6c3ff8a91d6a6df9352489be1700475528af64cec22fbcfd5c9cbe6c862c3441

Analysis

max time kernel
143s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 13:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b54943a7e20f8ae65bf06cc932a2cba.exe
Size

2.7MB
MD5

5b54943a7e20f8ae65bf06cc932a2cba
SHA1

14f2735cb23eb657232adbee66ac383a1ce093ca
SHA256

6c3ff8a91d6a6df9352489be1700475528af64cec22fbcfd5c9cbe6c862c3441
SHA512

ad8320e0fbeb3baf200913bc01aad6b9769545daa7f9497ff09fec26b10c2e2979b5b48885f1e5880a11613df321906a69ca0962b79ad54b1ea1f5716ff48ac4
SSDEEP

12288:9lhTqkew1rdDJ+3seY8laVi6ZjdIrmTHSbkamx6t/WQnezoSR:9KkdPeNs0e3HqROhj

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2336	wjWmZa.exe
2688	wjWmZa.exe

Loads dropped DLL 6 IoCs

pid	Process
2216	5b54943a7e20f8ae65bf06cc932a2cba.exe
2216	5b54943a7e20f8ae65bf06cc932a2cba.exe
2216	5b54943a7e20f8ae65bf06cc932a2cba.exe
2216	5b54943a7e20f8ae65bf06cc932a2cba.exe
2216	5b54943a7e20f8ae65bf06cc932a2cba.exe
2336	wjWmZa.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-0-0x0000000000400000-0x00000000006AD000-memory.dmp	upx
behavioral1/files/0x000c0000000126a2-20.dat	upx
behavioral1/files/0x000c0000000126a2-22.dat	upx
behavioral1/files/0x000c0000000126a2-24.dat	upx
behavioral1/files/0x000c0000000126a2-32.dat	upx
behavioral1/files/0x000c0000000126a2-30.dat	upx
behavioral1/files/0x000c0000000126a2-27.dat	upx
behavioral1/memory/2216-37-0x0000000000400000-0x00000000006AD000-memory.dmp	upx
behavioral1/files/0x000c0000000126a2-36.dat	upx
behavioral1/files/0x000c0000000126a2-43.dat	upx
behavioral1/files/0x000c0000000126a2-42.dat	upx
behavioral1/memory/2336-41-0x0000000000400000-0x00000000006AD000-memory.dmp	upx
behavioral1/memory/2336-48-0x0000000000400000-0x00000000006AD000-memory.dmp	upx
behavioral1/files/0x000c0000000126a2-45.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\vvn\\wjWmZa.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2688	2336	wjWmZa.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wjWmZa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wjWmZa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wjWmZa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wjWmZa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wjWmZa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wjWmZa.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2216	5b54943a7e20f8ae65bf06cc932a2cba.exe
2336	wjWmZa.exe
2688	wjWmZa.exe
2688	wjWmZa.exe
2688	wjWmZa.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1020	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	28
PID 2216 wrote to memory of 1020	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	28
PID 2216 wrote to memory of 1020	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	28
PID 2216 wrote to memory of 1020	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	28
PID 1020 wrote to memory of 2120	1020	cmd.exe	30
PID 1020 wrote to memory of 2120	1020	cmd.exe	30
PID 1020 wrote to memory of 2120	1020	cmd.exe	30
PID 1020 wrote to memory of 2120	1020	cmd.exe	30
PID 2216 wrote to memory of 2336	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	31
PID 2216 wrote to memory of 2336	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	31
PID 2216 wrote to memory of 2336	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	31
PID 2216 wrote to memory of 2336	2216	5b54943a7e20f8ae65bf06cc932a2cba.exe	31
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32
PID 2336 wrote to memory of 2688	2336	wjWmZa.exe	32

C:\Users\Admin\AppData\Local\Temp\5b54943a7e20f8ae65bf06cc932a2cba.exe
"C:\Users\Admin\AppData\Local\Temp\5b54943a7e20f8ae65bf06cc932a2cba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEUpm.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2120
- C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe
  "C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe
    "C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab70A0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7100.tmp

Filesize
9KB

MD5
931f59968d1fda6fde19c00af02269da

SHA1
237abe6a0f500581234e0ddb3a613c860501bafc

SHA256
db7e91c7c1c55d48d095e3007c7f1f4c33b6f1690e029f3f477355422cbe5da6

SHA512
38bfb4d56299b1819e89ac7e1abf4dc29fee3ecb228e406a4bfb60fdf6f150250755c7163f35466a0be910983faa6384fc32b71e1c1874496d8b70c6f7142df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEUpm.bat

Filesize
137B

MD5
207bacd6dabb769f3c2751f74a59e2aa

SHA1
c081965aabb0e16aaac584b08820d4bd6b2e40a6

SHA256
7b92b3818a50b0ae978fb035bedea2f42b097855fb2ac1ac8482c2b8e5cdbe91

SHA512
4e2c1042950b99a101b18c7b7361b0b09be9a9bef1f91ec1abaa6ea6408905729d1d52c41f5e9a6b035b938286cdb8f96e8f5871060ae4c56d7846e7673d67a2

Download Submit
C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
1.7MB

MD5
d76717588b0dd35c51e0379dfb55b582

SHA1
53603cd72058c8ae3a71bef0b9ee8bc06875d260

SHA256
89833ab92e4eefd7261b19bbb5c0715f17827f109e686fdfb938b5ff3c2b88f6

SHA512
d47009eca4ea88e1ea47697f48cda6652e0273bdcfedabeac67962641f7860ebb63d815aa7cd5109b8dde2417d09f12b472bce03c0577ca1dcba44ddf5c9b7df

Download Submit
C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
980KB

MD5
5fd462c588504292894f1d464d875239

SHA1
963446671c1763620f330fe875eeb2259ed3a9c1

SHA256
144cb776420918c6f8a7213835c439e41e67f35f914d0c2999791337b9cc8c1e

SHA512
f938512941c8abc7d21c136aa2e38e542d68bce1389cf27b1239a490bb8429226bf9613e9101d64f4537695e8033f8b61b8fc0717c9787ff9e20124181ce6973

Download Submit
C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
700KB

MD5
bd6acd054d0bcdbded38fdf6d35637b7

SHA1
df4539c7070cd9dda8bdc815c42d9f7855931603

SHA256
432d4f3310b31632e8fba18947edff1be20da952a1d0a613c5a1dbdbcd46c9e2

SHA512
ae57ddb169913b8f5cf6e11ea1a35f44059083e1ac47e29d7ce395e8138061cdc60a49b4e69c0640e550fea82a4e4da0470f70b38f936c2272b4a529d5548a66

Download Submit
C:\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
1.2MB

MD5
6d4c74aff2ea576aa91932cb35b37bcf

SHA1
e8403421769573ecdd4f69086385fcc6520807f8

SHA256
b06371e0338c13f2fa6379861b44bb6388b2f06c7f48452ba50df22f3bb3fad9

SHA512
8249a50378d3ba27b42eda1f8f95da00fa022408bc6b38762a8f6bcc0c9133dc0d2a2839bbceae0df3eb49cea926bbf8ba1aa6d471e0d948e23b0473a18080aa

Download Submit
\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
128KB

MD5
12b08d60901b84398a3f5f0cd6623853

SHA1
ddd5329dc12201a5a615accc32c7aa3033eca4a5

SHA256
f6dbc554ae6e1f76524fa6ec1b79906fe378eb55098872ca006b94efd159a253

SHA512
95eedb479fa1058bf5c03fa4216f8414f1e6e76246edf81c6b9b02400fe1722291cf0afaf1925b57c5a8f488cf4d4c0ad8daf3283c1682acc2fa78b58a214f14

Download Submit
\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
1.8MB

MD5
7717f47753e28919428aa25ae7846adb

SHA1
56df0b5a0cca3d1598cf0b299cef57d626db5a38

SHA256
d729bbdb093f5cd40e4dd606480a1dc76718936b456f376659d0176f6a32571a

SHA512
2dd9e06a055713e9af4f349fc67a2f8e0277312a7925d87605eb8a9c4935194016d0b0684c77b26ffcc370b9b2670599dc85d652b441b67b9fcd7cb7a9e9e902

Download Submit
\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
1.6MB

MD5
87d06c117cfa9abb773733dcf92aeb92

SHA1
0ffa6916f2eab24457cdf016ce3cb6d2cb02a189

SHA256
f4cf6e23bd6b38345704e99f3ba5802c440ab66d65b9a0db4719109dcad7536c

SHA512
eb51d92344bbf167a9c213edff5027b5da6a14d8d2c5940fd8d875dd732a4acb5077faf75b02916f129589df0da062282b3dad07c6bc30c3bef768ca748ea809

Download Submit
\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
996KB

MD5
ac0917443b325d53e9430d5acbfce220

SHA1
2eccc05886a8adb6248e5463ea155d9572847c42

SHA256
e212e31977cd8866db908092a778aa11181587683156f0b8911e9b5583c810bb

SHA512
05453e79e873c59beacb3c7c29d2460f8bff01061bfa7e10b8079c21572af7d59a5680a336dc9b6eec230d9d62b68c807be6ab20b279c42e6e8e32b0e25531d0

Download Submit
\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
1.2MB

MD5
cd8bafcf2c0f571f6b816661b9569732

SHA1
47df1a28b04cd35df5e62c4cc913e127bfc26336

SHA256
f57dd31c86c89fda80824fa34db3da73e27b5e6ff73a10895c3d8c6cebfd3675

SHA512
61eee9e02570a72e7f27e89246872704e95b17d639d8b2c204d3a1ca56359e4e5445d49554f4693d593a5e521167aef45666b6ce263001f109a9cbb63e5f008b

Download Submit
\Users\Admin\AppData\Roaming\vvn\wjWmZa.exe

Filesize
1.2MB

MD5
a20c2b6b098e18c57ccc29308a3311bc

SHA1
bfe52f9459cc6a6b93c9b49ebe7eaee0e008d83b

SHA256
1da06bfb0b0890239b6efddf44632a59135f66ea7b40790275bb4ee1881b02a5

SHA512
1d8cd2b56d8e1ef858f8b5efa8acb1378a221e97150eb539dcf57950876b42064c6c53926d4bdda1d7b1c26551f914f84dc271d7b2f7cee90ca5601832cf0acf

Download Submit
memory/2216-37-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2216-38-0x0000000002EB0000-0x000000000315D000-memory.dmp

Filesize
2.7MB

Download
memory/2216-0-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2216-35-0x0000000002EB0000-0x000000000315D000-memory.dmp

Filesize
2.7MB

Download
memory/2216-34-0x0000000002EB0000-0x000000000315D000-memory.dmp

Filesize
2.7MB

Download
memory/2216-113-0x0000000002EB0000-0x000000000315D000-memory.dmp

Filesize
2.7MB

Download
memory/2336-41-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2336-48-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2688-44-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-112-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads