c82b61d723e89dce005ca631f38166ae5b23dea6bce626c0ac8f2856163f6906

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Size

2.8MB
MD5

fa475fe091f7aeed7cbffd8b289ac0b5
SHA1

0eb6294df0b4b36fef41c8ea7b27f731147505e4
SHA256

c82b61d723e89dce005ca631f38166ae5b23dea6bce626c0ac8f2856163f6906
SHA512

84a3141ea9e2c7fbdf868c165d2bae38a59e71f78afaadfc6573626b2abd1714a36e2a5cf38f9572197592affbe06b348be35a961ee0c888c46957b6c85ecfde
SSDEEP

49152:D7gYRlYTvAS0+gvjCjCVQEX2YN2DhFGtXUWp1GaR8vk1bzNGl72YIqq6O:D7g2Gzqv+FEXYDhFOXDnLRrzNGoYIKO

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

tG9KFBVCktZrhQC.exeCTS.exesetup.exe

pid process

1648 tG9KFBVCktZrhQC.exe
2632 CTS.exe
2812 setup.exe

pid	process
1648	tG9KFBVCktZrhQC.exe
2632	CTS.exe
2812	setup.exe

Loads dropped DLL 13 IoCs

Processes:

2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exetG9KFBVCktZrhQC.exesetup.exe

pid	process
1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
1648	tG9KFBVCktZrhQC.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe
2812	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\U:	setup.exe
File opened (read-only)	\??\W:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\I:	setup.exe
File opened (read-only)	\??\J:	setup.exe
File opened (read-only)	\??\G:	setup.exe
File opened (read-only)	\??\V:	setup.exe
File opened (read-only)	\??\L:	setup.exe
File opened (read-only)	\??\X:	setup.exe
File opened (read-only)	\??\B:	setup.exe
File opened (read-only)	\??\H:	setup.exe
File opened (read-only)	\??\K:	setup.exe
File opened (read-only)	\??\O:	setup.exe
File opened (read-only)	\??\A:	setup.exe
File opened (read-only)	\??\Q:	setup.exe
File opened (read-only)	\??\T:	setup.exe
File opened (read-only)	\??\Y:	setup.exe
File opened (read-only)	\??\Z:	setup.exe
File opened (read-only)	\??\R:	setup.exe
File opened (read-only)	\??\E:	setup.exe
File opened (read-only)	\??\M:	setup.exe
File opened (read-only)	\??\N:	setup.exe
File opened (read-only)	\??\P:	setup.exe
File opened (read-only)	\??\S:	setup.exe

Drops file in Windows directory 12 IoCs

Processes:

2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exengen.exengen.exengen.exengen.exeCTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

setup.exe

pid process

2812 setup.exe

pid	process
2812	setup.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exeCTS.exesetup.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Token: SeDebugPrivilege	2632	CTS.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeSecurityPrivilege	2488	msiexec.exe
Token: SeCreateTokenPrivilege	2812	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2812	setup.exe
Token: SeLockMemoryPrivilege	2812	setup.exe
Token: SeIncreaseQuotaPrivilege	2812	setup.exe
Token: SeMachineAccountPrivilege	2812	setup.exe
Token: SeTcbPrivilege	2812	setup.exe
Token: SeSecurityPrivilege	2812	setup.exe
Token: SeTakeOwnershipPrivilege	2812	setup.exe
Token: SeLoadDriverPrivilege	2812	setup.exe
Token: SeSystemProfilePrivilege	2812	setup.exe
Token: SeSystemtimePrivilege	2812	setup.exe
Token: SeProfSingleProcessPrivilege	2812	setup.exe
Token: SeIncBasePriorityPrivilege	2812	setup.exe
Token: SeCreatePagefilePrivilege	2812	setup.exe
Token: SeCreatePermanentPrivilege	2812	setup.exe
Token: SeBackupPrivilege	2812	setup.exe
Token: SeRestorePrivilege	2812	setup.exe
Token: SeShutdownPrivilege	2812	setup.exe
Token: SeDebugPrivilege	2812	setup.exe
Token: SeAuditPrivilege	2812	setup.exe
Token: SeSystemEnvironmentPrivilege	2812	setup.exe
Token: SeChangeNotifyPrivilege	2812	setup.exe
Token: SeRemoteShutdownPrivilege	2812	setup.exe
Token: SeUndockPrivilege	2812	setup.exe
Token: SeSyncAgentPrivilege	2812	setup.exe
Token: SeEnableDelegationPrivilege	2812	setup.exe
Token: SeManageVolumePrivilege	2812	setup.exe
Token: SeImpersonatePrivilege	2812	setup.exe
Token: SeCreateGlobalPrivilege	2812	setup.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exetG9KFBVCktZrhQC.exesetup.exe

description	pid	process	target process
PID 1996 wrote to memory of 1648	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 2632	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	CTS.exe
PID 1996 wrote to memory of 2632	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	CTS.exe
PID 1996 wrote to memory of 2632	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	CTS.exe
PID 1996 wrote to memory of 2632	1996	2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe	CTS.exe
PID 1648 wrote to memory of 2812	1648	tG9KFBVCktZrhQC.exe	setup.exe
PID 1648 wrote to memory of 2812	1648	tG9KFBVCktZrhQC.exe	setup.exe
PID 1648 wrote to memory of 2812	1648	tG9KFBVCktZrhQC.exe	setup.exe
PID 1648 wrote to memory of 2812	1648	tG9KFBVCktZrhQC.exe	setup.exe
PID 1648 wrote to memory of 2812	1648	tG9KFBVCktZrhQC.exe	setup.exe
PID 1648 wrote to memory of 2812	1648	tG9KFBVCktZrhQC.exe	setup.exe
PID 1648 wrote to memory of 2812	1648	tG9KFBVCktZrhQC.exe	setup.exe
PID 2812 wrote to memory of 1636	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 1636	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 1636	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 1636	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2852	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2852	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2852	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2852	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 776	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 776	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 776	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 776	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2420	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2420	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2420	2812	setup.exe	ngen.exe
PID 2812 wrote to memory of 2420	2812	setup.exe	ngen.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\tG9KFBVCktZrhQC.exe
C:\Users\Admin\AppData\Local\Temp\tG9KFBVCktZrhQC.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

\??\c:\5057fdf5155b5801b1\setup.exe
c:\5057fdf5155b5801b1\setup.exe /web
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue pause
4⤵
- Drops file in Windows directory
PID:1636

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue pause
4⤵
- Drops file in Windows directory
PID:2852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue continue
4⤵
- Drops file in Windows directory
PID:776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue continue
4⤵
- Drops file in Windows directory
PID:2420

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5057fdf5155b5801b1\locdata.1055.ini
Filesize
15KB

MD5
afcdf8d8c96f5c695254e2e620f8d410

SHA1
fe785b77e4d5a2f283fe9ecc0606d081e99552a1

SHA256
370ff239e143b83ad4440ffaacc05b3750ea1fd3858ec8f1e6e208d3a72bfefe

SHA512
664000953fa8aca3fca23ee41b7387ca40e68b772e252bba8974bc21df2137fc188a9c22112d593ba83b26653710d8f81845111944e05d5dc0b15c3a541b6d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt
Filesize
473B

MD5
a7a6704ff96ee0ba11559154c65b6f09

SHA1
19b3dd215b647acf904e3bc93dae97593e556320

SHA256
b07fe287031e4573a099cd3b07b3ea737c9fe86034fd585deecefc559834b2ad

SHA512
9570b69216ff573e0094bfcec388f45b47bc6ceef4dab20ce1383cc1723d885814946a4e2388ec3f72e3fb8a7f56bb40806e1b81f7ddd8031162166ba4729e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt
Filesize
2KB

MD5
8b503cb8c1feebafdefde139558974fc

SHA1
f80e6f5c5927aa725faa9d7a0d36887f919df058

SHA256
93fa89a7fdf734e7301d3644097b624f53663a769e13a1e14c2b9ef9b317a317

SHA512
87b7f75a37ec2a96985e3c20a84a81524ce93b2a3dc384fbad90232994b67974fe49d9069c177d502666cf23fe4556480a9456f51368946e861210745b838dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt
Filesize
4KB

MD5
c28347b0e2848138f07270999e1601df

SHA1
659713fa8257a4994b7f0bc51c446e912b4fbc30

SHA256
f1fd1d325626cfaf5b3ababcf8205ccefbef5e8bbc29b10281dd8412a3d56226

SHA512
3b732a672a629a13c5f02d0711cc9c60fdfbb431ed3b70c838ec1d93241e33296abba4723868b2e3ce55407ac4e0b585dc6d46611d39479c37e99f6930f49b6d

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log
Filesize
307KB

MD5
2de9fd1ee33f6d76c3802ef6ade130d2

SHA1
bf4462ec9d13bd0ae28561f3f4a1df2390d6408f

SHA256
90d683083d390f671b42dc5e6a18f36f3c537e6aac58a253b39b93433de6c73d

SHA512
f12b1ca3521bcd026ae9bae7a4674c4ac60064afccc108403cb1199897ec062bd7925497604c623715667f5a5ed5320e9bcbb71d34f0f191ae9eadfc3b9a4437

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log
Filesize
307KB

MD5
2265c64180d26628fb4faccbed70ce33

SHA1
c2d84fc9b6833fcde0f35198c388321ed3851e97

SHA256
ed997c4529a1f78bffcb7bb78238e0afbd25b7623f14779d0fcd37a73febe270

SHA512
227e41a482e1004966459e09ab936f1558083a84eb891efdca445d49a89541e790319297ac58044c6e4685d8eb5469c829486a3dc5fa5006d44e173e3753d944

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log
Filesize
257KB

MD5
f16afcc97e8b742a9ac42d3b2e7a4a91

SHA1
84ed4e41162098261694b8386cbf48a1b0b1429d

SHA256
17601797424bd4b4fb5a1d600e9b41d2bbdf4f03e245e7c4029f5d5f6d907cae

SHA512
f5328593600f25c95761495dd66a45819fc0d666c29f93742e20d17ca44c1d3377663fbafaea47e71079d9a1dd7d199430aeb9a5f7a1112554523ddd9c0ca9d3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log
Filesize
257KB

MD5
d366fb92cc54b25a73c5d840f0f44e22

SHA1
9e662698aa989088d481847ff0a2ddb468dc010d

SHA256
a0d6aa5a3691f9ef116b8a9ff762ec6f0daf6c8b6218e5b10b4c3e4d84a913f6

SHA512
e861db06f1abf31de6a9ae8de041a7054127368aa3230ab07e01e5c9d4269a23945dacdfcae89d7b7b03a545f90899a60156ebad0e14bf584ad4ad4b3f277d17

Download Submit
\5057fdf5155b5801b1\setup.exe
Filesize
262KB

MD5
f9eef088eced778bd54b716b0459fa8d

SHA1
4e371fdea1258f508a956b9a7dd58e3aee9a67a4

SHA256
ff2be9643a7df7241768e7e439524d11618f2b8a8fbe47f2e94d6453b0e04dae

SHA512
7309817a3fc29892f2ce87db63b58b1c95e03bad3cfb7a987d543861ddc2766d83f3b3d6bb4bb2af8b3c3f7fa270e527d92c9ca661ff6b7fd9ff1d5658e73133

Download Submit
\??\c:\5057fdf5155b5801b1\DefFactory.dat
Filesize
784B

MD5
b4d60c4744eaead8f042b06a71a89e15

SHA1
9ff4fe9922ba4306cbf7a7dbffca3d7c0be81aae

SHA256
8de5a4fab48b4afaadb3b3226f26b7c8c7e202e114181aea7861352484e730c4

SHA512
58e6684c3fb9c84d7ef0ae39247667a04aa9b0da32d1507ab80fc0582447590bf728e6324e8e34680bfbba9ebe1a995ed0fe3e9e161c182dd53b271fcd56a4f7

Download Submit
\??\c:\5057fdf5155b5801b1\HtmlLite.dll
Filesize
173KB

MD5
1427f0ee7ff3ca5339f54a2b2480dfaf

SHA1
f14f4beb3131b925dd958d83f5f22a53a29bd2cf

SHA256
b238e8c647d2980ed5e965f484e8adadcb20832719735dd94472cfad2a27d9b6

SHA512
fa8b87c3fbcc02a5c7ea18968a11b815bbf87f8cf58c766366cc6fcb80206dbf5dfa36880fe8cb17092aefcb51513dae39ed6a806f46d0055979e9ffb64e02e6

Download Submit
\??\c:\5057fdf5155b5801b1\WapRes.dll
Filesize
104KB

MD5
e8824670433ad8593af150b2eb6913d1

SHA1
03e9ab11c1f7bc1b20309da2eef3ae52ce7be90f

SHA256
f8cb2735a2789d8e6b4cd1c7391ed8923466afd274490773e208d502132d1072

SHA512
8cdd6ed3b7fde72c148f8f5f0a795a796ec0d3c0c863d4c8f2cbdfb70443728eb975c1cf683f8e9dcd6079619c0c4e36f97bc56d348ad8b061390f9749faf95a

Download Submit
\??\c:\5057fdf5155b5801b1\baseline.dat
Filesize
205KB

MD5
814af5d4e24f23eb2c93145f8469d8e3

SHA1
fb2f66f333b8f5ea727e70ad15e4d44ff66bec8c

SHA256
e27661f825eb319c845e48b19f5a60a19eb1985b377e2ef613409880a5b7d242

SHA512
580fd779e53fac57a29032211c3bbd7632407e4f0dac99f6cfca4e8a035e64ed9671623f4ddecbb56f3a31682ce55d392262c421d18a857b6bd2725280814cac

Download Submit
\??\c:\5057fdf5155b5801b1\dlmgr.dll
Filesize
269KB

MD5
a309fe305d44711d62f03c8bae580e40

SHA1
27e3d98b556ec41ead00568b5c58a35c8e226228

SHA256
8d41eb260b66521b7789e7ca3cd98296b6cd309e2ca86959ceaa3a87892527ee

SHA512
bdf1f674e0a1b7d192cf8001b75b301b440c1f547c2de36a33f4065f0be6a24c5f5f4fc6bc4c4693c622f5cc042263e4cfecc73394f3da81365a53d6b6491a68

Download Submit
\??\c:\5057fdf5155b5801b1\gencomp.dll
Filesize
1.0MB

MD5
7701205cb985edbae0c1d283604e04a4

SHA1
2462782694a693fa1de5a0cfd32dcf66ffecfef8

SHA256
4532624fd6b585c519dea8e3023a68a0b2adfa801712ca616d411078e7f4d541

SHA512
6d11be23ba7f6f4009c41cd08e78dbb80ce2d5393ac754d5380be12a12c8c2d385ee891a651c608d1eb1cd46932c8c10f8cdddbfb051a62b532a51b0bdd51864

Download Submit
\??\c:\5057fdf5155b5801b1\logo.bmp
Filesize
5KB

MD5
27d1fb0f5ffab86ee4c906b67f7e3c29

SHA1
6f984c1e49ecfd5c3b9916c2e4b434fb8bf6103e

SHA256
0d6e46ff07901cc9d82e8fd76f8477474c3f440bf2e43ee5cea859c0095962a2

SHA512
db1d703f0bf9630404f64de54fc16447dbe993b61d2978e757a6676c1ad26c3f738c1cab7d269337f314dff917183f9330d57e4becbd69dbcc3daeada4ccfa9f

Download Submit
\??\c:\5057fdf5155b5801b1\setup.sdb
Filesize
71KB

MD5
7a94ef3b998e1098d2f4f7c66569bb9f

SHA1
5859e1ceff415a3613cee75f6b93dffa085ef83d

SHA256
95d71e04f822cdc59cc7bc449401f6e0c378f0ed7352ae83f5db30ee2d724639

SHA512
40d3d4b8930fd2d218c569be742c8640504369e66a43ec507d4c0d90e0fc61a45a58e5c96c4c5dc33b15cb2f632eae9dc796fb893c1cbd342fe9aa6e9fcfcd8e

Download Submit
\??\c:\5057fdf5155b5801b1\setupres.dll
Filesize
107KB

MD5
96d6e171f743a7c9222e2bc524e48a52

SHA1
ef1780adad57493058312967f720de1946d85a29

SHA256
73faae5003cf24b7b399d46d42babd754e132112e3bac9c1249a1310a25d1c6b

SHA512
4aaceb25276f5cb0c214e2141714d3044b01aad90289305bb3e211ecc53bd0cfdd41d73649bc2a31f017b04b95a69863bb3abb604f7d7bb7712c5e0a3ca36357

Download Submit
\??\c:\5057fdf5155b5801b1\sitsetup.dll
Filesize
1.3MB

MD5
70d42b96463300dcf804e18f2f1f9db1

SHA1
670e74d08090f78e63f056fa814aeb6d3c56e620

SHA256
63492edb2927fb8dea57580a55901f805c4d61e10d7f097b61f0b9dbf03aedbb

SHA512
b911562185e439306e04d96b3903005ca16d6506f4a8f1fa0a4e7923eec7486a3a722e093c372553a0b12c58ce133b3acdf54deae1828ef0b9c3bfe8279d5474

Download Submit
\??\c:\5057fdf5155b5801b1\vs70uimgr.dll
Filesize
613KB

MD5
cd272480b9a40c1743791e8618fb5541

SHA1
ef1126e163b14563780ce3250408572c6966878c

SHA256
c5b6d65a9667aa1231c66d72ff86fba55e50ba7f4e279cf3f267e03d90d616a0

SHA512
6ecffe64826d0c3e88a2d78486800cf526891551d0edfca1e89c9f1a65d28ebc4bbe42ea141208c09ebfc7967fb1c0271bb7fc6562f17aa298518798caaaaac8

Download Submit
\??\c:\5057fdf5155b5801b1\vs_setup.dll
Filesize
1021KB

MD5
ea4594bfc4df5a6f16dd79ea27b93a70

SHA1
80b492ad344f775001d08b2023c51f5199a724b9

SHA256
25b52ec5e47ec8dd0719bdc4961c926d32bb5ac1e0fc71a9d8cb5ab835da6ab1

SHA512
f3f410039fb21149f40bc2d06e2734ef349a9a993537165e551ea8dd0c011386fe75ecaf4b1c7336e76eb50a6f7c36600284798a460f1d0a8783c00daecc7d2c

Download Submit
\??\c:\5057fdf5155b5801b1\vs_setup.ms_
Filesize
603KB

MD5
8f479f91a12d4e48ecaaaa478aab1042

SHA1
ee42220275f4e82986f36d4f144fc891b07008c9

SHA256
b051bc37cc923fd3928a4d95ae4478d7b83f719625100ac950c6462a004399a5

SHA512
39d01f80f8fbd8d83baac76179f2d6c56206f7c29d692f89c51a8e1e9ff241a3bf6c30c5a37242e9cf7abb227edc75d695cab89bb9be845b39ce2f91aa916186

Download Submit
\??\c:\5057fdf5155b5801b1\vs_setup.pdi
Filesize
20KB

MD5
7b8966dffd15fa01d5bbdd7b312b526b

SHA1
cbfd752a07b35571917820b63a7799bf6755b5d4

SHA256
30ced1ffe473aa41d6968901f6a92dbe7d3f5e60a4ab5d5c82994e14b26dee91

SHA512
e11b4ac10aebd0cb9ec60cbd0fc14b52b99aefd154ca16cc7f49787c0e0954121e9bfd6a9e0cb4ab4a0a1868ca24db8a45ca6cf4b4e6c57a361d79cb352d6cd7

Download Submit
\??\c:\5057fdf5155b5801b1\vsbasereqs.dll
Filesize
401KB

MD5
057549953160d1e3e54c14263faf885d

SHA1
d3d73df0a71de5bab88932f08344ef91c7653ef4

SHA256
fc5f4e4f12e3baf632a267979da96955412caa63391f1d8137332672ba35cb46

SHA512
53116ad0019ea6bc8385acf3b6eb1a398e926abb4b76462771edc4e95612a527eaab42a6d4eff7d83ed562cc6a3b922a168c17525338ad560aefe7330185f381

Download Submit
\??\c:\5057fdf5155b5801b1\vsscenario.dll
Filesize
671KB

MD5
9b44d9e919f2f89365fb197bbd505400

SHA1
cd7484c2564d6f2d5baea8b5408af7715d9a3f49

SHA256
ed27270ea89f0a1cfda7f6e100204ebec0641bb41cafca5a287db81e69cdc120

SHA512
7cf04eb0ca2613648e21476da133716eddb6b53ba29b4dfd461a8b40295e4b928b8a57f4fc2cca4199e31eb88daf4a1899fe017afd5bfe1eddc0793119f9d517

Download Submit
\??\c:\5057fdf5155b5801b1\wapui.dll
Filesize
958KB

MD5
362a5e06b9aff6d147e491c13b0c3b60

SHA1
c96c759c956a631413717be23d1acae76c252b89

SHA256
df6ee489eba67f24812576dcd1e717029cbf80beed5c623742f7f4fa59928352

SHA512
334a729948e63a35f173a8fccac525efdb2676d174097cf0bac92267c9ef5a95ffb4b9f157c8d0b0f0a31952292a08a1a87d91d6d199ad76c7523685ec348942

Download Submit
\Users\Admin\AppData\Local\Temp\tG9KFBVCktZrhQC.exe
Filesize
2.7MB

MD5
269f314b87e6222a20e5f745b6b89783

SHA1
b0ca05c12ebb9a3610206bad7f219e02b7873cbd

SHA256
c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257

SHA512
34c574c78315cb83aac1b763a4f26f978d6c80d8e5bd61b601d16fdce2bccc109f8b46f03fb938a2ff2b9acb4793313f75b15539006e72b827ff7673507e5beb

Download Submit
memory/2812-142-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads