quasar | eb6f8f2a7f814d765640c5e6422921576383c85183677c8c1328f846bda5906e

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 22:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TangoGen/TangoGenV1.3.exe
Size

52.0MB
MD5

e9150812ffb2317a7ff1a2491a392ade
SHA1

6b929ee7d7555604ec71d2463b6c1602aaf38b75
SHA256

0e01eb02101b4aa05e0484ac9caebb77a7ecda7a36263aac8a32225fa2a8d38a
SHA512

7a7a5c6c29848e5a2f1c12753c6bf9900937b99fd5e07cfb6fc6793216361bc7962fbd0a2b29448bae1c028ab93c11640f176cf5d3897a64973dd954ff417914
SSDEEP

1572864:CxLPRJ/aHOlj/wZuj/hzJHW2ldP2dUOpfa4X62AC:CH2Mhzn+dUSh

Score

10^/10

quasar office04 persistence pyinstaller spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

6.tcp.ngrok.io:16799

Mutex

0c20af10-1b0a-4d0e-bbca-3718ee39e827

Attributes

encryption_key
284202D1B7ED732612BB54048953C4453A2549F9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015e6d-12.dat	family_quasar
behavioral1/memory/2712-14-0x0000000000C10000-0x0000000000F34000-memory.dmp	family_quasar
behavioral1/memory/2552-24-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a4a9-272.dat	acprotect

Executes dropped EXE 15 IoCs

pid	Process
2324	TANGOG~1.EXE
2712	Built.exe
2552	Client.exe
2620	TANGOG~1.EXE
2448	TANGOG~1.EXE
1352	TANGOG~1.EXE
1908	DMMEIF~1.EXE
3004	System32.exe
3016	System32.exe
1740	EPICGA~1.EXE
1512	EPICGA~1.EXE
956	WINDOW~1.EXE
1460	System32.exe
2560	System32.exe
1104	Process not Found

Loads dropped DLL 27 IoCs

pid	Process
1728	TangoGenV1.3.exe
2324	TANGOG~1.EXE
2620	TANGOG~1.EXE
2404	Process not Found
2448	TANGOG~1.EXE
1352	TANGOG~1.EXE
1352	TANGOG~1.EXE
1352	TANGOG~1.EXE
1352	TANGOG~1.EXE
1352	TANGOG~1.EXE
1352	TANGOG~1.EXE
1352	TANGOG~1.EXE
2620	TANGOG~1.EXE
3004	System32.exe
3016	System32.exe
1740	EPICGA~1.EXE
1512	EPICGA~1.EXE
1728	TangoGenV1.3.exe
956	WINDOW~1.EXE
1460	System32.exe
2560	System32.exe
2560	System32.exe
2560	System32.exe
2560	System32.exe
2560	System32.exe
2560	System32.exe
2560	System32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4a9-272.dat	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	TangoGenV1.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TANGOG~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TANGOG~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	DMMEIF~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WINDOW~1.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	6.tcp.ngrok.io
16	6.tcp.ngrok.io
26	6.tcp.ngrok.io

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001654a-33.dat	pyinstaller
behavioral1/files/0x0007000000016c42-161.dat	pyinstaller
behavioral1/files/0x0008000000016c3a-386.dat	pyinstaller
behavioral1/files/0x0007000000015fa7-599.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2312	schtasks.exe
2604	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	Built.exe
Token: SeDebugPrivilege	2552	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2552	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2552	Client.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2324	1728	TangoGenV1.3.exe	28
PID 1728 wrote to memory of 2324	1728	TangoGenV1.3.exe	28
PID 1728 wrote to memory of 2324	1728	TangoGenV1.3.exe	28
PID 2324 wrote to memory of 2712	2324	TANGOG~1.EXE	29
PID 2324 wrote to memory of 2712	2324	TANGOG~1.EXE	29
PID 2324 wrote to memory of 2712	2324	TANGOG~1.EXE	29
PID 2712 wrote to memory of 2604	2712	Built.exe	30
PID 2712 wrote to memory of 2604	2712	Built.exe	30
PID 2712 wrote to memory of 2604	2712	Built.exe	30
PID 2712 wrote to memory of 2552	2712	Built.exe	32
PID 2712 wrote to memory of 2552	2712	Built.exe	32
PID 2712 wrote to memory of 2552	2712	Built.exe	32
PID 2324 wrote to memory of 2620	2324	TANGOG~1.EXE	33
PID 2324 wrote to memory of 2620	2324	TANGOG~1.EXE	33
PID 2324 wrote to memory of 2620	2324	TANGOG~1.EXE	33
PID 2552 wrote to memory of 2312	2552	Client.exe	34
PID 2552 wrote to memory of 2312	2552	Client.exe	34
PID 2552 wrote to memory of 2312	2552	Client.exe	34
PID 2620 wrote to memory of 2448	2620	TANGOG~1.EXE	36
PID 2620 wrote to memory of 2448	2620	TANGOG~1.EXE	36
PID 2620 wrote to memory of 2448	2620	TANGOG~1.EXE	36
PID 2448 wrote to memory of 1352	2448	TANGOG~1.EXE	38
PID 2448 wrote to memory of 1352	2448	TANGOG~1.EXE	38
PID 2448 wrote to memory of 1352	2448	TANGOG~1.EXE	38
PID 2620 wrote to memory of 1908	2620	TANGOG~1.EXE	39
PID 2620 wrote to memory of 1908	2620	TANGOG~1.EXE	39
PID 2620 wrote to memory of 1908	2620	TANGOG~1.EXE	39
PID 1908 wrote to memory of 3004	1908	DMMEIF~1.EXE	40
PID 1908 wrote to memory of 3004	1908	DMMEIF~1.EXE	40
PID 1908 wrote to memory of 3004	1908	DMMEIF~1.EXE	40
PID 1908 wrote to memory of 3004	1908	DMMEIF~1.EXE	40
PID 3004 wrote to memory of 3016	3004	System32.exe	41
PID 3004 wrote to memory of 3016	3004	System32.exe	41
PID 3004 wrote to memory of 3016	3004	System32.exe	41
PID 3004 wrote to memory of 3016	3004	System32.exe	41
PID 1908 wrote to memory of 1740	1908	DMMEIF~1.EXE	44
PID 1908 wrote to memory of 1740	1908	DMMEIF~1.EXE	44
PID 1908 wrote to memory of 1740	1908	DMMEIF~1.EXE	44
PID 1908 wrote to memory of 1740	1908	DMMEIF~1.EXE	44
PID 1740 wrote to memory of 1512	1740	EPICGA~1.EXE	45
PID 1740 wrote to memory of 1512	1740	EPICGA~1.EXE	45
PID 1740 wrote to memory of 1512	1740	EPICGA~1.EXE	45
PID 1740 wrote to memory of 1512	1740	EPICGA~1.EXE	45
PID 1728 wrote to memory of 956	1728	TangoGenV1.3.exe	46
PID 1728 wrote to memory of 956	1728	TangoGenV1.3.exe	46
PID 1728 wrote to memory of 956	1728	TangoGenV1.3.exe	46
PID 956 wrote to memory of 1460	956	WINDOW~1.EXE	47
PID 956 wrote to memory of 1460	956	WINDOW~1.EXE	47
PID 956 wrote to memory of 1460	956	WINDOW~1.EXE	47
PID 1460 wrote to memory of 2560	1460	System32.exe	48
PID 1460 wrote to memory of 2560	1460	System32.exe	48
PID 1460 wrote to memory of 2560	1460	System32.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TangoGen\TangoGenV1.3.exe
"C:\Users\Admin\AppData\Local\Temp\TangoGen\TangoGenV1.3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TANGOG~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TANGOG~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Built.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Built.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2604
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TANGOG~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TANGOG~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DMMEIF~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DMMEIF~1.EXE
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3016
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Built.exe

Filesize
3.1MB

MD5
415b798b89de60513a68357847e0892d

SHA1
76703f5121b80e67a4b55fba3a68ea57d452952b

SHA256
b4d710f8d33014f5b77ff61f10bc70df4eec50e0a954c7ef5f09fb75e62ca110

SHA512
c6463d4e828cd18c4f95e11023a2d85e8a24bcce8a2b616d23a6b76f47a45a7a77f6b66d2d09f88228252ace251150216086c159e4a5e73489ef5349ecd213dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TANGOG~1.EXE

Filesize
41.5MB

MD5
418826371c8cb889128cdfa3615fa99d

SHA1
d4bfaf14d2801611e2a64120aba2a2eb0fb52d4a

SHA256
48d96c17a1f0557d4ded682f7bd4179d463327685543b23100ef9152fa54412b

SHA512
c1fcad76fe6cf5d1af8168f334226a7153a4ac407efe93393f008e35f2ee5db4eb7091ea65a1d56f66d99696013192c214d54ecd022d883104b4325132628044

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DMMEIF~1.EXE

Filesize
35.5MB

MD5
2b5e9b534e34e6843a87a89a6e5628c8

SHA1
4c75db803321989103ec6c5a8cf2031af0f62288

SHA256
bdef6770d76867ffe396b53f2600ce85f94654e19ed54b33637b8514f1213c2b

SHA512
73901e38d216807759d18d1150bbbf840c506049cb277ac54346723af1371f09f972e9cc8baffd81793039eb6fa25277976df83a0766f28af3db8252f125a49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE

Filesize
18.2MB

MD5
60177a8b7ac06254751fde914a9c7ad8

SHA1
adee34f28fa5b0d2611cc1632d7ac2775e38fb0f

SHA256
03abd0d4b2599888c4aa815c925571301e34772efeae98eca9b68cc632c28246

SHA512
1272cb865b963da4a5fa4cdcaf82f6ee40e98fdef575f8b2684e5301b0e0f8f5ba6937654df1eba5657b15381f10f4a2f2650a70fade872de482ca58278c6403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe

Filesize
17.7MB

MD5
4789771162e29fabee8a6527f96ed309

SHA1
34a8ecd661788ebd589714f6eeabfe28fb63e239

SHA256
2195bd5f77ac0f57f99501ebc630ab9e1a5cf88c6c445e64d606ce3d482dedb6

SHA512
002c1808fa2ad8b1e372fcb8cb6ffd6259e0ee360a183f7a6ebcfd6c8d7ccbc69ad3fd8fee3cbba5b4e7f39d804216de7e942d875c1f5fc3ccb33e3b36f7eb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17402\python311.dll

Filesize
4.7MB

MD5
b8769a867abc02bfdd8637bea508cab2

SHA1
782f5fb799328c001bca77643e31fb7824f9d8cc

SHA256
9cf39945840ee8d769e47ffdb554044550b5843b29c68fa3849ba9376c3a7ec8

SHA512
bf01e343877a92d458373c02a9d64426118915ade324cf12d6ff200970da641358e8f362732cd9a8508845e367313c9bab2772d59a9ae8d934cd0dd7d28535b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17402\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24482\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24482\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TANGOG~1.EXE

Filesize
42.6MB

MD5
ea0f2bf412f49a4d131e186647e430fa

SHA1
a05b3d2e924b385089fcf477155c11af0d3852af

SHA256
f29dad7c38548748e8705ff719b4bba758bae20561318a91b3f4de65e715f6c9

SHA512
d360a148f83b4f5b2b03a445f566549aa1cf187640b4cd81d4854845f0415c96ea46f4a8afdb75ab03d0987b28fbf8eaf8d4a332b4d1c8587c77255188f97587

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
9.4MB

MD5
66d4b34a620496eef746ff9877a19153

SHA1
364957fe3636d9802141a5ad80dbef80b14c274a

SHA256
88920d4fc74333ad6d6d67f37ff75afc127147a93246c67f099aca85e3f7e69f

SHA512
0d933482d766ba207282823f44e985fa68aa345430efca229cd08eb90dc2660abfe819628d558f8b50ab07b180ea5447f24ad64e9909c7ac45f3f5b490776c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe

Filesize
9.4MB

MD5
d195ccdcd0b15171656eefc1e56a8bbc

SHA1
228d45413f0b022c97b242f9d579554ff0af2675

SHA256
81ddf64cfeddc8551bdb8859b602edf3e6895da58de661fabab814b29bfcd7b5

SHA512
061dd51ad5bb107fecc7bfcf30c9f771f20302b465b86f45ef2801a76ca12688c27d00786df6c3b81f48fb55e2057a82962b1a45adf6b5a30f8722472790b278

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE

Filesize
6.0MB

MD5
cca4410ce6b5c64389e221899c7924f5

SHA1
b43ecf2734266f0a0648ff6909eeab0b7cd162be

SHA256
5263a206f4c5bfaf4d64778507820df4e04273e19f767df253aa20fae1e31647

SHA512
616bb3a340e2a1ebf9c13d40868a2d3207b159757d9034621ecdec9d3c223e876a7cdcc39149d1e27b740cad937ccb8d36d79d418267c84393349d57b295d74e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24482\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24482\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24482\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24482\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24482\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30042\python311.dll

Filesize
1.4MB

MD5
b04819a5d25b1a31fd72d51c1b8d5b2c

SHA1
6c018c351cdf10307c2321237bd187409e5fc382

SHA256
d036f3cc39496332866828afe5785f3910289dbb4674e31294a224861a4335a0

SHA512
fd4fcb54b283c1d0b3fa8079b4831db992eff142807818a62deddcafa0bb046d992326a762526081533d6b4a095a14eb65a195c21d40feda59be21c713e6ac35

Download Submit
memory/2552-24-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download
memory/2552-274-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-275-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2552-25-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2552-23-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-22-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-16-0x00000000005D0000-0x0000000000650000-memory.dmp

Filesize
512KB

Download
memory/2712-15-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-14-0x0000000000C10000-0x0000000000F34000-memory.dmp

Filesize
3.1MB

Download
memory/3016-273-0x00000000748F0000-0x0000000074DFB000-memory.dmp

Filesize
5.0MB

Download
memory/3016-276-0x00000000748F0000-0x0000000074DFB000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads