djvu | 0f4d1e6a36a2f6fc4e29b9134a49a081b305501bb6394367f2f48a0387b02c68

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toolspub1.exe
Size

237KB
MD5

fbba6e587d5700e84b4badbd6fcb3123
SHA1

6f4c4e6b88e7cbf87dc70427513a39725ee3110d
SHA256

0f4d1e6a36a2f6fc4e29b9134a49a081b305501bb6394367f2f48a0387b02c68
SHA512

d76e5b8adb3c01c85b1dd297f53518a47f90668aa73759461d94cf957f6b73a132fa57eac0b0feda4d6a2187e7c1b11ec5ccd662505e3b91f0e57cfa047a732b
SSDEEP

3072:ctBS+BisPLWLi80S9pikUD0I54tP1frogEO1u5Nwinh0/b9r:4LMi80+p5UH54N18g4winh

Score

10^/10

djvu povertystealer redline smokeloader logsdiller cloud (tg: @logsdillabot)pub1 yt&team cloud backdoor discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

45.15.156.60:12050

Extracted

Family

redline

Botnet

YT&TEAM CLOUD

185.172.128.33:8924

Signatures

Detect Poverty Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1140-155-0x0000000000630000-0x000000000099D000-memory.dmp	family_povertystealer

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3432-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3432-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3432-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3432-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4920-24-0x0000000004980000-0x0000000004A9B000-memory.dmp	family_djvu
behavioral2/memory/3432-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3068-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3068-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3068-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3864-79-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/memory/848-120-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4300-76-0x0000000004B50000-0x0000000004BB4000-memory.dmp	net_reactor
behavioral2/memory/4300-70-0x0000000002510000-0x0000000002574000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ABC2.exe23B5.exework.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	ABC2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	23B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	work.exe

Deletes itself 1 IoCs

Processes:

pid process

3412

pid	process
3412

Executes dropped EXE 12 IoCs

Processes:

9AE8.exeABC2.exeABC2.exeConhost.exeABC2.exeB325.exeC825.exebjijufr1F20.exe23B5.exework.exefesa.exe

pid	process
3212	9AE8.exe
4920	ABC2.exe
3432	ABC2.exe
948	Conhost.exe
3068	ABC2.exe
3116	B325.exe
4300	C825.exe
3528	bjijufr
876	1F20.exe
4616	23B5.exe
3664	work.exe
1140	fesa.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3536 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3536	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ABC2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1953212a-9e3b-4cb2-8be4-c21cb1417111\\ABC2.exe\" --AutoStart"	ABC2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.2ip.ua
30 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

fesa.exe

pid process

1140 fesa.exe
1140 fesa.exe

flow	ioc
29	api.2ip.ua
30	api.2ip.ua

pid	process
1140	fesa.exe
1140	fesa.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ABC2.exeConhost.exeC825.exe1F20.exe

description	pid	process	target process
PID 4920 set thread context of 3432	4920	ABC2.exe	ABC2.exe
PID 948 set thread context of 3068	948	Conhost.exe	ABC2.exe
PID 4300 set thread context of 3864	4300	C825.exe	RegAsm.exe
PID 876 set thread context of 848	876	1F20.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process

3768 3068 WerFault.exe
3268 3116 WerFault.exe B325.exe

pid	pid_target	process
3768	3068	WerFault.exe
3268	3116	WerFault.exe	B325.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe9AE8.exebjijufr

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9AE8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9AE8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bjijufr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bjijufr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9AE8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bjijufr

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exe

pid	process
860	toolspub1.exe
860	toolspub1.exe
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

toolspub1.exe9AE8.exebjijufr

pid process

860 toolspub1.exe
3212 9AE8.exe
3528 bjijufr

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

RegAsm.exeRegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeDebugPrivilege	3864	RegAsm.exe
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeDebugPrivilege	848	RegAsm.exe
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fesa.exe

pid process

1140 fesa.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3412

pid	process
1140	fesa.exe

pid	process
3412

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ABC2.exeABC2.exeConhost.exeC825.exe1F20.exe23B5.execmd.exe

description	pid	process	target process
PID 3412 wrote to memory of 3212	3412		9AE8.exe
PID 3412 wrote to memory of 3212	3412		9AE8.exe
PID 3412 wrote to memory of 3212	3412		9AE8.exe
PID 3412 wrote to memory of 4920	3412		ABC2.exe
PID 3412 wrote to memory of 4920	3412		ABC2.exe
PID 3412 wrote to memory of 4920	3412		ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 4920 wrote to memory of 3432	4920	ABC2.exe	ABC2.exe
PID 3432 wrote to memory of 3536	3432	ABC2.exe	icacls.exe
PID 3432 wrote to memory of 3536	3432	ABC2.exe	icacls.exe
PID 3432 wrote to memory of 3536	3432	ABC2.exe	icacls.exe
PID 3432 wrote to memory of 948	3432	ABC2.exe	Conhost.exe
PID 3432 wrote to memory of 948	3432	ABC2.exe	Conhost.exe
PID 3432 wrote to memory of 948	3432	ABC2.exe	Conhost.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 948 wrote to memory of 3068	948	Conhost.exe	ABC2.exe
PID 3412 wrote to memory of 3116	3412		B325.exe
PID 3412 wrote to memory of 3116	3412		B325.exe
PID 3412 wrote to memory of 3116	3412		B325.exe
PID 3412 wrote to memory of 4300	3412		C825.exe
PID 3412 wrote to memory of 4300	3412		C825.exe
PID 3412 wrote to memory of 4300	3412		C825.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 4300 wrote to memory of 3864	4300	C825.exe	RegAsm.exe
PID 3412 wrote to memory of 876	3412		1F20.exe
PID 3412 wrote to memory of 876	3412		1F20.exe
PID 3412 wrote to memory of 876	3412		1F20.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 876 wrote to memory of 848	876	1F20.exe	RegAsm.exe
PID 3412 wrote to memory of 4616	3412		23B5.exe
PID 3412 wrote to memory of 4616	3412		23B5.exe
PID 3412 wrote to memory of 4616	3412		23B5.exe
PID 4616 wrote to memory of 2876	4616	23B5.exe	cmd.exe
PID 4616 wrote to memory of 2876	4616	23B5.exe	cmd.exe
PID 4616 wrote to memory of 2876	4616	23B5.exe	cmd.exe
PID 2876 wrote to memory of 3664	2876	cmd.exe	work.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:860

C:\Users\Admin\AppData\Local\Temp\9AE8.exe
C:\Users\Admin\AppData\Local\Temp\9AE8.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3212

C:\Users\Admin\AppData\Local\Temp\ABC2.exe
C:\Users\Admin\AppData\Local\Temp\ABC2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1953212a-9e3b-4cb2-8be4-c21cb1417111" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:3536

C:\Users\Admin\AppData\Local\Temp\ABC2.exe
"C:\Users\Admin\AppData\Local\Temp\ABC2.exe" --Admin IsNotAutoStart IsNotTask
2⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\ABC2.exe
"C:\Users\Admin\AppData\Local\Temp\ABC2.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Local\Temp\ABC2.exe
C:\Users\Admin\AppData\Local\Temp\ABC2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3068 -ip 3068
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 568
1⤵
- Program crash
PID:3768

C:\Users\Admin\AppData\Local\Temp\B325.exe
C:\Users\Admin\AppData\Local\Temp\B325.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 376
2⤵
- Program crash
PID:3268

C:\Users\Admin\AppData\Local\Temp\C825.exe
C:\Users\Admin\AppData\Local\Temp\C825.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3116 -ip 3116
1⤵
PID:3660

C:\Users\Admin\AppData\Roaming\bjijufr
C:\Users\Admin\AppData\Roaming\bjijufr
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Users\Admin\AppData\Local\Temp\1F20.exe
C:\Users\Admin\AppData\Local\Temp\1F20.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\23B5.exe
C:\Users\Admin\AppData\Local\Temp\23B5.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3664

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1953212a-9e3b-4cb2-8be4-c21cb1417111\ABC2.exe
Filesize
300KB

MD5
624c4521409d5f8e7a35d853b2f49556

SHA1
4ffe925336bdf6f7a477075a7b873feab742c235

SHA256
1e2c176239bb2fab8954fa63026be03719e01659c66515d6943d5805e6122140

SHA512
7f6b7453ad76a2deb4c36bd80e3ee4153cb67541ccc46f39d7ccb9ddd150326ec2dbf08a1477940a486daeed874366c64c3897ab5c46c3ccfb6f042314a2c499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F20.exe
Filesize
170KB

MD5
87e7b7a947fad4a9cb71a00d422e935c

SHA1
8d964fd963de9f22b06753f4caca3b9e56d2f096

SHA256
d4012c67b81a62c8b76c433bef191b31fbfa62f91da2b9697691b8ae01bebe58

SHA512
cadbe753cfc616795777f66f7e93cc8bb1f30c3d42b7790af7dd736b16027c15d18827fba2714cba4330373d59cf515c7b2ab64f2041050a752872f5f5e8b581

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F20.exe
Filesize
216KB

MD5
a84549d0e58dbde11cdab6efa831306f

SHA1
5ed7a8874ead62b84680a38d6c06a28c846af81c

SHA256
8cef8e6c70334a0ee44b2236b492b4cb16a3c9db92f6fa8e88c7f2867fb5ad15

SHA512
234fe8974620d21fb29c18d7e6772e286df94c98fcdfbee416d2d3bba01b7530b9d1ecfeec30cd37379e4cef920d598d383e2c596f6ceb38ff8018e97e955e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\23B5.exe
Filesize
68KB

MD5
c980d1869332edf882256cb6d51e089c

SHA1
480b189d58d40bc1fef1919c24855237d9f43df5

SHA256
8c271013e7db7775350ebd868523dd359305a8f2d393e2d850c1ffe87a60d6a9

SHA512
213e476d8fdf3f4e6fa6bd6f48bc05563f8648e875c8aa9caf7c75dcd2298040a40183b93b6f41b9a6e0cc66e46d6f537d5d1e309bc0085d4ed2675a070941ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\23B5.exe
Filesize
61KB

MD5
c212295eed015c61fa0052151fcb6726

SHA1
be62288fcbe448c290a7512acd7e45cdebe30093

SHA256
b1f7629ef088c7c5d6d15a759e30406d8ef322c687cbd45038ed91bc8f0dfde2

SHA512
be61d09ddff418493da456930e5d37708cb54d11db7add2c4b986498bb598cf95dd4a662e7a6e71c1d0247adbdd917697490e462d905ccbc843f7abbbcea4fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AE8.exe
Filesize
195KB

MD5
8964bdf1cad5e8d2173b3846ccd59c3b

SHA1
8ac64990d1952c7a177a69c4b74b16f71463092d

SHA256
606ef06f18aa9b46d0f2a65a569db9492a5dc9ecb5be731ed723d5a6bf797db7

SHA512
525819d892f98c32c8f5b19d2da38b89b031ceb5aa8e595ebe1a4e9176b56ba91eb39c19ae2806dedae0d32b451aad40f7c1695e9d44212bcf1e9cf379cb62d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AE8.exe
Filesize
237KB

MD5
fbba6e587d5700e84b4badbd6fcb3123

SHA1
6f4c4e6b88e7cbf87dc70427513a39725ee3110d

SHA256
0f4d1e6a36a2f6fc4e29b9134a49a081b305501bb6394367f2f48a0387b02c68

SHA512
d76e5b8adb3c01c85b1dd297f53518a47f90668aa73759461d94cf957f6b73a132fa57eac0b0feda4d6a2187e7c1b11ec5ccd662505e3b91f0e57cfa047a732b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AE8.exe
Filesize
156KB

MD5
98c70d8db7e5226d690757f7faed8612

SHA1
663c828f29bd2a6ef2b944b2c585fe1ed5719119

SHA256
988a1cf781e531157442f81392e545221c0066f02c71e5d8e98f671c3241efcb

SHA512
81641d62b6a0d3e6c8e5570e4739eae2dbd72f9636c981035465881dd78645133e86e62301516f82b6b0b80b8a9ba4c9b1bf5eaf0a350acefc9201c92027d849

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABC2.exe
Filesize
407KB

MD5
95285ee4827bde8dd672f1f23bf41201

SHA1
c42a6eb1a1ffeb51832d10354a2dc000dde68dc3

SHA256
f78985605ba91679e58c73828472aea421f6f78932bdaa16b0bfb8d51cb0d995

SHA512
f54175c54177939688c84ef7877eabbd823abbfc74bfb44b45569d31c64948770330e34e9d8b64fabffde56234a14375854aabd3577404d58eeee97b1e3c0694

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABC2.exe
Filesize
564KB

MD5
f970a0cb7603d70942b957fd10d16b3f

SHA1
196bcf30a716f66e075748fb6cfeba03c2b9bb77

SHA256
e777f58ff115ac6470e7c9d5ad4fbb439bd2dcd05d88859dc2b6627b8f6b10a9

SHA512
22580a281237b7e9614a0619a29554ece3e1f66dab61ff71bab51f98c37d1ed8df5af7861d646c0166f81f1caf55769da178350fe9c90f669c09a582c4dc8c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABC2.exe
Filesize
262KB

MD5
0f34de9629516ba0f5c5f82212952356

SHA1
eed7be8d8fdebe7eac808d2746932e8eb681fb0b

SHA256
e30f3c7132746244127564f37f04d678bb2b940a2aa47cbe0a76631e38fb8640

SHA512
f14268f80b7087eb2c3ace6936986fd8cca96ee261a7074c35a15fc76fb5b52340c6fe0eccc56ba0554930f1b6d41dd8d69e19adf8ae1e84f6dadc81349c549f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABC2.exe
Filesize
168KB

MD5
73f09228d6e9548c6da2c9ca5006c735

SHA1
f413a7913a534412732b9b9519b5250cfefec806

SHA256
dc54eed4023ae81d97af9eb37970c85dc53850e1368a0e1213e96aaf0123c636

SHA512
f1fb405ee0683e750eb6831f9181edd36a07636e920520debaab187d1b6c344a89801177f6f1d5a8d410240ca7c30dafd1228f65bcabef48e63753349d05623f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABC2.exe
Filesize
50KB

MD5
596cff7f42f78cceedd0f86199559c6e

SHA1
eba4e4d2831ed53976bd3bc4b9cf01bbafd218ca

SHA256
e0c282a68c7d4e083348abfea1bd6ae0b4f0499bf04b0baebab331b40b327bd0

SHA512
f2e0ab9d871bafef003492101e14554cf1ec3690667474626d4cbc02e85511126c47d7183be4a2091d0968f49fef47033cfd3683c6af05b98ac6297a72be536f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B325.exe
Filesize
45KB

MD5
037bd2ee1322481d856e84399a5e17c0

SHA1
62ab850a8a8a6e41c253615d5505c71052c324ef

SHA256
6b58fd5db388297e92217309687515e123aafcead28ead33eb22fe7723f9b5cf

SHA512
2a447fb230bf7e2be6d626032fa26476f76012061512b55a582cc454847fb6f857578a576f23801b22d1f40d94723a7cba0b2d86d16142ee40fbf365fd1c4776

Download Submit
C:\Users\Admin\AppData\Local\Temp\B325.exe
Filesize
57KB

MD5
5eb411422635e65f4ecd2d9a696d06df

SHA1
68bc4e069557c4b1ab7e39c67ea0efad4012435f

SHA256
76fb8d15d3fa6e20e44992077633bbf284bc3a2f90711e2a4725213ff662c506

SHA512
73ae8ec12601aaaa1e3c0d8577bf397890b7a967c6744e548672972a87ce1e77742f343c5c1dc1b6f9428a24c4b2e4bd8fcdf6f0aa757996dbdb66a54209ccd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C825.exe
Filesize
65KB

MD5
bf4fd284d6feab69af0978ef8394a6d1

SHA1
213f2fab18a6230c78958a7941aa0bb90d6a2526

SHA256
588a2fd8e3b045d88e92e7d1db4d5ffb345234031399b872ac203794b5514aac

SHA512
be567e1247518c63d52721f4de157e01dd6a225df8784ca54276e0f15eb542dcada727475f32ea8fb98bf8f7fdb25a734caef71037bae69dab0668795a981834

Download Submit
C:\Users\Admin\AppData\Local\Temp\C825.exe
Filesize
216KB

MD5
d5cffa0fe14e5f729791e385ac6e0c85

SHA1
d75d6b40d7abc4cb26b4e48b4817915c6e00da85

SHA256
566782d3f3662b44ce9896ce63b8efd778fafdfc3b5a77cca2bde18b3b580f6c

SHA512
88264a00e9fcce23843321b2f3a521c9a649e427dc1ad91cb01cae4797a3e9c46633dd7d8cbd6be103267d626e844ca9805c8dfe1a44ace5c8c1772e6cd3389a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
5KB

MD5
e0c9c674d464a7a512d77194b1635ccc

SHA1
fc9244ed001eb768c7b4523b965e1db615327a3d

SHA256
b40161a94fd049a29a164ca1c01c9d804af57691545991f13212c508f773efb8

SHA512
7f4b17e52044557628549dae93ad675c5c83be4348c863c17295b42abd870aa806d7b31a8c72a355d752721744b7d5d319c491269436002da197bccf5435070d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
149KB

MD5
77203fd086ddb54a52368315407525ac

SHA1
eb677d152f389e1720cb93db31c833398b8e55ad

SHA256
e60a7e8dba48e66e887046f725b2789983d8383b3bb94162033e1e80455f763b

SHA512
74da1f3100b0fb5c4c1889b3ab652c59f9ed098e3db354b2cd2e0ab6a66bba89b934dd3c20ac7c5202bc60d3e4f7ad8fdebe59d26ef41060093de50dc4fdde52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
Filesize
43KB

MD5
c7dce035b72556bcf6ad9d42e23d2fa0

SHA1
88e53afb18aee69c2c5ae1d163a34a4b1329e365

SHA256
86a6b9563244d23b3969ec6210c8702628ae57afd8b52e64885dbe31180c0a18

SHA512
dd73638e81e167c88cbb3c5ef8b78948d142847ea57250e4ef46997842f294bc89482c7c1c6febd35d393d267b744d2196ceb60a32956d03ffc6305033e3d116

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
Filesize
57KB

MD5
5cff174c5f5c030e8cff64fcb92556be

SHA1
13f647450e795f8c93852ec919d540ce98a124bc

SHA256
d4979af2d3440b3fc9aeb2f5e768e52a726aa86945f5541eecd9e465686545d5

SHA512
044ca7f550f56267357c998fa9933e7cc3396e1ecf7bd9730c1e539267fa5984ceef615b26bd4a441946e46bd4ebce67f3ef812ea836518d2c2fd0db474c876d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
Filesize
55KB

MD5
7c633cd2bd6e77c5026bc6157d4504cf

SHA1
dc3e3d6eb9e485a6c64ce702ca0f7f9f593bf789

SHA256
3010ac055a54c12ec029399f5d6f1c28f3f63d988ae9f654809f0ccd3f0451b9

SHA512
a076d2e5b5403bc82aa9a26523d0dbd8fc008bfd9aedb4cd17712480276b31b6c7c9a24c9216c5a468d528efee36ce6298c510e98377b6774913044845ce8514

Download Submit
C:\Users\Admin\AppData\Roaming\bjijufr
Filesize
118KB

MD5
66ff3ac0ab77acb520c9696d3620f0f0

SHA1
238ab777af82fc5811e9eacd23102740f6916717

SHA256
226c78f720b568485091766816d2526f4ae00e59cb8c6e4e0405c1c9f537847a

SHA512
6a5fa8914144ef8cfd8ba5f01690052560273ca52a8b6b0b1c2d0b6989496f0563fc6412f6590c0c31db409c04ad6047b4a0b194f2463f4d9ce0a308b9004ad6

Download Submit
memory/848-127-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/848-126-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/848-156-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/848-120-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/848-128-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/860-3-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/860-2-0x00000000030D0000-0x00000000030DB000-memory.dmp

Filesize
44KB

Download
memory/860-1-0x0000000002B80000-0x0000000002C80000-memory.dmp

Filesize
1024KB

Download
memory/860-5-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/876-124-0x0000000002790000-0x0000000004790000-memory.dmp

Filesize
32.0MB

Download
memory/876-158-0x0000000002790000-0x0000000004790000-memory.dmp

Filesize
32.0MB

Download
memory/876-125-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/876-116-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/876-117-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/876-115-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/948-48-0x0000000002F90000-0x0000000003028000-memory.dmp

Filesize
608KB

Download
memory/1140-155-0x0000000000630000-0x000000000099D000-memory.dmp

Filesize
3.4MB

Download
memory/1140-154-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1140-153-0x0000000000630000-0x000000000099D000-memory.dmp

Filesize
3.4MB

Download
memory/3068-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3068-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3068-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3116-62-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/3116-93-0x0000000000400000-0x0000000002B4C000-memory.dmp

Filesize
39.3MB

Download
memory/3116-65-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3116-63-0x0000000003030000-0x00000000030B8000-memory.dmp

Filesize
544KB

Download
memory/3116-64-0x0000000000400000-0x0000000002B4C000-memory.dmp

Filesize
39.3MB

Download
memory/3212-17-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/3212-40-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/3212-16-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/3412-39-0x0000000007690000-0x00000000076A6000-memory.dmp

Filesize
88KB

Download
memory/3412-107-0x0000000003000000-0x0000000003016000-memory.dmp

Filesize
88KB

Download
memory/3412-4-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/3432-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3432-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3432-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3432-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3432-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3528-104-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/3528-105-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/3528-108-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/3864-94-0x0000000006360000-0x00000000063C6000-memory.dmp

Filesize
408KB

Download
memory/3864-88-0x00000000066F0000-0x0000000006D08000-memory.dmp

Filesize
6.1MB

Download
memory/3864-82-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/3864-79-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3864-85-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/3864-86-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/3864-87-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/3864-92-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

Filesize
304KB

Download
memory/3864-90-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/3864-89-0x00000000061E0000-0x00000000062EA000-memory.dmp

Filesize
1.0MB

Download
memory/3864-100-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/3864-97-0x0000000007B80000-0x00000000080AC000-memory.dmp

Filesize
5.2MB

Download
memory/3864-96-0x0000000007480000-0x0000000007642000-memory.dmp

Filesize
1.8MB

Download
memory/3864-95-0x0000000007160000-0x00000000071B0000-memory.dmp

Filesize
320KB

Download
memory/3864-91-0x0000000005A80000-0x0000000005ABC000-memory.dmp

Filesize
240KB

Download
memory/4300-75-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/4300-84-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/4300-70-0x0000000002510000-0x0000000002574000-memory.dmp

Filesize
400KB

Download
memory/4300-74-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4300-106-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/4300-76-0x0000000004B50000-0x0000000004BB4000-memory.dmp

Filesize
400KB

Download
memory/4300-73-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4300-72-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4300-71-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-83-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4920-23-0x0000000003030000-0x00000000030C4000-memory.dmp

Filesize
592KB

Download
memory/4920-24-0x0000000004980000-0x0000000004A9B000-memory.dmp

Filesize
1.1MB

Download