79eba95155306bb40322960e71813d3e073f56dd427857ef2bd0985b6b15f733

Analysis

max time kernel
49s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e228a6ae12748e92fad02d2f32b41da.exe
Size

108KB
MD5

3e228a6ae12748e92fad02d2f32b41da
SHA1

c908a9b3f11a09931883d7725aaf6ee0764696c2
SHA256

79eba95155306bb40322960e71813d3e073f56dd427857ef2bd0985b6b15f733
SHA512

88088c7f8279d0a05e898e5aff9f369a563c08c6ed36c56af1581cac4da8a79be405e6829015f789795bf124ec487ac3904646aea6aafb6cf106e0db296df69b
SSDEEP

1536:cXoahnLiXUnpncVZRoOvnpKZb+1dG4ZsfLKBFbfcOOT8bTnNhsnXRQ:xUQwnc/RoOxKN+1dG6sLCF4OmmTNhi

Score

7^/10

adware evasion persistence stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	3e228a6ae12748e92fad02d2f32b41da.exe.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7OEUY0K9YEI.pif	3e228a6ae12748e92fad02d2f32b41da.exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7OEUY0K9YEI.pif	3e228a6ae12748e92fad02d2f32b41da.exe.exe

Executes dropped EXE 2 IoCs

pid	Process
1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe
4632	DOK4QO3QW7.EXE

Loads dropped DLL 1 IoCs

pid	Process
2752	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3e228a6ae12748e92fad02d2f32b41da.exe.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\TG1UOP2\WPDV3.exe	3e228a6ae12748e92fad02d2f32b41da.exe
File opened for modification	C:\Program Files\TG1UOP2\WPDV3.exe	3e228a6ae12748e92fad02d2f32b41da.exe
File created	C:\Program Files\TG1UOP2\7WM4IEV6.exe	3e228a6ae12748e92fad02d2f32b41da.exe
File opened for modification	C:\Program Files\TG1UOP2\7WM4IEV6.exe	3e228a6ae12748e92fad02d2f32b41da.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WLOTCFSDJAXNJHY.txt	3e228a6ae12748e92fad02d2f32b41da.exe.exe
File created	\??\c:\windows\wlotcfsdjaxnjhy.dll	3e228a6ae12748e92fad02d2f32b41da.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe

Modifies registry class 58 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR\ = "c:\\windows"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32\ = "c:\\windows\\wlotcfsdjaxnjhy.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\InprocServer32\ = "c:\\windows\\wlotcfsdjaxnjhy.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\VBSFILE\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2548	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4812	3e228a6ae12748e92fad02d2f32b41da.exe
4812	3e228a6ae12748e92fad02d2f32b41da.exe
1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe
1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe
1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe
1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe
1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe
4632	DOK4QO3QW7.EXE
4632	DOK4QO3QW7.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1680	4812	3e228a6ae12748e92fad02d2f32b41da.exe	92
PID 4812 wrote to memory of 1680	4812	3e228a6ae12748e92fad02d2f32b41da.exe	92
PID 4812 wrote to memory of 1680	4812	3e228a6ae12748e92fad02d2f32b41da.exe	92
PID 1680 wrote to memory of 4632	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	99
PID 1680 wrote to memory of 4632	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	99
PID 1680 wrote to memory of 4632	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	99
PID 1680 wrote to memory of 2752	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	100
PID 1680 wrote to memory of 2752	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	100
PID 1680 wrote to memory of 2752	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	100
PID 1680 wrote to memory of 2876	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	101
PID 1680 wrote to memory of 2876	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	101
PID 1680 wrote to memory of 2876	1680	3e228a6ae12748e92fad02d2f32b41da.exe.exe	101
PID 2876 wrote to memory of 2548	2876	cmd.exe	103
PID 2876 wrote to memory of 2548	2876	cmd.exe	103
PID 2876 wrote to memory of 2548	2876	cmd.exe	103
PID 2876 wrote to memory of 820	2876	cmd.exe	105
PID 2876 wrote to memory of 820	2876	cmd.exe	105
PID 2876 wrote to memory of 820	2876	cmd.exe	105
PID 2876 wrote to memory of 3464	2876	cmd.exe	106
PID 2876 wrote to memory of 3464	2876	cmd.exe	106
PID 2876 wrote to memory of 3464	2876	cmd.exe	106
PID 2876 wrote to memory of 4912	2876	cmd.exe	108
PID 2876 wrote to memory of 4912	2876	cmd.exe	108
PID 2876 wrote to memory of 4912	2876	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe
"C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe.exe
  C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\DOK4QO3QW7.EXE
    "C:\DOK4QO3QW7.EXE" WLOTCFSDJAXNJHY
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4632
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "c:\windows\wlotcfsdjaxnjhy.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\0GXTOH.BAT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2548
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
      4⤵
      Modifies Internet Explorer settings
      PID:820
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s scrrun.dll
      4⤵
      Modifies registry class
      PID:3464
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s msvidctl.dll
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s jscript.dll
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s vbscript.dll
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s itss.dll
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
      4⤵
      PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0GXTOH.BAT

Filesize
1KB

MD5
52c972f9deb8192ccde1c648220271fa

SHA1
e4839843fc6c8d950e17c64ae31cce74e36733a3

SHA256
f44f8df295aa00d2c7668940de1c3b4eb29f8f40b4bb72a4948d2bcb5c8e5d80

SHA512
e3098da4852421126281bd93dabf13cb2e25897b8bbb71fbcc0aae41bf6cace92cbd71c78c74a77c39ab4de4cc2227e2ba53d71533333ce98cba1106d67f2075

Download Submit
C:\DOK4QO3QW7.EXE

Filesize
18KB

MD5
284ce4bcdb46ee5f52db9f03b92322ce

SHA1
326d2a3b84f7be7f67a3002afe2d6dfd615be0cb

SHA256
339f3b265a4d49461e2151bffd1c23bb520eb0f62d4be6e34b2a10bfead141c0

SHA512
976d08b4249cf1e6cd9931a02efc3c3afbb76d14c4d3e4b4e35f1768a3372d13c07fe32922a0af1f7c4055317821ab6acdfe6646ede827958f8d401035811f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe.exe

Filesize
64KB

MD5
eab9f568147acf44e89576978244ec32

SHA1
985586346cb0a61e3f94ded925316f091c643066

SHA256
7f95048f6d8cb41289f53f49dc609d5bc78d10d4a5ef815a72caa89b69f4cc46

SHA512
b996fe81d661eea29b6c3eb64f8b4096ebc2d35d7d2f8265af2f0ce1d0305fafc45842dae5084e977a23bcdba63320aeea87321bcc9a59e565835ec9efaaf2c5

Download Submit
\??\c:\windows\wlotcfsdjaxnjhy.dll

Filesize
28KB

MD5
63bb6a005523fdcbd61837ce779c7fe4

SHA1
1d5bb3e4ab9b51f5a57a55aa8158df674c4d5f5b

SHA256
0de62e885ab33cf593834da32fb53bf75b241b450189f652825b847b63e3dba8

SHA512
08975d3254f1e11bbc0f8c9425b494afe254ad07177ef22b203638f9942c4321a6cd7fdd12e345063b068c87e9fce9b1994368317e4b57608bf8ba1b2fdcea5e

Download Submit
\??\c:\windows\wlotcfsdjaxnjhy.txt

Filesize
64KB

MD5
38ae321054766975a9253d515db3cec4

SHA1
29e2687378650a854f6876fe152a53191cf0a70e

SHA256
880ca4ac7921c6161222f6e137626567c8951835d02be627dc72917a04d4dde0

SHA512
8f7243a98cd9b71564a982465740ffde09de680c218577f0c37779b2ded3e3a4595cfd21eb811703201b34970bc1a5e2244c02ba623d483eaf8083b9f52515b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads