5058fb7a26e606441356452f6b176a5f6bc51bd906890b1c0c0059b24dab087a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 21:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1383cc8ff27380604cfe4ffbd13177bf.exe
Size

40KB
MD5

1383cc8ff27380604cfe4ffbd13177bf
SHA1

5424565a43eb86ea39251df6bfbfd344c3a7a6a1
SHA256

5058fb7a26e606441356452f6b176a5f6bc51bd906890b1c0c0059b24dab087a
SHA512

6bf71d1d8cc34ae3e0b431d36085d36888e665dd7b60d3affd31edc7180a4abe19ac62324f91dd7e33f571d39b816b53455c4650ba074235e0cbb4b545eb16e3
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHq6SP:aqk/Zdic/qjh8w19JDHq6SP

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000141e6-6.dat	upx
behavioral1/memory/2204-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-374-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-649-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-784-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-868-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-1209-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-1343-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-1519-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-1817-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-2321-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-2500-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2204-2531-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1383cc8ff27380604cfe4ffbd13177bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	1383cc8ff27380604cfe4ffbd13177bf.exe
File opened for modification	C:\Windows\java.exe	1383cc8ff27380604cfe4ffbd13177bf.exe
File created	C:\Windows\java.exe	1383cc8ff27380604cfe4ffbd13177bf.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1383cc8ff27380604cfe4ffbd13177bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1383cc8ff27380604cfe4ffbd13177bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1383cc8ff27380604cfe4ffbd13177bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	1383cc8ff27380604cfe4ffbd13177bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	1383cc8ff27380604cfe4ffbd13177bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	1383cc8ff27380604cfe4ffbd13177bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1383cc8ff27380604cfe4ffbd13177bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1383cc8ff27380604cfe4ffbd13177bf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2204	1700	1383cc8ff27380604cfe4ffbd13177bf.exe	28
PID 1700 wrote to memory of 2204	1700	1383cc8ff27380604cfe4ffbd13177bf.exe	28
PID 1700 wrote to memory of 2204	1700	1383cc8ff27380604cfe4ffbd13177bf.exe	28
PID 1700 wrote to memory of 2204	1700	1383cc8ff27380604cfe4ffbd13177bf.exe	28

C:\Users\Admin\AppData\Local\Temp\1383cc8ff27380604cfe4ffbd13177bf.exe
"C:\Users\Admin\AppData\Local\Temp\1383cc8ff27380604cfe4ffbd13177bf.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13cdc989347fc263260b0e4e20aa0aa4

SHA1
54ac44029a46f2f5a93fa861f7a80a8da5bc5036

SHA256
98e28c3ecac006fb5cd928caf9c28bea708bc777d9425e2ac7adbad2cbf8a618

SHA512
ba1a62450f492bcdb3c468b6e0997d4c9aa58125a4a0c25a020d4921c95e05d5bc0362ed0958c5f277e3703c05a3f86f80631cc2dcdfd64d13238376b4cfbf98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb9cd70255c6b5b9ea657c07e8413a9c

SHA1
621f3e1205570530f870d8ee7fba059e0eca72c8

SHA256
e0ab09027c29f4aae825f27d97504d301b2a08a38a80c44f0e7ec8759aeb7a19

SHA512
a464c0754e0119f9da1aa1dfeeb4ad59b634ee20002c31e9a429c74c20bd1d0b8fc3d692dbf5b90fc3de2413a3a8dc8265ecdebd2135392792d394d40f5836b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
feb846a81ab0e75c94fd38ff08a80670

SHA1
548849b499e7efecca359023d1d7b58316a141a7

SHA256
91013aad12460b5ba959d01c773040aaad9fcdf31b55b4e89aa53ca78cf0aefa

SHA512
637d97086c1a39f6f8da0d3310020ce66f15c90bceedbbeda77efff08e532e5c118664af6c29479afdf6c463301fcea5cadf3cd53b80eb283ee3092d1d93aa4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adb2bcf48b6afef4e1ba0ff619c46bf1

SHA1
59a1a62d60464cac981f5d81a5eb4eb13c48a3dd

SHA256
c0094aee00cd87b5256c1aa67a9e572fd57abb2789579fb49e85bcdcf65676fd

SHA512
bc97da127c0088433c30beb8f9ed91560852182c64cc62438c478784d97c6c18e917cea8ceaed3a8e5da81c9e8a35f795791d6e2b6db016133f0b3c28be7137e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d22ea210985d9ffee16b4540bd17b4b

SHA1
989d4d201a0a1cadd7aedd9caa5b560cc7b45c2d

SHA256
dbfcc94da0f65febbfd9881ef320dea4f9e067b3d0d6ee1ec7e8bcc2fcda0ec0

SHA512
451b2c4c96c30b04bcaf9d677fcd3435b3baeb211d296c2e4e4eac3b340208ea62ae276bb008d32a10185c714b069a73efa2d7e81e3ef687a1bf514a971ba3a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07c31bfade228aeb382a5e033382ed47

SHA1
ce7b27eb0e8e1808484b750cf23341bb3dbf71c3

SHA256
a4d862786931a14605de2fe6229b4a75621b87f4b7e7b88fbc07038a096c98a9

SHA512
41f83035f63517763bee784bfc4986b001c9cee83e77b0ba3185591d5a88c8f9ffb0c75f30a00c364de1bfb65bf093c0392b4f6ee1445e5452c89a7e5b2851c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00ec5e7cba92d4506d8a9e39d0522b3c

SHA1
926d7ad7f205f55dae0f7cec256bbb797ea1d604

SHA256
602b7bf58d6d0ac9c1eed03b984b08f88dd83099e75f3fe6fad1325947345f72

SHA512
67b932c697bcfefd5ef01516d9519115e3e30649637ee2f36c6bf85190b10ea0f230a7ae5cf83f32eb3910e9f4552bd739c3f5891ad272b6098dcb15ea5736c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
938a93e4858a36d6c6d7ef0381f3cc02

SHA1
8d8d6326a037f84df1f69ecd28be28600db7bccf

SHA256
d4f614aa2cc2ec5621310bc741f5cfc4a7a8598359c6fae7a0799c173648d445

SHA512
3286328da59078ec29f51c57a625fa87761569f0f4d99b0722d3140a95fb58aee638f5ad6e384400d3281a42b69ea21c1d44d164a7cbd96e803596191703853d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2a7a3a76f8bdf24e08f6f8060b18c00

SHA1
0dc5e07bdc2551c87024cdbcfa172b2eb965d782

SHA256
3484aaad96bb6b8b6089e242b4b96a4b0347e3f64d44d3cc26914156a3e3fbd8

SHA512
7ea57fe4aac17ee42da46e30a90e0643803bc01e17e0fc5bc27ec828c976ec1a08d412b000744959d3122426071d66c5d98d9a8287915adeb2c4f447cad7bd61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ddb40616afd1f09c7ed65ffe19b375b

SHA1
07273b8a14d0698d7b66d940aa0eaf1c8d53f548

SHA256
0dd2c9a7a94ab261bbe772ac8ec8edbe8e337f305776b724c343d9e4b706f313

SHA512
4c2279fea7724338ce3406f231d7a4835b2791ef22bc688035f54a84562c4f19415510a7d015528ec1f7ab6f6ff24c45a6d64d6017d473ed3090e6ad6697d836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a39b0acc5f5bb13c01597be7290503a0

SHA1
120f678bf7f219c9e03cc39e2c873b4148b4751d

SHA256
8745cf0992ac9dd6a3e5aee83e4e4400a9dc08ef1175850eb39680974ff9e238

SHA512
9ffd17d6e7f6b57f28c3a2902f921ec75971a9c456488b8440686cc9603535c06685e01e91a3e3cb7c1bb38af9b4de7e10ab6741ac907109ffcb8cfb9c7b334d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
854f90b1e97b05d2cebde3f2a0414421

SHA1
327cf5df1913ca30ae34cfe08a086a521dfd2731

SHA256
b6fb0292d54e10007915e2a73e709e8557d64f5945c600f3896aea1e8beaf95d

SHA512
5439106a3197fd3be96d36450e2f7f8c0f3f146469fd6ba14f55c068363f40311a5e4574fde1a8f98ff4c8b5ad8f15cf6886e119bf9abe289692d04029b28167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
69eb14a4952c8ea05c2b1ba6075e819c

SHA1
8a2e5e976e3af221cde43bf2e7483aa6b7c733e2

SHA256
90b3698f591df93342d3b4cf4419c2e5f812ff0594b8b0ab3d69299edcd4737b

SHA512
e84fae9e9fb4b5fc8f3f74cd4b94a5bf1fd62c89e60866fd82c5d2fbea85e10db80a35beab325fc1cfdff68667d17353f1a4e28943a9b138f7efa3872b98765b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QASU0MN\default[2].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QASU0MN\default[5].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3QASU0MN\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GWWXM75N\default[9].htm

Filesize
305B

MD5
46e42f26c7218d036d9d0608bfc83bbe

SHA1
9d6b068eaed89ceedda9e02e59cffdbdb8eb0207

SHA256
5578c64b4212b92c66773c8a2734fb1bcdc9a97d809417589262a5daefa866ef

SHA512
4fcc58402739d520c04d65b54584c4f0267779d244a73b22a2ed3bc502ae991524a7aaf768e30fdaa7c88803270f8494195ebf7aefec51624eeaab80df47083b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU3BD8SP\defaultC7VUXHNV.htm

Filesize
304B

MD5
8251fff4df202c8d6dd6aaf34f4838ea

SHA1
fa88f08dfdeaff6b86873d447fd26cb7d83a694d

SHA256
a17db628f6bdbf4cdc6fe029542404867306406510dbbdb57a047a75ac294962

SHA512
e9c0fe2a920377777bdda16a8744cf80d15e1d1b3c94b704f8a4c4cf54d2529ede4aea8a2d6d38f4e3c4d02f602edfed659db6613ac7c374e5214a201f16a3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU3BD8SP\default[1].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU3BD8SP\default[3].htm

Filesize
303B

MD5
0a53779b07f9c9c56ef169499851915e

SHA1
281bf81610dae812be159f95a0858f88f9b96637

SHA256
b946117d346ecf850135aae1ac65b368f4effd806bf5180ecd3c585f1324dbd1

SHA512
5a5016dcdeef68be7115eafee0a6844e3cc868fa04f353980d924fca7394962d919d8dece40b15b7ddcc867f956fc8c0e522b68688ca409f1671c39e42973dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q7CMXWLB\default[3].htm

Filesize
305B

MD5
f84538b33a071d01320a46b057aef921

SHA1
e7b43145855c43f8c5d43a9b39e707885c17294e

SHA256
e5a764c9c517f97e07ee2c8e1296e5f68ef436ea513eefb639fc40dffac6e1fc

SHA512
eff4fdc3ad9ba8f40b99b3e4f856546b5f2b17d0e715f4529a0c7f9e3150964a2b1625c0f734b643ff4496cfd9d256aa096c7e2c4e1911e6262dc9fd869dca5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q7CMXWLB\default[4].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q7CMXWLB\default[7].htm

Filesize
305B

MD5
28d3586cf0fecdada411e6598d0d24b9

SHA1
87f72f1d3f9eb8682c25d9ffc0397064489903ff

SHA256
3f9df02aa51466baf3b4089857c0c9f84b40e8506a4322f3836ce2b995552593

SHA512
41e79f5946cbf77ec84555acb9cffecaeada064855c41a46b56c3102f0fb406a627d84347ac14a74768db87e93e68ca534887a32d4cf220e013ce24bfdfab0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q7CMXWLB\default[8].htm

Filesize
304B

MD5
3483bf8f41c9a3b9c4acd2c9be5d8d00

SHA1
fe960cf9b9744217b295ed86f66e80c58c4d6052

SHA256
9b402b64c9cddf2ce4c139df23fd6354b51bb218706076d0b6ed1c128df25535

SHA512
1df7f496dcd70238c3982e595964b552548a7100f3b238a65476cc57fb10e3e1d82c19ffc3f4d61ead29657623665126f3e09561bc0feb39f3aa189f603757db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q7CMXWLB\default[8].htm

Filesize
315B

MD5
e510f9586fd45ddb7f0c00cc01b5bb78

SHA1
0f49be1ea6f9228f7fa5877a74df5913d500f44c

SHA256
06dc56e918b87be102dbef5a82c2b9e572d2e4dd4e778026ab8aa59ec58c454c

SHA512
4a6cd27994a9bab95b152bd6be520dfa186b3b067345a350ced80933757ce875bf53cdaf3413ddf1ed14968adc233f7cb6bb2fcda0fa19c4d68e2e9d86416b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA4C3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EAB.tmp

Filesize
40KB

MD5
02bcde96d0d28f715a2190a8d6759277

SHA1
69d98fa204d16516e12fa7b2cb79f0b2a377598e

SHA256
3ee8d33e27a5aeb7f3ae54b9fcd01f982d0f4da4d7a63f11bfc1a931c5af7af5

SHA512
52c360e1a0dd0e43b91969cb7d0dc2cf5ddced446c93753a4c76a9f0649cf3004b4400a14c441cbb4a450ff71e7ec1bf571ef70af877c9cdaa1314809cef75e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b5d47f1468f630b190bc0d422745baa0

SHA1
670d313c396d7ea23146d10875faef0c82343cb8

SHA256
091a8af58b9c40b50069e58e13d3ab5503e3f077452bb151d815be40ea12cb19

SHA512
0c996505ecad320d6b163cd9f57b04ff61bda9aef9b16419c55369acedc382da92836906f7f74016fd0707514abc9703cbde392c8f1473315c59b26bda47034c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ff37640ca66d115878eb7b33cee2a3a7

SHA1
4682df4639f2194eff2be3c01b52bf1bad44e90a

SHA256
5b4cd003fc52f84bfd49270aa56dc53e708c6bda237708d48d9a2ebf03d124f4

SHA512
a80ba72444363bacf90eb8a06e0a8aa5ac2a7c00657e59d2e59a071235784b94096f01de07ed13aa17c4753aafba2a9dcde91c603ec2cc8045f0288ef2cc8a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
06d07b7f8e695802bd1d341d8665821d

SHA1
7091dfe2b90930d5d774fb3c419251b651a1a6fc

SHA256
563eb29dfe27856c0d1f8067763c1e904fd6a40be185735323187d3525167c7f

SHA512
68c161d158d314abec3cfda309adb56beeddda8b157719d2458ddc6100bc7b0f064ce5d039e4362e529a6ba0b1f9ce414379b437e1438612d69587a9b887bdf6

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1700-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1700-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1700-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1700-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1700-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2204-1817-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-868-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-1519-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-374-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-784-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-2321-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-1209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-2500-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-2531-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-1343-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-649-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads