7aeb55f4385f6dad0f3a54a212f5ced8a3adf7349ac5fdc32d25e462b8128df9

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c2455673f5119d19819f58f846fca40.exe
Size

734KB
MD5

9c2455673f5119d19819f58f846fca40
SHA1

91e0b1d9f055595642f65289464312d1c035939c
SHA256

7aeb55f4385f6dad0f3a54a212f5ced8a3adf7349ac5fdc32d25e462b8128df9
SHA512

4db51b225973e505d8eafe7e56ce5a135b386adadd464aad8099858d826aa35e57196f68e69e92d29bfcd293f1bf519953f6d9d7815c8a740b48207d9e9c69d3
SSDEEP

12288:GDp20LiL+qI81leaplGt0y/2FEbkNvB5WlQ4URF42Brpkki6paTuB+/09HmEkqwG:kpd2+esapfEYNZ0S4+lBrpkki6ETuB+A

Score

7^/10

bootkit evasion persistence

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
2772	angelo.exe
552	angelo.exe
2208	angelo.exe
1540	angelo.exe
2256	angelo.exe
1360	angelo.exe
2280	angelo.exe
2704	angelo.exe
2844	angelo.exe
2900	angelo.exe
1720	angelo.exe
1632	angelo.exe
1620	angelo.exe
1660	angelo.exe
2256	angelo.exe
2852	angelo.exe
2712	angelo.exe
1744	angelo.exe
1920	angelo.exe
1976	angelo.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	9c2455673f5119d19819f58f846fca40.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	angelo.exe

Loads dropped DLL 21 IoCs

pid	Process
2796	9c2455673f5119d19819f58f846fca40.exe
2796	9c2455673f5119d19819f58f846fca40.exe
2772	angelo.exe
552	angelo.exe
552	angelo.exe
1540	angelo.exe
1540	angelo.exe
1360	angelo.exe
1360	angelo.exe
2704	angelo.exe
2704	angelo.exe
2900	angelo.exe
2900	angelo.exe
1632	angelo.exe
1632	angelo.exe
1660	angelo.exe
1660	angelo.exe
2852	angelo.exe
2852	angelo.exe
1744	angelo.exe
1744	angelo.exe

Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9c2455673f5119d19819f58f846fca40.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe
File opened for modification	\??\PhysicalDrive0	angelo.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	9c2455673f5119d19819f58f846fca40.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	9c2455673f5119d19819f58f846fca40.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File opened for modification	C:\Windows\SysWOW64\angelo.exe	angelo.exe
File created	C:\Windows\SysWOW64\angelo.exe	angelo.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 2772 set thread context of 552	2772	angelo.exe	30
PID 2208 set thread context of 1540	2208	angelo.exe	32
PID 2256 set thread context of 1360	2256	angelo.exe	36
PID 2280 set thread context of 2704	2280	angelo.exe	38
PID 2844 set thread context of 2900	2844	angelo.exe	40
PID 1720 set thread context of 1632	1720	angelo.exe	42
PID 1620 set thread context of 1660	1620	angelo.exe	44
PID 2256 set thread context of 2852	2256	angelo.exe	46
PID 2712 set thread context of 1744	2712	angelo.exe	48
PID 1920 set thread context of 1976	1920	angelo.exe	50

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	9c2455673f5119d19819f58f846fca40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	9c2455673f5119d19819f58f846fca40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	9c2455673f5119d19819f58f846fca40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	angelo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	angelo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 1216 wrote to memory of 2796	1216	9c2455673f5119d19819f58f846fca40.exe	28
PID 2796 wrote to memory of 2772	2796	9c2455673f5119d19819f58f846fca40.exe	29
PID 2796 wrote to memory of 2772	2796	9c2455673f5119d19819f58f846fca40.exe	29
PID 2796 wrote to memory of 2772	2796	9c2455673f5119d19819f58f846fca40.exe	29
PID 2796 wrote to memory of 2772	2796	9c2455673f5119d19819f58f846fca40.exe	29
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 2772 wrote to memory of 552	2772	angelo.exe	30
PID 552 wrote to memory of 2208	552	angelo.exe	31
PID 552 wrote to memory of 2208	552	angelo.exe	31
PID 552 wrote to memory of 2208	552	angelo.exe	31
PID 552 wrote to memory of 2208	552	angelo.exe	31
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 2208 wrote to memory of 1540	2208	angelo.exe	32
PID 1540 wrote to memory of 2256	1540	angelo.exe	35
PID 1540 wrote to memory of 2256	1540	angelo.exe	35
PID 1540 wrote to memory of 2256	1540	angelo.exe	35
PID 1540 wrote to memory of 2256	1540	angelo.exe	35
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 2256 wrote to memory of 1360	2256	angelo.exe	36
PID 1360 wrote to memory of 2280	1360	angelo.exe	37
PID 1360 wrote to memory of 2280	1360	angelo.exe	37
PID 1360 wrote to memory of 2280	1360	angelo.exe	37
PID 1360 wrote to memory of 2280	1360	angelo.exe	37
PID 2280 wrote to memory of 2704	2280	angelo.exe	38
PID 2280 wrote to memory of 2704	2280	angelo.exe	38
PID 2280 wrote to memory of 2704	2280	angelo.exe	38
PID 2280 wrote to memory of 2704	2280	angelo.exe	38
PID 2280 wrote to memory of 2704	2280	angelo.exe	38
PID 2280 wrote to memory of 2704	2280	angelo.exe	38
PID 2280 wrote to memory of 2704	2280	angelo.exe	38
PID 2280 wrote to memory of 2704	2280	angelo.exe	38

C:\Users\Admin\AppData\Local\Temp\9c2455673f5119d19819f58f846fca40.exe
"C:\Users\Admin\AppData\Local\Temp\9c2455673f5119d19819f58f846fca40.exe"
1⤵
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\9c2455673f5119d19819f58f846fca40.exe
  "C:\Users\Admin\AppData\Local\Temp\9c2455673f5119d19819f58f846fca40.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\angelo.exe
    C:\Windows\system32\angelo.exe 528 "C:\Users\Admin\AppData\Local\Temp\9c2455673f5119d19819f58f846fca40.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\angelo.exe
      "C:\Windows\SysWOW64\angelo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 532 "C:\Windows\SysWOW64\angelo.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 528 "C:\Windows\SysWOW64\angelo.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 532 "C:\Windows\SysWOW64\angelo.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 532 "C:\Windows\SysWOW64\angelo.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 524 "C:\Windows\SysWOW64\angelo.exe"
        13⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 532 "C:\Windows\SysWOW64\angelo.exe"
        15⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 524 "C:\Windows\SysWOW64\angelo.exe"
        17⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 524 "C:\Windows\SysWOW64\angelo.exe"
        19⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\angelo.exe
        
        C:\Windows\system32\angelo.exe 528 "C:\Windows\SysWOW64\angelo.exe"
        21⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\angelo.exe
        
        "C:\Windows\SysWOW64\angelo.exe"
        22⤵
        Executes dropped EXE
        
        PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\angelo.exe

Filesize
440KB

MD5
50560b3d11dfcf51e9018d0a3b9180fd

SHA1
ff51c28dfc5f2e51db00a8c8266191b0b5114dfc

SHA256
f4680a84e6d361c225573c07279be7eeaec2ef4fc53042ed1ee425bef924fdfe

SHA512
7317f7996cb4252c8c33f1990a3f058f6c5b27e8ec440d067846396476888c8e82ed6762500d49e40a3c587899966e4adfa75d5d1e558bffa1749eaa7d426a72

Download Submit
C:\Windows\SysWOW64\angelo.exe

Filesize
320KB

MD5
e55ffa2d97723b0493e8293bb22541b6

SHA1
17ed5c3531469175349421aa67e526ff9138c1c7

SHA256
11e706217220846ab11c8e651b87884584d8fe22664d8e2fdfe9ca6d3e885638

SHA512
b6e2518b20619ae37207c2ff7465f6de0eb28733405f47f1c6d26ba61bfc7a7822413fe30f8aa14ec55d250748eb4bb85b152c1ef687ee27e12ca2084b8d831e

Download Submit
C:\Windows\SysWOW64\angelo.exe

Filesize
120KB

MD5
eee5cb0d781d7369c174c849e39efa20

SHA1
a0a96a650ebbb55cfac7e96b0969737fa7a514a5

SHA256
be994cc7200dd9a58b7a6205a3df6188fea92c3d7c731daa054cbd949e64cc52

SHA512
d1fef6d26652ab0676b5f6f1289c42a714adf14359d14c56bc13f7e342ae163b5c273f0dc20207fe6770cc2b46c9d8ab2b4d98b5af6414281b34e610eb68d7af

Download Submit
C:\Windows\SysWOW64\angelo.exe

Filesize
114KB

MD5
af45775f2b86932ef8557f692eb6868d

SHA1
5b606db4114a2b40089ef585069f95e76e1175ee

SHA256
424fb0e454c5f28e84e965736373eddc731a2978bd0d795f5075847dc0e48b81

SHA512
3cc665abe274266e51c28637c3daf51c0dbbedda470a9fd948ee048d25eee54cf54e533cbb925a7d0e5218bcbf5de892daed11b33d0d22912b42a82b601f7f73

Download Submit
C:\Windows\SysWOW64\angelo.exe

Filesize
35KB

MD5
eda3df131aacd1868ef7947f7c1462a4

SHA1
eed5b65c63b6527b77640b71a37fd1e73377f24e

SHA256
89d56043efeb6b5c1bd13d41c88f587c151916144cfe826b41ef88400b4181d4

SHA512
d76456e2b45cdf542ac1e862c335362f6e48da9846a2fbfd6474baf96b2cad6b6e777ed610a46f68fe3d3268124f6f832a32e29d87c090958252354dea1cba0a

Download Submit
C:\Windows\SysWOW64\angelo.exe

Filesize
187KB

MD5
e67ff9a3282f9c4585ff4545535a021e

SHA1
2ecf4e0b5f55fd2087140bd63aabee0f2485948b

SHA256
9cab630b9745434215ba987313d21301162c7bc5a78fe3781edfd15d924c2b0c

SHA512
94593e09816c00d9e57ace734f29ae58f8aff8b00233309f4c0393cc732ce3709e263bf0344ac1e15aac37a940d14fb6778b75d2837d29980f4f8f451ece17bc

Download Submit
\Windows\SysWOW64\angelo.exe

Filesize
621KB

MD5
0a3ee9c16e050a38dc1eb64fd712572f

SHA1
feaeed9cdde8c7ff8d577be63501fdb37c3f001c

SHA256
b8053defa7df00f752bd84e4593259077a505c5cd23ba198f9deade92b6ec975

SHA512
f72bede061bd631e8dfd7a3252d47835405f23fe8ca44f2b121067d7ca0b0a893fcaf42857a374ca69dc6545b95c87a9b2a914efc02c355fec055acc02ad93c5

Download Submit
\Windows\SysWOW64\angelo.exe

Filesize
460KB

MD5
e8b44b5d3bae6e403f9fe07870415fc4

SHA1
f7eabeda28fb6dadea1d94e75e031f7c8c081a0f

SHA256
9de57d92e3fdbfba1fadbae7ed55341d6d9daeb27b69eca6ef5fb0cec7046a54

SHA512
3d4729deabeff6df3d6ce91e035a2202e2c4395d7e148e311e9da5ce19851266d6ff3e1d59933162228c3e0140857970f758a943a3fc37c02eed552c0194724d

Download Submit
\Windows\SysWOW64\angelo.exe

Filesize
64KB

MD5
9e2c7faf07142161a7a0637a7fbcf272

SHA1
327a8c3df8a537f4f085a7dacd8b6a0db82a1233

SHA256
2136e91dbe516073e0c5e5054d6bf481e3b37917debcc7984ee081a3463003ab

SHA512
4c54b98e14f89fa3edc243e2a0435f25f23155fe50c712f92e5797e55ba117edd966c7e136416f12fb07586d1c85b528d8ac0f607a929890138ddcb5444d030e

Download Submit
\Windows\SysWOW64\angelo.exe

Filesize
309KB

MD5
aeb5c05fb9eb09f070664e66441428b0

SHA1
f9e755933e47f4e0200b99e886a2b3413436040d

SHA256
0538d47039242eac95d31aefeba1b1c728c3a441f7144df7495b98e748a26aea

SHA512
f9c070087a94663257a681dc59787b49579f8f37e9addd9917b9728ea707a486416f551b68d00fd6ca09bcefd9fef54c99e91053501b78935d3223710f891d6f

Download Submit
\Windows\SysWOW64\angelo.exe

Filesize
224KB

MD5
dfc762593f8e894bc04d48a42628722d

SHA1
655138024c36b77d8ed90d03043e1b730b35930f

SHA256
d3e335523026b375c5297c600aa807ae52bc07ad3265d20aae006110f613a8fb

SHA512
17001392749152a0d57adc4e1241e8fd380277db87fc73b2f45e4bf165e15e78862b0fb0788386971ab1ae2953d63369b9e241f582d5ba8cf5c6ed1ea785617b

Download Submit
\Windows\SysWOW64\angelo.exe

Filesize
734KB

MD5
9c2455673f5119d19819f58f846fca40

SHA1
91e0b1d9f055595642f65289464312d1c035939c

SHA256
7aeb55f4385f6dad0f3a54a212f5ced8a3adf7349ac5fdc32d25e462b8128df9

SHA512
4db51b225973e505d8eafe7e56ce5a135b386adadd464aad8099858d826aa35e57196f68e69e92d29bfcd293f1bf519953f6d9d7815c8a740b48207d9e9c69d3

Download Submit
memory/552-88-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/552-92-0x0000000002940000-0x0000000002A92000-memory.dmp

Filesize
1.3MB

Download
memory/1216-25-0x0000000004500000-0x0000000004652000-memory.dmp

Filesize
1.3MB

Download
memory/1216-15-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1216-17-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/1216-23-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1216-0-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1216-27-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/1216-11-0x0000000004310000-0x0000000004312000-memory.dmp

Filesize
8KB

Download
memory/1216-19-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1216-9-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1216-21-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/1216-35-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/1216-33-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1216-13-0x0000000001F50000-0x0000000001F52000-memory.dmp

Filesize
8KB

Download
memory/1216-5-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1216-7-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1216-3-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1216-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1216-1-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/2208-128-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/2208-93-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2208-126-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2208-98-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2208-116-0x0000000004320000-0x0000000004322000-memory.dmp

Filesize
8KB

Download
memory/2208-114-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2208-112-0x00000000043A0000-0x00000000043A2000-memory.dmp

Filesize
8KB

Download
memory/2208-110-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/2208-108-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2208-106-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2208-104-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2208-102-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2208-100-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2208-97-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2208-94-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/2256-148-0x0000000004320000-0x0000000004322000-memory.dmp

Filesize
8KB

Download
memory/2256-160-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2256-169-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2256-168-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2256-162-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2256-158-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/2256-156-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2256-154-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2256-152-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2256-150-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2256-146-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2256-144-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2256-143-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2256-133-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2280-175-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2280-181-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2280-174-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2772-50-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2772-77-0x0000000004500000-0x0000000004652000-memory.dmp

Filesize
1.3MB

Download
memory/2772-63-0x0000000004320000-0x0000000004322000-memory.dmp

Filesize
8KB

Download
memory/2772-53-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2772-48-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2772-59-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2772-61-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2772-67-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2772-69-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/2772-71-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/2772-75-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2772-65-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2772-73-0x00000000043B0000-0x00000000043B2000-memory.dmp

Filesize
8KB

Download
memory/2772-57-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2772-85-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2772-87-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2772-79-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2796-40-0x0000000002A20000-0x0000000002B72000-memory.dmp

Filesize
1.3MB

Download
memory/2796-34-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2796-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-24-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2796-18-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2796-29-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2796-51-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2796-47-0x0000000002A20000-0x0000000002B72000-memory.dmp

Filesize
1.3MB

Download
memory/2796-12-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2796-8-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2796-4-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads