2670e495afec5ecfde3f614f64b6a18de2cf726ff593c553d83f6a37f577afab

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 19:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d1dc53c355398e1cdff020fe8a8e993.exe
Size

939KB
MD5

8d1dc53c355398e1cdff020fe8a8e993
SHA1

e1e73b78d47cb48cf3412c2aa3e7324e64f97eb8
SHA256

2670e495afec5ecfde3f614f64b6a18de2cf726ff593c553d83f6a37f577afab
SHA512

c8b256ab40f04d75d280a98983053eb7a92eda5287eb39c1ada6c1683e8c6006f284f5c229e5c89f1727796eaebc3053fc4e82ec0a83d44aadde58e7faaf703e
SSDEEP

12288:D8W6g06X0hbb7yt9WC9AVing1PCHKTsut/CAlPKGZ9fJyOq:Dfxkbb7ySIiTsut6lqfAOq

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\kernal132 = "C:\\Windows\\system32\\kernal132.exe"	exec2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	exec2.exe

Executes dropped EXE 4 IoCs

pid	Process
2824	conhost.exe
2820	exec2.exe
2260	exec1.exe
2368	kernal132.exe

Loads dropped DLL 10 IoCs

pid	Process
3044	8d1dc53c355398e1cdff020fe8a8e993.exe
3044	8d1dc53c355398e1cdff020fe8a8e993.exe
2824	conhost.exe
2824	conhost.exe
2824	conhost.exe
2824	conhost.exe
2820	exec2.exe
2820	exec2.exe
2820	exec2.exe
2368	kernal132.exe

Molebox Virtualization software 1 IoCs

Detects file using Molebox Virtualization software.

resource	yara_rule
behavioral1/files/0x000900000001410b-22.dat	molebox

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kernal132.exe	exec2.exe
File opened for modification	C:\Windows\SysWOW64\cjpg.dll	exec2.exe
File created	C:\Windows\SysWOW64\dbtm.exe	8d1dc53c355398e1cdff020fe8a8e993.exe
File created	C:\Windows\SysWOW64\exec1.exe	conhost.exe
File created	C:\Windows\SysWOW64\exec2.exe	conhost.exe
File opened for modification	C:\Windows\SysWOW64\exec2.Exe	exec2.exe
File opened for modification	C:\Windows\SysWOW64\melt.bat	exec2.exe
File created	C:\Windows\SysWOW64\kernal132.exe	exec2.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1176	sc.exe
2860	sc.exe
2980	sc.exe
1520	sc.exe
1428	sc.exe
1976	sc.exe
1216	sc.exe
2920	sc.exe
1960	sc.exe
2300	sc.exe
2164	sc.exe
1496	sc.exe
1740	sc.exe
2080	sc.exe
2584	sc.exe
1632	sc.exe
1144	sc.exe
1480	sc.exe
1484	sc.exe
108	sc.exe
1324	sc.exe
2464	sc.exe
2488	sc.exe
2516	sc.exe
2000	sc.exe
2852	sc.exe
1236	sc.exe
2056	sc.exe
2732	sc.exe
2940	sc.exe
2644	sc.exe
1920	sc.exe
2812	sc.exe
1980	sc.exe
2524	sc.exe
2828	sc.exe
1872	sc.exe
1208	sc.exe
580	sc.exe
840	sc.exe
1080	sc.exe
2724	sc.exe
2436	sc.exe
1436	sc.exe
2236	sc.exe
2792	sc.exe
2512	sc.exe
1900	sc.exe
2180	sc.exe
2128	sc.exe
2580	sc.exe
1532	sc.exe
1124	sc.exe
1796	sc.exe
1596	sc.exe
900	sc.exe
816	sc.exe
268	sc.exe
1696	sc.exe
1568	sc.exe
2468	sc.exe
1504	sc.exe
2956	sc.exe
1464	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	exec2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	exec2.exe
2820	exec2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2824	3044	8d1dc53c355398e1cdff020fe8a8e993.exe	63
PID 3044 wrote to memory of 2824	3044	8d1dc53c355398e1cdff020fe8a8e993.exe	63
PID 3044 wrote to memory of 2824	3044	8d1dc53c355398e1cdff020fe8a8e993.exe	63
PID 3044 wrote to memory of 2824	3044	8d1dc53c355398e1cdff020fe8a8e993.exe	63
PID 2824 wrote to memory of 2820	2824	conhost.exe	29
PID 2824 wrote to memory of 2820	2824	conhost.exe	29
PID 2824 wrote to memory of 2820	2824	conhost.exe	29
PID 2824 wrote to memory of 2820	2824	conhost.exe	29
PID 2824 wrote to memory of 2260	2824	conhost.exe	31
PID 2824 wrote to memory of 2260	2824	conhost.exe	31
PID 2824 wrote to memory of 2260	2824	conhost.exe	31
PID 2824 wrote to memory of 2260	2824	conhost.exe	31
PID 2820 wrote to memory of 2676	2820	exec2.exe	33
PID 2820 wrote to memory of 2676	2820	exec2.exe	33
PID 2820 wrote to memory of 2676	2820	exec2.exe	33
PID 2820 wrote to memory of 2676	2820	exec2.exe	33
PID 2820 wrote to memory of 2584	2820	exec2.exe	204
PID 2820 wrote to memory of 2584	2820	exec2.exe	204
PID 2820 wrote to memory of 2584	2820	exec2.exe	204
PID 2820 wrote to memory of 2584	2820	exec2.exe	204
PID 2820 wrote to memory of 2828	2820	exec2.exe	203
PID 2820 wrote to memory of 2828	2820	exec2.exe	203
PID 2820 wrote to memory of 2828	2820	exec2.exe	203
PID 2820 wrote to memory of 2828	2820	exec2.exe	203
PID 2820 wrote to memory of 2500	2820	exec2.exe	202
PID 2820 wrote to memory of 2500	2820	exec2.exe	202
PID 2820 wrote to memory of 2500	2820	exec2.exe	202
PID 2820 wrote to memory of 2500	2820	exec2.exe	202
PID 2820 wrote to memory of 2488	2820	exec2.exe	200
PID 2820 wrote to memory of 2488	2820	exec2.exe	200
PID 2820 wrote to memory of 2488	2820	exec2.exe	200
PID 2820 wrote to memory of 2488	2820	exec2.exe	200
PID 2820 wrote to memory of 2724	2820	exec2.exe	199
PID 2820 wrote to memory of 2724	2820	exec2.exe	199
PID 2820 wrote to memory of 2724	2820	exec2.exe	199
PID 2820 wrote to memory of 2724	2820	exec2.exe	199
PID 2820 wrote to memory of 2604	2820	exec2.exe	197
PID 2820 wrote to memory of 2604	2820	exec2.exe	197
PID 2820 wrote to memory of 2604	2820	exec2.exe	197
PID 2820 wrote to memory of 2604	2820	exec2.exe	197
PID 2820 wrote to memory of 2580	2820	exec2.exe	195
PID 2820 wrote to memory of 2580	2820	exec2.exe	195
PID 2820 wrote to memory of 2580	2820	exec2.exe	195
PID 2820 wrote to memory of 2580	2820	exec2.exe	195
PID 2820 wrote to memory of 2512	2820	exec2.exe	194
PID 2820 wrote to memory of 2512	2820	exec2.exe	194
PID 2820 wrote to memory of 2512	2820	exec2.exe	194
PID 2820 wrote to memory of 2512	2820	exec2.exe	194
PID 2820 wrote to memory of 2732	2820	exec2.exe	193
PID 2820 wrote to memory of 2732	2820	exec2.exe	193
PID 2820 wrote to memory of 2732	2820	exec2.exe	193
PID 2820 wrote to memory of 2732	2820	exec2.exe	193
PID 2820 wrote to memory of 2468	2820	exec2.exe	192
PID 2820 wrote to memory of 2468	2820	exec2.exe	192
PID 2820 wrote to memory of 2468	2820	exec2.exe	192
PID 2820 wrote to memory of 2468	2820	exec2.exe	192
PID 2820 wrote to memory of 2524	2820	exec2.exe	190
PID 2820 wrote to memory of 2524	2820	exec2.exe	190
PID 2820 wrote to memory of 2524	2820	exec2.exe	190
PID 2820 wrote to memory of 2524	2820	exec2.exe	190
PID 2820 wrote to memory of 1532	2820	exec2.exe	188
PID 2820 wrote to memory of 1532	2820	exec2.exe	188
PID 2820 wrote to memory of 1532	2820	exec2.exe	188
PID 2820 wrote to memory of 1532	2820	exec2.exe	188

C:\Users\Admin\AppData\Local\Temp\8d1dc53c355398e1cdff020fe8a8e993.exe
"C:\Users\Admin\AppData\Local\Temp\8d1dc53c355398e1cdff020fe8a8e993.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\dbtm.exe
  "C:\Windows\system32\dbtm.exe"
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\exec2.exe
    "C:\Windows\System32\exec2.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\system32\melt.bat" "
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\sc.exe
      sc config "awhost32" Start= disabled
      4⤵
      Launches sc.exe
      PID:2516
  - - C:\Windows\SysWOW64\sc.exe
      sc config "CAISafe" Start= disabled
      4⤵
      Launches sc.exe
      PID:2940
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ccEvtMgr" Start= disabled
      4⤵
      Launches sc.exe
      PID:1900
  - - C:\Windows\SysWOW64\sc.exe
      sc config "McShield" Start= disabled
      4⤵
      Launches sc.exe
      PID:2644
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Norton Antivirus Server" Start= disabled
      4⤵
      Launches sc.exe
      PID:2180
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Norman ZANDA" Start= disabled
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nvcoas" Start= disabled
      4⤵
      Launches sc.exe
      PID:1872
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PREVSRV" Start= disabled
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ravmon8" Start= disabled
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PSIMSVC" Start= disabled
      4⤵
      Launches sc.exe
      PID:840
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PersFW" Start= disabled
      4⤵
      Launches sc.exe
      PID:1176
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SAVScan" Start= disabled
      4⤵
      Launches sc.exe
      PID:2128
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SBService" Start= disabled
      4⤵
      Launches sc.exe
      PID:2860
  - - C:\Windows\SysWOW64\sc.exe
      sc config "V3MonNT" Start= disabled
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Tmntsrv" Start= disabled
      4⤵
      Launches sc.exe
      PID:1632
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Symantec AntiVirus Client" Start= disabled
      4⤵
      Launches sc.exe
      PID:1144
  - - C:\Windows\SysWOW64\sc.exe
      sc config "V3MonSvc" Start= disabled
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\sc.exe
      sc config "XCOMM" Start= disabled
      4⤵
      Launches sc.exe
      PID:1124
  - - C:\Windows\SysWOW64\kernal132.exe
      "C:\Windows\system32\kernal132.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2368
  - - C:\Windows\SysWOW64\sc.exe
      sc config "wuauserv" Start= disabled
      4⤵
      Launches sc.exe
      PID:2000
  - - C:\Windows\SysWOW64\sc.exe
      sc config "vsmon" Start= disabled
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\sc.exe
      sc config "VexiraAntivirus" Start= disabled
      4⤵
      Launches sc.exe
      PID:1080
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SWEEPSRV.SYS" Start= disabled
      4⤵
      Launches sc.exe
      PID:1208
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SweepNet" Start= disabled
      4⤵
      Launches sc.exe
      PID:1960
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SPBBCSvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:1796
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SNDSrvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:1596
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SmcService" Start= disabled
      4⤵
      Launches sc.exe
      PID:1504
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SharedAccess" Start= disabled
      4⤵
      Launches sc.exe
      PID:2852
  - - C:\Windows\SysWOW64\sc.exe
      sc config "sharedaccess" Start= disabled
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\sc.exe
      sc config "schscnt" Start= disabled
      4⤵
      Launches sc.exe
      PID:2300
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SAVFMSE" Start= disabled
      4⤵
      Launches sc.exe
      PID:1480
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PCCPFW" Start= disabled
      4⤵
      Launches sc.exe
      PID:1236
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PAVSRV" Start= disabled
      4⤵
      Launches sc.exe
      PID:2164
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PavPrSrv" Start= disabled
      4⤵
      Launches sc.exe
      PID:2436
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PavProt" Start= disabled
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Pavkre" Start= disabled
      4⤵
      Launches sc.exe
      PID:1920
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PAVFNSVR" Start= disabled
      4⤵
      Launches sc.exe
      PID:816
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PASSRV" Start= disabled
      4⤵
      Launches sc.exe
      PID:1520
  - - C:\Windows\SysWOW64\sc.exe
      sc config "OutpostFirewall" Start= disabled
      4⤵
      Launches sc.exe
      PID:580
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NWService" Start= disabled
      4⤵
      Launches sc.exe
      PID:1484
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclnth" Start= disabled
      4⤵
      Launches sc.exe
      PID:2812
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntg" Start= disabled
      4⤵
      Launches sc.exe
      PID:1496
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntf" Start= disabled
      4⤵
      Launches sc.exe
      PID:1436
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclnte" Start= disabled
      4⤵
      Launches sc.exe
      PID:108
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntd" Start= disabled
      4⤵
      Launches sc.exe
      PID:268
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntc" Start= disabled
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NVCScheduler" Start= disabled
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NSCTOP" Start= disabled
      4⤵
      Launches sc.exe
      PID:2056
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NProtectService" Start= disabled
      4⤵
      Launches sc.exe
      PID:1740
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NPFMntor" Start= disabled
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Norman NJeeves" Start= disabled
      4⤵
      Launches sc.exe
      PID:2236
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NOD32Service" Start= disabled
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NOD32ControlCenter" Start= disabled
      4⤵
      Launches sc.exe
      PID:1980
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NISUM" Start= disabled
      4⤵
      Launches sc.exe
      PID:2980
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NISSERV" Start= disabled
      4⤵
      Launches sc.exe
      PID:2956
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Network Associates Log Service" Start= disabled
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\sc.exe
      sc config "navapsvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:1696
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MonSvcNT" Start= disabled
      4⤵
      Launches sc.exe
      PID:1464
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MCVSRte" Start= disabled
      4⤵
      Launches sc.exe
      PID:1428
  - - C:\Windows\SysWOW64\sc.exe
      sc config "McTaskManager" Start= disabled
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\sc.exe
      sc config "McAfeeFramework" Start= disabled
      4⤵
      Launches sc.exe
      PID:2792
  - - C:\Windows\SysWOW64\sc.exe
      sc config "KLBLMain" Start= disabled
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\sc.exe
      sc config "kavsvc" Start= disabled
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\sc.exe
      sc config "KAVMonitorService" Start= disabled
      4⤵
      Launches sc.exe
      PID:1976
  - - C:\Windows\SysWOW64\sc.exe
      sc config "fsdfwd" Start= disabled
      4⤵
      Launches sc.exe
      PID:1324
  - - C:\Windows\SysWOW64\sc.exe
      sc config "FSDFWD" Start= disabled
      4⤵
      Launches sc.exe
      PID:1216
  - - C:\Windows\SysWOW64\sc.exe
      sc config "fsbwsys" Start= disabled
      4⤵
      Launches sc.exe
      PID:900
  - - C:\Windows\SysWOW64\sc.exe
      sc config "dvpinit" Start= disabled
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\sc.exe
      sc config "dvpapi" Start= disabled
      4⤵
      Launches sc.exe
      PID:2920
  - - C:\Windows\SysWOW64\sc.exe
      sc config "DefWatch" Start= disabled
      4⤵
      Launches sc.exe
      PID:2464
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ccSetMgr" Start= disabled
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ccPwdSvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:1568
  - - C:\Windows\SysWOW64\sc.exe
      sc config "BlackICE" Start= disabled
      4⤵
      Launches sc.exe
      PID:2080
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvxIni" Start= disabled
      4⤵
      Launches sc.exe
      PID:1532
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AVUPDService" Start= disabled
      4⤵
      Launches sc.exe
      PID:2524
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AVPCC" Start= disabled
      4⤵
      Launches sc.exe
      PID:2468
  - - C:\Windows\SysWOW64\sc.exe
      sc config "avpcc" Start= disabled
      4⤵
      Launches sc.exe
      PID:2732
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvgServ" Start= disabled
      4⤵
      Launches sc.exe
      PID:2512
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvgFsh" Start= disabled
      4⤵
      Launches sc.exe
      PID:2580
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvgCore" Start= disabled
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\sc.exe
      sc config "avg7updsvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:2724
  - - C:\Windows\SysWOW64\sc.exe
      sc config "avg7alrt" Start= disabled
      4⤵
      Launches sc.exe
      PID:2488
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AVExch32Service" Start= disabled
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AlertManger" Start= disabled
      4⤵
      Launches sc.exe
      PID:2828
  - - C:\Windows\SysWOW64\sc.exe
      sc config "alerter" Start= disabled
      4⤵
      Launches sc.exe
      PID:2584
- - C:\Windows\SysWOW64\exec1.exe
    "C:\Windows\System32\exec1.exe"
    3⤵
    - Executes dropped EXE
    PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5657570541209603985-7863903141325195664-18939001805384437041014077056-522061344"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\system32\melt.bat" "
1⤵
PID:4016

Network

DNS

shimano.no-ip.info

Remote address:

8.8.8.8:53

Request

shimano.no-ip.info

IN A

Response

No results found

8.8.8.8:53

shimano.no-ip.info

dns

64 B
124 B
1
1

DNS Request

shimano.no-ip.info

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dbtm.exe

Filesize
841KB

MD5
d479d6bd0b9f2a441e632e008545be77

SHA1
d20c35fb8a2125ba0e0836ce711fe75b15cca59f

SHA256
4abfb935496b8c9acc1d1d413fd47b272cd9334a2bc52a6d23c0768eedbf1e05

SHA512
ac4bfc614108037788edaedac30aa4f2c604ff67b2411b526efd9eb4cdd8b24c0e44ea6bcde3ee65b3a7dec9b8752d842554b3c60b0fff5a918238555f787cc3

Download Submit
C:\Windows\SysWOW64\exec2.exe

Filesize
200KB

MD5
b92d5da02a211dae92ff1fb2f6567646

SHA1
6c7e8adaed92d9a7db096958a854863f8aa6bb95

SHA256
2f51cbf7671780598639ab7ccc6fbcd2171f22648188baa1f6c740e3fb368fe3

SHA512
f6fbad8afaf2b1baba36199b05f9a1fdd98910970c8c6a24d93ec1aae45336d441e087c0a94e6c38882e279cba84768d809ddb5c7c3547a26a2cde2a94cb4023

Download Submit
C:\Windows\SysWOW64\melt.bat

Filesize
107B

MD5
1de2c1c914398bcd9d3100acfc9eec86

SHA1
8512b95140182caeead8313dfa01f5c53b77a23a

SHA256
868bad56f7a031dba5598498bdab5ce566f2be447f8de222957bcc92f426a501

SHA512
f4d8b94d1fe154a3f0d001fc0a6bb6b7899cfe6e265a6d269cca6e8ea9b6e244f46b576358484245d323858586e4785452cf4943d94767b6008b0f356c8001ec

Download Submit
\Windows\SysWOW64\dbtm.exe

Filesize
932KB

MD5
2ed22c5b39e666a7b7d20fdc5dd124e3

SHA1
55deb1b62ea2bd18ec70489d17f1b065c487da13

SHA256
5d72746ed9ffdf3cf7a33c83647b8c6e82202735398c25e6e3773231b4375e71

SHA512
0bb15ccdb330129683a16e421bac0502ea15b296d5a513624486fed9ffed036351d692b14bb5e3a21fb4f9bc3a6ac5f416750e7b7f74a69e793fdccc8878f432

Download Submit
\Windows\SysWOW64\dbtm.exe

Filesize
804KB

MD5
83b6bfa6684e1f7ea3d1c553b6776cdb

SHA1
0735d46c90239def6de580ddddc5d7048edb1b8f

SHA256
49b87fe0a9383f2c52474bb54bad9a1831cb16180517ca3fbdff05aa20f7b38d

SHA512
311a44e30dacd9e866dcfe9dd73718f1f1e5a50bdc3acde2fd8aa4c4edb832cca32d80b7a33afe605d6ebb1933d011af3ce5a466fc5974aa7ac386d5b6e141f1

Download Submit
\Windows\SysWOW64\exec1.exe

Filesize
701KB

MD5
152f4e8e92a62bf2c24462ca42ff83c0

SHA1
0b3aed2dcadbae0775736f3f2914ef7024794bd8

SHA256
88994dd7b62f3f522cda83909cf204b9857acf1bfe3d70219f2b83bfec97d42c

SHA512
e0183b05dd1ddc211cacc225121d73bff38969fcb10406dc019a362bef549d09d1a9151074b3cd8e41e75fc62d16814337ffcdfd3995f0f2f2bbb0f2210a9bd9

Download Submit
memory/2260-57-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2368-60-0x0000000002D70000-0x0000000002E80000-memory.dmp

Filesize
1.1MB

Download
memory/2824-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3044-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.