f75547146f5ba78088147454ca07256851c31a0c1b50c894f2fe9acba745cff7

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb172353a54e2877958a81e01fb56120.exe
Size

29KB
MD5

cb172353a54e2877958a81e01fb56120
SHA1

d00ecf6bd9054a48f55bb057b407df54c476a69f
SHA256

f75547146f5ba78088147454ca07256851c31a0c1b50c894f2fe9acba745cff7
SHA512

e53f10762d3cad9489288b8785a93c90bf897e43ab3c8b6b7293689349bde86c01fd8e71f4cbc080d3a6205ca6cfefbbe311d0c600e8753951ffa5bd41fb01d5
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/S:AEwVs+0jNDY1qi/qa

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2240	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x000b00000001226e-8.dat	upx
behavioral1/memory/2240-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000b00000001226e-7.dat	upx
behavioral1/memory/2236-3-0x00000000001B0000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/2236-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2240-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-22-0x00000000001B0000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/2240-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000600000000f661-60.dat	upx
behavioral1/memory/2236-852-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2240-853-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-863-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2240-864-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-868-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2240-869-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-873-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2240-874-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-897-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2240-898-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-902-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	cb172353a54e2877958a81e01fb56120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	cb172353a54e2877958a81e01fb56120.exe
File opened for modification	C:\Windows\java.exe	cb172353a54e2877958a81e01fb56120.exe
File created	C:\Windows\java.exe	cb172353a54e2877958a81e01fb56120.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	cb172353a54e2877958a81e01fb56120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cb172353a54e2877958a81e01fb56120.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cb172353a54e2877958a81e01fb56120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	cb172353a54e2877958a81e01fb56120.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	cb172353a54e2877958a81e01fb56120.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	cb172353a54e2877958a81e01fb56120.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	cb172353a54e2877958a81e01fb56120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	cb172353a54e2877958a81e01fb56120.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2240	2236	cb172353a54e2877958a81e01fb56120.exe	28
PID 2236 wrote to memory of 2240	2236	cb172353a54e2877958a81e01fb56120.exe	28
PID 2236 wrote to memory of 2240	2236	cb172353a54e2877958a81e01fb56120.exe	28
PID 2236 wrote to memory of 2240	2236	cb172353a54e2877958a81e01fb56120.exe	28

C:\Users\Admin\AppData\Local\Temp\cb172353a54e2877958a81e01fb56120.exe
"C:\Users\Admin\AppData\Local\Temp\cb172353a54e2877958a81e01fb56120.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aea0227f47a9b19c296ea657697eef40

SHA1
f95b1027a59961ffde05f2ab7ef365ff2abce5e8

SHA256
9fa716945b0aa270963f57108de8d166ad29818f34d13020c255dc443658d9ea

SHA512
c4a4e7679ff8d62c729984cf87e6c045c2da16705b210bb82bd77227df2c204d6515b1a744b813e5f6f362bb2e4606f596187d217873635f6fab7e70c9405015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f6a3b7355c211b0e6743395f9d89cba

SHA1
b1f479ff86cadaa45279d71b6f18c34a92589a6c

SHA256
98ccb7a3cae2ee7f9940d67caecb7d485603997bdd3c842cb4d8715cff99002f

SHA512
7babbe858d01c85e5624f1188236898fd45e9d5304f072f271b2f357cac888fab26c3d6d303475be8520bfa5ddd4232bec7cd49e819e4a1c7ee56b4b58557ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afa9e7ddcfd2ecf885ce0e6dc45daac0

SHA1
e05a38abb59600f9fc805e4ad0fb565a9c1e5f5c

SHA256
8b3c00fd50b70302584954c2b0176fb72f68e5f7ac05038dfa256d4cf9a2d15b

SHA512
db9fd9d188c543197b5713fabe75acdc9c32acfbd6e61baa01e57ad033ea2986bcd4ef46379060d194e6c87d18207521dfea28607b13446a2e5748e4a5f2810f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afa9e7ddcfd2ecf885ce0e6dc45daac0

SHA1
e05a38abb59600f9fc805e4ad0fb565a9c1e5f5c

SHA256
8b3c00fd50b70302584954c2b0176fb72f68e5f7ac05038dfa256d4cf9a2d15b

SHA512
db9fd9d188c543197b5713fabe75acdc9c32acfbd6e61baa01e57ad033ea2986bcd4ef46379060d194e6c87d18207521dfea28607b13446a2e5748e4a5f2810f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b00698e0b99167154af4fc34e6e4cd40

SHA1
87a71efcb1e8d9a282f1140826e2c457da29581e

SHA256
cc70f2115eb1de838d7887c07f444d520200d54787e3ee224ff3a9d62008d059

SHA512
a483ec2b0d2eb47433114078da04e3fed05d0fdceabc1507d29c6b75f9111d644fc75353835cc72d03de7c6180d044dfc6bfd45a9c19cbefe244ee5c798d396a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a19cc0c7a666c92618389035cc59944

SHA1
5f5122c753bfc0ab1c6a7a86bc512724f7df3e67

SHA256
e5746d11b1ee0e11d538d039d45f7f7fafeeecca574fb9f19ad667c4a5a889ba

SHA512
1457c4bdde700aa1fe0e3bdb774f54be99f6e8837c61fc0bf61ce12b9038b334086d32d697eb3dafc01e9e0b81542a2783f2ed6d1416e3ad1aac44aebe5d7d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60753da7a9a9bcd6df10c41dd56ba6fe

SHA1
fdc2af560014fea6171038004c28d11c7d4a3dfb

SHA256
06b0e1e31eedf69b72ef0873f0ca2d2bc4616d782d6ba25497ffb4eeb3df0591

SHA512
45dd4c115a87849b1da64446b1791ab3a530d22ca37ceb6a2ba7017c9d93057542ecbd953b9b4322aec710d9595518d957f6ef2ac5e32222f5ee116e52a314bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c64531cbb5b00e7af11e661230e32a3

SHA1
d9ae00e3d1c2e25bf6d4460e4fa5641f2e0fe8b3

SHA256
07774314177ad5cf1ffbeab47b742f62bfaa23377ce190a491d13126ee1b2f0d

SHA512
0edea5a882ad9ff51f74a90a2e0caee98d0b52d01607555eeade325be81f1ae732f9d10804e9e07d046d2b6d245e3f20fa71bd2eed5ea1b6da1a109c1a2b568b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
359dee2d13d341b57188a7a1c4570371

SHA1
d51431e9fd273d33a803ac3a5c53675d12548eda

SHA256
e07cead263d467fe9fdfe08738907dd7286fe9bce69995e1f26875df22d32a77

SHA512
6ec88266d428351769439665880346b43334f867a712ed3c64f9d00012ab4d8ad58014a0f330d7e8c69eead3f476330e8c1e897ea6de0adae358e3d9ac963741

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3827945f86c317196bad06bdab5af5e

SHA1
81678ae93f4c96ccf63af7740284f202166dcd38

SHA256
9fed26fc7a1d4dc48a7aeeaac3fbc429b40fcf7c0c0f58f5b2e3af52d8f40f4e

SHA512
87196d44dca22669188cfd65e6ff399a9e5a97ddcba6e3f4d0ef3a9c06d52f49f06e473ccf43109101b78cf2d1c99761a259990b7e69bf98ccddfeb23aa58d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c224ec56de7893857b740c2d8a1b025d

SHA1
b67c422add6152a44a7058238bcc4df3baefab93

SHA256
7c4ca1eaa0f72d504db2f3f8e3ffb6a143e6595ae5fc44a395f82bde9019c59a

SHA512
be82cdf9d897ce602efaad7b25e0f24456f056d9554fb7427a3dd123a6748d6369d1f0245bbf37377ef720ff09823d163a48de729857c3e8edd7554a93d63807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7c04b0072e1b62609d6efd38660c188

SHA1
aa7e60eaa948e255a4496da77b79cebf907f14ff

SHA256
074ac4c0a4541bb9d1e9c4fa2ad22743c9bec27b87a399dad2682e18ca5b02e9

SHA512
0c0d7fd31a2962ae440048ab29f0243ab60aa02d141d88873f9eae7d9e34e4c60afa83e0711759cb32535d22792b2521972bb86068a47ebf76ecf74fd52cbd2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b66a3ac83e4f1f1252db6ef12d44ce8

SHA1
3d9512c46ebafd27c232239505bf5ba88c5e9bb4

SHA256
f54ed4e50dd76c2a2531bb1cdc8705643d2d44c2d1ffbb58983049c2d0876c47

SHA512
fbc5c64ffa18e0dcbee3c3dce8df16f469873e41c539c76f23d1dc94159fa8e073ecea13a6cc03e0f6aaa1ebebb64958973ead8f1bd62cf0d656c132543cc5d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
debf85bf71a71574baee1752ea8f6a90

SHA1
7725f4996b7d61ccc1ff3d34a2bcbc1df321f04e

SHA256
c47d3e114529f066c0da8cfe531bed37701b1c0e49cd3941a6f3ac0055e5bf93

SHA512
4f7f2931d01501010edc2df71647028575d26d5f8c9b177769e147de6c5c241c54b1d8ef1b770f262c383ec5ae63d1ce30b12f83930a5eae6719c7234469ffb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB100.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB190.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6DC.tmp

Filesize
29KB

MD5
a94eef0470f4c7ca3359d7c55ca1da75

SHA1
53a99df21d161478650c6951fa9e47af4ddc5c88

SHA256
5bab011858f3a8104a8d410510884e8c3e271c062b2a01cf0ac0f5d443891950

SHA512
98dc1eebc72b379c285bfd94fc822875dae32d2ca389f45e4be964490f0aaf1cdc0d97835eef3ed2e79aab57dc4510f89275320dd511fe3e63e32fac6fe5dfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
b9d77e7654063ea1655d8abb1b33f6a9

SHA1
26ddf2569c10077e78a2bc4d68e0275ff582998f

SHA256
965a393fd7e33dff428a9dc1ed0965b9e78281a13bf9f0244c8433c165e07cfa

SHA512
aa25e105d135d08e0d5f1a0d169294c49111e6eda56062561f2f851536433cb0a513ba1807eb5ce48feb3f08de131b84ca9bdfce3b9d67bcca2513c20e2daa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
382b1ab934313f0a3916cfc724817fc1

SHA1
3e7fb9f1b0eb83c5c2c97a62f37ff7c25bb20a4f

SHA256
17175193569e70cf3e5103ef8c016c84b4ad1b7b3a5b3764026b2aa81c5177d5

SHA512
974cdf1e5c9fb2d4c1b70169d74c80820a5c463109fe48c974dcdd6c9c7246bee1017155452929c08b8191ab51eea1c3630e8b2fe4f194d4c6f9c692b4e18c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
bcdfbbe1c8ea69e1e880b0f4ead631ef

SHA1
1af570ed957dc43ce655acd7f88faad2bb7fb268

SHA256
c9c67bbdeef391f42edca385f555c18f3a51bd726413dcfdfc23bfb0374bb500

SHA512
b6e389dde449cd91153654702f908309b2bfceeaf7bd3cc57849b8bc3fb4ad956bffe771568a324ae1238e62ba818de9b14bcc34120ef6e06e2c9b57efa92d84

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2236-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2236-868-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2236-873-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2236-863-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2236-22-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2236-852-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2236-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2236-11-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2236-3-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2236-897-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2236-26-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2240-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-864-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-853-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-869-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-874-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-898-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-902-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads