0895e59903e8b2cec85df53120f4f241a1fa2856316bc8deeaff1da0fc30e7be

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Size

29KB
MD5

8d6d743488b116344fdd07c3b55e7890
SHA1

28a8ceda2d756359b6c44ef833f5a2c1c1695a4e
SHA256

0895e59903e8b2cec85df53120f4f241a1fa2856316bc8deeaff1da0fc30e7be
SHA512

a562ff0e5a02cf6f6d7658f405bdacf599299063595d4a6993c6fe6dc622543b016b1df64176168983bd0045387050cc9b9be7c3494077baf2192d245b345e92
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Dh:AEwVs+0jNDY1qi/qN

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2516	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x00080000000120ee-7.dat	upx
behavioral1/files/0x00080000000120ee-6.dat	upx
behavioral1/memory/2516-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2544-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2516-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2516-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-71.dat	upx
behavioral1/memory/2544-451-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2516-452-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2544-1062-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2516-1063-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2544-1631-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2516-1632-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
File created	C:\Windows\java.exe	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
File created	C:\Windows\services.exe	NEAS.8d6d743488b116344fdd07c3b55e7890.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.8d6d743488b116344fdd07c3b55e7890.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.8d6d743488b116344fdd07c3b55e7890.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2516	2544	NEAS.8d6d743488b116344fdd07c3b55e7890.exe	28
PID 2544 wrote to memory of 2516	2544	NEAS.8d6d743488b116344fdd07c3b55e7890.exe	28
PID 2544 wrote to memory of 2516	2544	NEAS.8d6d743488b116344fdd07c3b55e7890.exe	28
PID 2544 wrote to memory of 2516	2544	NEAS.8d6d743488b116344fdd07c3b55e7890.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.8d6d743488b116344fdd07c3b55e7890.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8d6d743488b116344fdd07c3b55e7890.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
641cc196300f63bb1fa3cf031db1f068

SHA1
d5a3ba9138bd494dffbe0b3d7c48adcb38656711

SHA256
28327337dc21ceae766d740396bd2053db9c7ba4e1ee3e82a40b3cd3a3ec823d

SHA512
6bbc0cebd23c16514e7a0e83ed20bbfa9c352ab021cb62f854e02d01005da2067cf85e268629a1727a05d1d963046f6aaa41e2a82820b7c31271c4bf169c4ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4eeee35e18cff06a2df3d9f439418f9a

SHA1
456fb08d881bfaf1a275c838e5d96752bf5d9bc6

SHA256
20ed31e4dbb0c6e1102cf7c9a8636f35c4bdc81172814e54a639226d00b1d22f

SHA512
9520babc2798d6a8d825aff662f932207991db67643277136069a109ffdd84691e3382af833c7b58e652c787956c01f135ca8c08eae004c053f4bb03bbc492f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d54b22990f37617fea855bb6971345b

SHA1
34472acc3e6b1b31721ac26d99cb58d04d5b9f5e

SHA256
259a131a7e9756679f10d76ecbf059647724d7ad17a4cfabc7dfd7e98051f200

SHA512
99da3117e7b4c7bd5b062c50479b0380bcb0eb7a33ee409dbec15d35a5cd78ffceb377144c2810caf74e220e42b220cfb8acbf618509a02b965b92ba058f61dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a95bb9c0c148e87abcd07c30c0065083

SHA1
da0e488309dae81da9a6bf0530dd8104ad5599b5

SHA256
479b9363211cd5f9f47b7803c6b33699ecf5aa869d87022854e4e924aa7ed183

SHA512
c924cc80b12992e365d417d32514d61e267f0bffa90bcc40ee0b10a096f77a7c5686c279601a1fbf7f3bff823cb4db714845470c89e48bc3be9ec08a65e2fe8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1eab4a007cd440c9baa7a48a55db7280

SHA1
770358e9c7fcda61d982858ff3ae16076db52735

SHA256
48be6392b7388ab7490db932b499207168276eeb7f6375a8e5a8bdf96153227c

SHA512
376b747ee2abfc222e130d5d39d4d883cba300c4d8f9b66d041e02ba0f7558f28526513758060d79a336232482e615aa98eb3df6a492480ea54c1f39797a8bd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66c9cd5361abfd3bf0b0badf52444a31

SHA1
78de0b71ab365849f768a11347c06f40a13ec83f

SHA256
c61a11a54e2677f6d6c31a773e52c93fdb2b9c76541da03b6bae0bdab7d7b2b1

SHA512
abc602dcf9a6c0ffe478b0f12c0f18d144c3649df4bd1a4ee4798854a54f98fc4f03ab320d425575428bda5282242479aaac336769cb26b284893e5cd570828a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4962d09030c7874a61cb360837c7132c

SHA1
67c26dcb9e413e20c9f359b197aee1411bb3aff9

SHA256
7746cf06edc4ae2d4653cb0f46c9f1f254af1d1178ca47975a29b505a50e9c69

SHA512
374798800362ef2c3ac9a8a7dff101d15856ee1b61cd02c1613c373a007d042b10fbd239ad6986bc74471b4eb977fc3251a3529a2b7a70782b0d4de84595b79c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f738ee9ea216a7beb257fb46c1509530

SHA1
ae64e5e6b3c3a2caa92f23a42af4238b9443db04

SHA256
20bc24caff4f607ba7d24e4ead0ed1f6fd37cb9f8364208bf143cabb16033009

SHA512
77e277235ee66b635d76ba71efca1d334179b4e28028df3a686e0ab4a38e6194a82657333dd96d94e6a4821da210cf933ce8d5853598146f670ce0fcef60b8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bf01cf84c8c1e0023cf6ef599b90a06

SHA1
a8578d9b677f46d13262fbced91ea4064d1b88bb

SHA256
7280452da7f83399f4059b8bf5a6ad9823ad0af7b762ab953b8bf882a2d59c87

SHA512
2163a57b2a58b6b4972200d2083337351801453df97e75c2ee443fe98360b68ef15b77bc4b5c8158af46dd48e5a594dade662363205f191b6d41ee36b250f622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d992a4edfb0a96620bdb01e64f1f31e4

SHA1
b12d6085b4409daee582f91d68c4588bce9b34e7

SHA256
20803a4d0e94daa65a7403af298040e585a0afda8f2c883a83e197e1cc0f2099

SHA512
a642033a5d0f9bc0b240da45ef4737f2616c1d319cec779646a127bb9168091b63c6855ecfd75c079194cb457b7e67800e1391a59147feb84d4a9b1481932c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79fc6a16023a1b6cfa3ad18f8f20441c

SHA1
9935da2b55de7aee43454c5c60859f0e966b2631

SHA256
060e700d4d14e11b4e234e4efe3df5e7a14847a57edea68e757aacc42982397b

SHA512
0879c26071fc77d6f968161f41181f70fb48957e0557ab446e3b7806f638c8deb569267e2e2e6e61e06f3b2096bf384c77d25691b2ff3449f6bd3c1622c923f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
828e02439181cfd430c7cfb373308e49

SHA1
505c34ea24d51e7e5e386b579523ee8733f02efb

SHA256
661ca9915e89a7b674a021e9362fa3e54385a4fa79e6d6931cc9508fefee70f1

SHA512
a502b625d684a30c91e9026a259f4d1074862206815423d48e6879576626693e681aa69d198160d968034b3a9f1730e9f2a3a3732b519b1c3a36e4441bb987d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ba34d1239bde20ffdc32e9c57f89c61

SHA1
cd871508e2c31b7b6d17f854cc33cfef87cf3979

SHA256
c314c67485fc2f5d57e5192ba9ae7aa398db601328aed734d2720d2bea7cef7a

SHA512
f849bd804d2830e2f7daf7b3c7c9ca7e33996df054bb017e86e43f6c3128a75a52141f1921863be9ea9de60712fec6cf4d2203af9ddf8c5bda2729a442f499cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e5b20d8d91d8988453cb85d20c6a9e5

SHA1
fd212347c70433a7d4a54d4a20a16e4c94ade71a

SHA256
48a8509675ddfca9f9241f07a7b414161a60c9f4a9c717839f34aa343b3a85fe

SHA512
e37c8d25d50eb2e527bcf391402920f5107ed830a3dc7b73fee51f5df7db1cda84abdea35f253a7a9ba69abe50d5ab595db910a65e498303852a59dce639cb71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60fd176e4870b11b97bfd001551525e9

SHA1
b18e9f8a3e9bf85c49161b0765b0dc06afd8753d

SHA256
4c47b2733405386d5696889764a671f1dfe094aac7ed9b343378b105e405d04b

SHA512
cb5e2ec2490a96abf9638a45b536d291fdb9911037e630d3f8cffaff722f99b7ee8dd7482b089d643ceef2fcd723ac655a8d939de5ae582fc05c1c1c36ba69e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7fb1d25dd000dc1b5d39ee51854ae67

SHA1
85ee5d5d15d7ed9fa3003195d5690f8cdf55e243

SHA256
2ac003b6646523b510660cbf736aee88713feb72bab38c89c2eea1da785e26bd

SHA512
356245540747d2ae2dcc381e364ac50800a35caeeec6f56b343120ac7b4fe40c6ab0786d2278a4434444241df78a0a071d62e233c8fa01875140f541d9dc9c0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2dc424bc24dab4ed84fe0b00f208446

SHA1
29703e485469c04711a0e6fff0f702f55d99d5c1

SHA256
feeae9f5447f2ea140cdb9394e9ada3d09ed23b058e5c451a62fb25c45f0a81e

SHA512
a538532e95b8172cf5c3882be8764ba412cea9885f9981105a5186d444a15c008f10e23a73f5afc0f3a2db8c2cf59dbd3a9995908193d0db31f0f15a603a38b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76081da063a3a27323e5a3834b0cc5c8

SHA1
b9305805cbc869225a1d336facc0c8e299a18fae

SHA256
043d0a348d26361c1cdb033cecf34cf4f621bf07b84ff83b46d7dbb25fe9f505

SHA512
8f1821c2d8c1bafd8cc87ef749afe552931b817e290adc6c2093911af44fb1a9a53ddc235ed8f292c3cbe8052eaa683504289bdebc508849c0122472531cb2e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
485afb89cd63070003efbdb91719bfb9

SHA1
9f1a1a17f755840ee0a40a1993a3872f594d6b68

SHA256
eae68c475ab799fb4468cdfd7e5febca245e026d8919a84a47ad8173656f4100

SHA512
f10cbf74dcf4b6df665e19b0dd48af5256667a0b9ed11046ec216ff289a6eecc8b2eb01d18f08aec9f0195199d0764478c66074aaab77f754e7298a2307fe9fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TORT3465\default[4].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZDJKTMWH\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1688.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1689.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC8.tmp

Filesize
29KB

MD5
70cf3faff8b877b833502a57441afa12

SHA1
a693ae89a700c69f05d6800ddcfb499f2a049353

SHA256
ea8bd462d553205fba792976172b0b063692a14477a817cf136c0f4fa01ff5bb

SHA512
0bd7a8eb7e07a49189da7ba450762a79d8317a3ce8d46d53bd2c9791218a685e075a70ee9993d1c0d3552e134dd26476330d463de6998ce599e369f305c36b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucuAhcog.log

Filesize
256B

MD5
30106aea71510951d6ba0a758a68ae54

SHA1
853780d1557dcd149ab45ad8473d4c0de57de917

SHA256
b9c9e4064d631158de61e23070813871b08540873d29a6490c30efb7ecabecc4

SHA512
eab27a64888e96d4bf15e03e06e6a37c451c2397a175dbab0016e41c8b44fc21772ffca38e308ef059cfaf354d4bc2f4ca768e2a5f621292f2ddd1f781149aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
97cec469cefab4ea813282b7993d7c9e

SHA1
c54c9fd987a5e8b5eca7718bc90db29c41c029c4

SHA256
7f9f478463927984196f45ffe91d37a957434c08606ca1aaac6af11203a47f18

SHA512
04aaae0eaac81f9165fd413ed3c623d92f008fdcded6e834041aee5bc52c58e9ba61a9c7dadf3516c80345cd576200817bf487251e92910d118c4521bb2199c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
1d74f1d8ddbe61f28a8312ddd17a5dec

SHA1
d98ad3e9e9456b24d7eb9759e83db72237c03da3

SHA256
2db38d57fa300b8d3cb0d1618b304ecee367cc27e35f69d59ee59c19718eed32

SHA512
f4dd23a29410437617932eaf142d1d3faa16aecce12be9770b3af0c9c684068adb7bf57b8268bbec3b6c82e9bc25c1e8609cc37f85197f2caf3c279fa57e0ba0

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2516-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-1632-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-452-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-1063-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2516-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2544-25-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2544-24-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2544-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-1062-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2544-451-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-10-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2544-1631-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2544-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads