3Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
01-01-2024 15:27
Behavioral task
behavioral1
Sample
samples3.zip
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
samples3.zip
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
05cf6eee9b0b2c049cec8ce775de0636ade55f23a51dc833170f09445719abb3.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
05cf6eee9b0b2c049cec8ce775de0636ade55f23a51dc833170f09445719abb3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
0fd8500fdef116abae01a1dcfed2db9784bbcb753488710aa1048f2aa0fd111e.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
0fd8500fdef116abae01a1dcfed2db9784bbcb753488710aa1048f2aa0fd111e.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
11edf9436a9205c88c2a815cf6ebfb0a7a42eb150a2649766b3bb30350ee35ed.pdf
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
11edf9436a9205c88c2a815cf6ebfb0a7a42eb150a2649766b3bb30350ee35ed.pdf
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
33aa57b04bbdcf9617ed334dda4aee9502be652771899c75937f0e1223c7e2cb.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
33aa57b04bbdcf9617ed334dda4aee9502be652771899c75937f0e1223c7e2cb.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
3643464a225aa2ad5c9c9657d4fd05b943fdd9c04ca36b9d3610a04332909d19.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
3643464a225aa2ad5c9c9657d4fd05b943fdd9c04ca36b9d3610a04332909d19.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
37e2f977559a58cb33f7128ad7699a5c4f7c0013d8d83b1eda93a59ae35ba526.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
37e2f977559a58cb33f7128ad7699a5c4f7c0013d8d83b1eda93a59ae35ba526.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral19
Sample
54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
603d665f09a9a199a4b5b9f8d1841a07ae9c525f275fc54c7cb15953d73ff568.exe
Resource
win7-20231129-en
Behavioral task
behavioral24
Sample
603d665f09a9a199a4b5b9f8d1841a07ae9c525f275fc54c7cb15953d73ff568.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
6ea27a08617ed35f8340fcc9eda5ccd7316eed9b192e3a7efd4cd5e1b8a4fc7e.exe
Resource
win7-20231129-en
Behavioral task
behavioral26
Sample
6ea27a08617ed35f8340fcc9eda5ccd7316eed9b192e3a7efd4cd5e1b8a4fc7e.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
73af283fcb06a9ea35ea6ad24b62b302459594f4b09dbba2d74001bf90ab020c.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
73af283fcb06a9ea35ea6ad24b62b302459594f4b09dbba2d74001bf90ab020c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
7e41197b74e2dcc6c0563d4b71a4ad16293909889ce4f1c5ab214bdd59088667.exe
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
7e41197b74e2dcc6c0563d4b71a4ad16293909889ce4f1c5ab214bdd59088667.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral31
Sample
a878fed05519b4e0898e26a79cc646c0bb7b9e380c94f06baecc750f0ab97b99.exe
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
a878fed05519b4e0898e26a79cc646c0bb7b9e380c94f06baecc750f0ab97b99.exe
Resource
win10v2004-20231222-en
General
-
Target
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
-
Size
92KB
-
MD5
6c482e3d0fdc8af0182d543371ca5176
-
SHA1
e4de59423b77477cc593b7f31d08252107444524
-
SHA256
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7
-
SHA512
ed217f7c2a0b0ca7716c0c04dc369598371d997590437f70ce68147276ef0cc8e3539306abcd5d16266dc5d4a6b984eab9e8fc5348dc2f6607ddea3eed4e0411
-
SSDEEP
1536:ReybNDac/BiUkGgxjDUsFFtZjSrHOUTS6r17Y4HbmxwRwW:lNDgUm5Fi6Uu6r17p7zV
Malware Config
Signatures
-
Renames multiple (9950) files with added filename extension
This suggests ransomware activity, i.e. the encryption of files across the system.
-
Deletes itself 1 IoCs
Processes:
LshO:exepid process 2908 LshO:exe -
Executes dropped EXE 3 IoCs
Processes:
LshO:exe59a6z0.exeYw3:exepid process 2908 LshO:exe 2732 59a6z0.exe 2840 Yw3:exe -
Loads dropped DLL 6 IoCs
Processes:
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.execmd.exe59a6z0.exepid process 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe 1728 cmd.exe 1728 cmd.exe 2732 59a6z0.exe 2732 59a6z0.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhk7Q0 = "C:\\Users\\Admin\\AppData\\Local\\vLWK\\zbFFHX.exe" 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
Yw3:exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI Yw3:exe -
Drops file in Program Files directory 64 IoCs
Processes:
Yw3:exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif Yw3:exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.locked Yw3:exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt Yw3:exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00010_.WMF Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304861.WMF.locked Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTLVBA.DLL.readme_txt Yw3:exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe Yw3:exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML Yw3:exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.readme_txt Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar.readme_txt Yw3:exe File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah.readme_txt Yw3:exe File created C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL.readme_txt Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF.readme_txt Yw3:exe File opened for modification C:\Program Files 
(x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF.locked Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosefont.gif.readme_txt Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.locked Yw3:exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.readme_txt Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Trek.eftx.readme_txt Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.SqlServerCe.dll Yw3:exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.locked Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apex.thmx.readme_txt Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg Yw3:exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.locked Yw3:exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis.locked Yw3:exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll Yw3:exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\micaut.dll Yw3:exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdaosp.dll Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF.readme_txt Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.readme_txt 
Yw3:exe File opened for modification C:\Program Files\Java\jre7\bin\javafx-font.dll Yw3:exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt.locked Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.locked Yw3:exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui.locked Yw3:exe File opened for modification C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_TexturedBlue.gif Yw3:exe File opened for modification C:\Program Files\7-Zip\Lang\lt.txt.readme_txt Yw3:exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf.locked Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG.readme_txt Yw3:exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt Yw3:exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.readme_txt Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar.locked Yw3:exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBCN6.CHM.locked Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00120_.GIF Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172067.WMF.locked Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304853.WMF.readme_txt Yw3:exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF.readme_txt Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR15F.GIF.locked Yw3:exe File opened for 
modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteUI.dll Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML.readme_txt Yw3:exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll.readme_txt Yw3:exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.readme_txt Yw3:exe File opened for modification C:\Program Files\Java\jre7\bin\j2pcsc.dll.locked Yw3:exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo.readme_txt Yw3:exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107192.WMF Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML.locked Yw3:exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll Yw3:exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0098497.WMF.readme_txt Yw3:exe File opened for modification C:\Program Files\Java\jre7\lib\zi\PST8PDT.readme_txt Yw3:exe File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui Yw3:exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
NTFS ADS 2 IoCs
The dropped executables are written into NTFS alternate data streams (LshO:exe and Yw3:exe) rather than into ordinary files; the host file LshO listed under Downloads carries the hashes of an empty file, so the payload is only visible when the stream itself is enumerated (e.g. dir /r), and file-hash checks that read only the unnamed stream will not see it.
Processes:
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe59a6z0.exedescription ioc process File created C:\Users\Admin\AppData\Local\LshO:exe 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe File created C:\Users\Admin\AppData\Local\Yw3:exe 59a6z0.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.execmd.exeLshO:exe59a6z0.exedescription pid process target process PID 2964 wrote to memory of 1728 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe cmd.exe PID 2964 wrote to memory of 1728 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe cmd.exe PID 2964 wrote to memory of 1728 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe cmd.exe PID 2964 wrote to memory of 1728 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe cmd.exe PID 2964 wrote to memory of 2908 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe LshO:exe PID 2964 wrote to memory of 2908 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe LshO:exe PID 2964 wrote to memory of 2908 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe LshO:exe PID 2964 wrote to memory of 2908 2964 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe LshO:exe PID 1728 wrote to memory of 2732 1728 cmd.exe 59a6z0.exe PID 1728 wrote to memory of 2732 1728 cmd.exe 59a6z0.exe PID 1728 wrote to memory of 2732 1728 cmd.exe 59a6z0.exe PID 1728 wrote to memory of 2732 1728 cmd.exe 59a6z0.exe PID 2908 wrote to memory of 2812 2908 LshO:exe net.exe PID 2908 wrote to memory of 2812 2908 LshO:exe net.exe PID 2908 wrote to memory of 2812 2908 LshO:exe net.exe PID 2908 wrote to memory of 2812 2908 LshO:exe net.exe PID 2732 wrote to memory of 2840 2732 59a6z0.exe Yw3:exe PID 2732 wrote to memory of 2840 2732 59a6z0.exe Yw3:exe PID 2732 wrote to memory of 2840 2732 59a6z0.exe Yw3:exe PID 2732 wrote to memory of 2840 2732 59a6z0.exe Yw3:exe PID 2908 wrote to memory of 2304 2908 LshO:exe net.exe PID 2908 wrote to memory of 2304 2908 LshO:exe net.exe PID 2908 wrote to memory of 2304 2908 LshO:exe net.exe PID 2908 wrote to memory of 2304 2908 LshO:exe net.exe
Processes
-
C:\Users\Admin\AppData\Local\Yw3:exeC:\Users\Admin\AppData\Local\Yw3:exe 3 C:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exe1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2840
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view1⤵
- Discovers systems in the same network
PID:2812
-
C:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exeC:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exe 21⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2732
-
C:\Users\Admin\AppData\Local\LshO:exeC:\Users\Admin\AppData\Local\LshO:exe 1 C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view \\CALKHSYM2⤵
- Discovers systems in the same network
PID:2304
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exe 21⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
-
C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe"C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2964
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\LshO:exe
Filesize
92KB
MD5 6c482e3d0fdc8af0182d543371ca5176
SHA1 e4de59423b77477cc593b7f31d08252107444524
SHA256 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7
SHA512 ed217f7c2a0b0ca7716c0c04dc369598371d997590437f70ce68147276ef0cc8e3539306abcd5d16266dc5d4a6b984eab9e8fc5348dc2f6607ddea3eed4e0411
-
\Users\Admin\AppData\Local\LshO
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2732-30-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize
104KB
-
memory/2732-23-0x0000000000250000-0x0000000000256000-memory.dmp
Filesize
24KB
-
memory/2840-3258-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize
104KB
-
memory/2840-14899-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize
104KB
-
memory/2840-47087-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize
104KB
-
memory/2908-182-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize
104KB
-
memory/2964-0-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize
104KB
-
memory/2964-1-0x0000000000260000-0x0000000000266000-memory.dmp
Filesize
24KB
-
memory/2964-15-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize
104KB