893aa0

Download Submit
C:\Users\Admin\Documents\sysproces.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\Documents\sysproces.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
C:\Users\Admin\Documents\sysproces.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
\Users\Admin\AppData\Local\Temp\dgsfgsdf.exe

Filesize
976KB

MD5
0c8e9299cd362ddc0b6d6ec21d0959a3

SHA1
2d952d6ed245a3698c8a2157f8e6e52805dc6d28

SHA256
73a52bc9ce0ae6c53926a8a865565e6af19c0482c2cd13c71fb7803e99eb73e5

SHA512
8e644834fa2bef5cd6a7962d472f16a200e325f9f5b6a06a9ad88204f2a5ef0a9cbe2e77a28808dcd61f859b8a2814299f294c5d268c9f9418295f035455ba48

Download Submit
\Users\Admin\AppData\Local\Temp\dgsfgsdf.sfx.exe

Filesize
1.5MB

MD5
ede974cca5d03f063e5f54cc166da9b2

SHA1
5cf6253caf78ab6801c53aa625c4194af13bcedc

SHA256
a20026e02904bdcf3f4f3c92d8cb60509be9681422fe3d835b9e65c4eea78359

SHA512
2bfc9bc0186da1ca8ee42ca938219b6c43653c1b95e970c41b3cd13c5563fb11458b9e25681e4a755e5c4fd475291a13a7f4281104e427e3009e5720e0de554d

Download Submit
\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
\Users\Admin\AppData\Roaming\server1.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
\Users\Admin\AppData\Roaming\server1.sfx.exe

Filesize
846KB

MD5
4c17aa436d9ff1899b4b34efa54d30c1

SHA1
45d2df3b61da8d06f7b4f6a171b699c371b27b90

SHA256
fac2c19956c4bea5dcd24ab2deef46df4b0151cb1caa6ee147dec046c85c1ed5

SHA512
2bac08be253531507e4ade794551f7ff99c7c2d4496225ecd62f69c903c0bc886ffeac9bb8f99852e7816306704cd37a6df30aaf49f0de31838c93fa67893aa0

Download Submit
\Users\Admin\Documents\sysproces.exe

Filesize
431KB

MD5
9fc201ee8dc0858eb84d692ca4ed4976

SHA1
4f4ef55ac0dcbcd6112e3fe9ddfb253f99f2f261

SHA256
0c04a2d136b665e6ed8b1556e4620fd6302aa849849bfe25b26d57c96ab8940b

SHA512
03fb4b4367d9c89381f75deea138d2aa24de516b080d2277ed25858ed412fe8d2800ada31435b70ad79dbeecabfc2a15b7477a4c2aa29aa77f0951e1aae04fec

Download Submit
memory/320-109-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/320-107-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1600-78-0x0000000000910000-0x0000000000986000-memory.dmp

Filesize
472KB

Download
memory/1600-79-0x0000000072F00000-0x00000000735EE000-memory.dmp

Filesize
6.9MB

Download
memory/1600-80-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/1600-81-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/1600-82-0x00000000008A0000-0x0000000000918000-memory.dmp

Filesize
480KB

Download
memory/1600-83-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1600-87-0x0000000072F00000-0x00000000735EE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-97-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-100-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/1684-112-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-101-0x0000000000BD0000-0x0000000000C48000-memory.dmp

Filesize
480KB

Download
memory/1684-98-0x0000000001390000-0x0000000001406000-memory.dmp

Filesize
472KB

Download
memory/2104-6-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/2356-105-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2356-106-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2356-113-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2404-88-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2404-94-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2404-84-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2404-89-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2756-99-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2756-8-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2756-7-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads