b24082496752d0ead8b747742671c5d60e8b7d12dc5b9cfa15ec57a5e61d53f4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e65a52b438cadc584634998e229f00_NEAS.exe
Size

441KB
MD5

58e65a52b438cadc584634998e229f00
SHA1

a4019c54288ce433cc59ea4b0ea4c25e21c81c6f
SHA256

b24082496752d0ead8b747742671c5d60e8b7d12dc5b9cfa15ec57a5e61d53f4
SHA512

19422c34748dfded71898d75d16415b597b04c5ec4c4a551d38d23546400a85b84853bfcd8ecddb9e33738d5270f83f901846edadfd9daac004c947d48198f71
SSDEEP

6144:2eHwXUU5EYCTvaBjRjWrLJKuKnGML5NjcxFSsQLH5Ab:2yMUusvalgg5NjaFSsPb

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\OUD4E7P\\XPW7I4P.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\OUD4E7P\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

Executes dropped EXE 5 IoCs

pid	Process
2504	service.exe
2512	smss.exe
2760	system.exe
2372	winlogon.exe
2492	lsass.exe

Loads dropped DLL 8 IoCs

pid	Process
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2304	58e65a52b438cadc584634998e229f00_NEAS.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015d7f-187.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sUD7O1T0 = "C:\\Windows\\system32\\CUT4D0VWDM2I2H.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0I4PDM = "C:\\Windows\\QTG7O1T.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\X:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\JHL8Q7E.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\CUT4D0VWDM2I2H.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y	smss.exe
File opened for modification	C:\Windows\SysWOW64\CUT4D0VWDM2I2H.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y\CUT4D0V.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\JHL8Q7E.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\CUT4D0VWDM2I2H.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\CUT4D0VWDM2I2H.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y	lsass.exe
File opened for modification	C:\Windows\SysWOW64\CUT4D0VWDM2I2H.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y\CUT4D0V.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\JHL8Q7E.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y	system.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y\CUT4D0V.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\JHL8Q7E.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\JHL8Q7E.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y\CUT4D0V.cmd	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\JHL8Q7E.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y\CUT4D0V.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\CUT4D0VWDM2I2H.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\SJL8O0Y\CUT4D0V.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OUD4E7P	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\OUD4E7P\NQN8R6K.com	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\WDM2I2H.exe	winlogon.exe
File opened for modification	C:\Windows\OUD4E7P\XPW7I4P.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\OUD4E7P	lsass.exe
File opened for modification	C:\Windows\OUD4E7P\winlogon.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\OUD4E7P\XPW7I4P.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\OUD4E7P\system.exe	lsass.exe
File opened for modification	C:\Windows\OUD4E7P\NQN8R6K.com	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\WDM2I2H.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\OUD4E7P	smss.exe
File opened for modification	C:\Windows\QTG7O1T.exe	service.exe
File opened for modification	C:\Windows\OUD4E7P\XPW7I4P.exe	smss.exe
File opened for modification	C:\Windows\OUD4E7P	system.exe
File opened for modification	C:\Windows\OUD4E7P\service.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\OUD4E7P\system.exe	service.exe
File opened for modification	C:\Windows\WDM2I2H.exe	service.exe
File created	C:\Windows\MooNlight.txt	smss.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\QTG7O1T.exe	system.exe
File opened for modification	C:\Windows\OUD4E7P\XPW7I4P.exe	lsass.exe
File opened for modification	C:\Windows\OUD4E7P\NQN8R6K.com	service.exe
File opened for modification	C:\Windows\OUD4E7P\NQN8R6K.com	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\OUD4E7P\service.exe	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\OUD4E7P\smss.exe	smss.exe
File opened for modification	C:\Windows\OUD4E7P\service.exe	smss.exe
File opened for modification	C:\Windows\OUD4E7P\regedit.cmd	service.exe
File opened for modification	C:\Windows\OUD4E7P\XPW7I4P.exe	service.exe
File opened for modification	C:\Windows\OUD4E7P\NQN8R6K.com	system.exe
File opened for modification	C:\Windows\OUD4E7P\system.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\WDM2I2H.exe	lsass.exe
File opened for modification	C:\Windows\OUD4E7P\system.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\OUD4E7P	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\OUD4E7P\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\OUD4E7P\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\OUD4E7P	service.exe
File opened for modification	C:\Windows\OUD4E7P\smss.exe	service.exe
File opened for modification	C:\Windows\OUD4E7P\regedit.cmd	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\OUD4E7P\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\OUD4E7P\MYpIC.zip	system.exe
File opened for modification	C:\Windows\OUD4E7P\smss.exe	winlogon.exe
File opened for modification	C:\Windows\OUD4E7P\smss.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\QTG7O1T.exe	58e65a52b438cadc584634998e229f00_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2304	58e65a52b438cadc584634998e229f00_NEAS.exe
2504	service.exe
2512	smss.exe
2372	winlogon.exe
2760	system.exe
2492	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2504	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	28
PID 2304 wrote to memory of 2504	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	28
PID 2304 wrote to memory of 2504	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	28
PID 2304 wrote to memory of 2504	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	28
PID 2304 wrote to memory of 2512	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	29
PID 2304 wrote to memory of 2512	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	29
PID 2304 wrote to memory of 2512	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	29
PID 2304 wrote to memory of 2512	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	29
PID 2304 wrote to memory of 2760	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	30
PID 2304 wrote to memory of 2760	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	30
PID 2304 wrote to memory of 2760	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	30
PID 2304 wrote to memory of 2760	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	30
PID 2304 wrote to memory of 2372	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	31
PID 2304 wrote to memory of 2372	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	31
PID 2304 wrote to memory of 2372	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	31
PID 2304 wrote to memory of 2372	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	31
PID 2304 wrote to memory of 2492	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	32
PID 2304 wrote to memory of 2492	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	32
PID 2304 wrote to memory of 2492	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	32
PID 2304 wrote to memory of 2492	2304	58e65a52b438cadc584634998e229f00_NEAS.exe	32

C:\Users\Admin\AppData\Local\Temp\58e65a52b438cadc584634998e229f00_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\58e65a52b438cadc584634998e229f00_NEAS.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\OUD4E7P\service.exe
  "C:\Windows\OUD4E7P\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2504
- C:\Windows\OUD4E7P\smss.exe
  "C:\Windows\OUD4E7P\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Windows\OUD4E7P\system.exe
  "C:\Windows\OUD4E7P\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Windows\OUD4E7P\winlogon.exe
  "C:\Windows\OUD4E7P\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2372
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\OUD4E7P\NQN8R6K.com

Filesize
441KB

MD5
fe71bf1ce7958a795424ff508b1fc368

SHA1
0c2763b1713bd9daf8036699bcf10d17dc12ab11

SHA256
e4fd2507605f36449e5f4a011b530dc57912d17018bcd5b6b8f569a1925cc840

SHA512
fe0597638bf60be39cff4372247b912ea1d5a160a68fda7dc41b276ca964786b284c958dd0e50b7f580e0c595d693e0c955db0fd05d338bbc972bb91f6de7c35

Download Submit
C:\Windows\OUD4E7P\NQN8R6K.com

Filesize
441KB

MD5
e9a6cf1d3d8f5b945a0b0fc2e343914d

SHA1
16163c1af96d9367962aa0fbd627e2fbb8608db5

SHA256
8d0a5a3a32fd8ac7c5efca2916e5066a6b01d4cd88dbc6ff1c0ca1fb2957c03e

SHA512
e998dfb211cf513b881b80b3a207e722d220151e54446463ffd10e7c159b127ecf1b4a2a245f7c291a7e4d5a70a664994db620045d241b990cddf929638b144f

Download Submit
C:\Windows\OUD4E7P\NQN8R6K.com

Filesize
441KB

MD5
1127e0e3782de6b29c03522b0ea47194

SHA1
b970ad930bb1d70bc685024d110cac2468ae53c8

SHA256
0cd20cddae0290b2be85ae0b3e8f567ef73a1bac48a8f2ae3a204b13f9821d39

SHA512
8cfb67f24988202ebc7c5117fef2a2e553de86351c33b587cca8ccfe0a52bfbc0694b1e6fa027df007b3c0e35e5a60e2a367be2a4438bb49e0a560781770b8fe

Download Submit
C:\Windows\OUD4E7P\regedit.cmd

Filesize
441KB

MD5
5b6bc352ebfe0c9dcbbd3d7163b8fce3

SHA1
ec2428b9143482e55263764e2e31a59edcde2da8

SHA256
1cac7d0beb925380e1411b7df6d203f439f126cc10d3c86aca3d5e4bceb3e8ae

SHA512
55a291df9a3ad677e7483a641fd703d4555267bfc71a407ea30b789dbbffbfe4ce2a32c92c6e65166c4689ca749a0109583b7526fda53475af6e5a1dc5c07fc3

Download Submit
C:\Windows\OUD4E7P\service.exe

Filesize
441KB

MD5
457fbfa60e7ba982d9ecaef1b69cd484

SHA1
a6a8810e3186bb6188f51c32fabb61567166b47e

SHA256
d2945bb3eae2a06fab8b974a2924c12eb5409406b0ef338a701f5702b7624f4f

SHA512
31523a00c909ab1f50cded7dd0cd955cf7d7889aa6473119cdb6f083efe529934eca1e4541b1ea44a4d298ef4ba8a2dbfa1feb1e7e774337f54949b73a26bc89

Download Submit
C:\Windows\OUD4E7P\smss.exe

Filesize
441KB

MD5
3363ff23da8974f046a22eb4ae9ae7a0

SHA1
a04b7eb28437c01ad615a4d04241f6f9fddd988d

SHA256
b04cc24974cecd248580218d89cd1a1acbe8b7d170b50f8e4b4904e0696c88aa

SHA512
1c0f87a1c9709e5f1d5541cdb339b5dc869e838082b281232d2bd3b7238e3b0eb711f530ab1d92dfcb0dd040c9f20450859adf23654a81d78ad8fec2b076eb0d

Download Submit
C:\Windows\QTG7O1T.exe

Filesize
441KB

MD5
5d523791d8e9f01b63fe12e55e2db527

SHA1
d31943ac29534f9d0ff9bcbc95b41b31d46a9077

SHA256
ea8de4bc04987ab20ce42f3ca1f40cadda1c5e233e0618a43b34637e222c8132

SHA512
abbd60ab999e8bf9edbefe766e220fd4693d3424f467e4a690337991a56f24c2310b587f152fe14e1a692804ad397159acdbe563a23b83c89d3c581d8f35b3bc

Download Submit
C:\Windows\SysWOW64\CUT4D0VWDM2I2H.exe

Filesize
441KB

MD5
acb18b9884a9163335dccdcda5bd406a

SHA1
39cf351de223e3abc6e800aeff949556bf4449af

SHA256
aba25c239266942dfdc1349054f09c15c551b37b7da8fdcc27876f8f24892a03

SHA512
f5613584d552a1959d7164039c375acf684fb973427de8a1b5ea33d9da93dcf9588694029c69ef4660b6a527213603dab03364b8ecc33f00591242d833f6b055

Download Submit
C:\Windows\SysWOW64\JHL8Q7E.exe

Filesize
441KB

MD5
8e67582d7eb0a086980d3abb361d77ae

SHA1
ffb268295e2f143c708ddf1f37da6d57316d8f75

SHA256
9cc74fe24717d5bdecec9255eb259e5e73402e92f3065aa222a19a74040d6563

SHA512
e2d2c3ec0ff7deb4b96008b6e30bf9f4979bc0ca4b977b7352ca7ee6b6ec9503f2c6e1fc04a553ae0f5cc676015b3e1d9c8e7adf2f36eb146c2fc249a6be80ff

Download Submit
C:\Windows\SysWOW64\JHL8Q7E.exe

Filesize
441KB

MD5
17eb12053b384ff8f4d0c39c374c3355

SHA1
e60f21933dabdfaebd748bac80872cb03a7d8caf

SHA256
8fbff51828beeff0b1803dbf570813ba9ad1053833ad470a255d8e45eda5b787

SHA512
4d8fc0023cc55538b5479ddee6736a3ae8bf43778fbb5d9ff9a79e25689fa9322e0aefbaf543c5f7c6bf4ca817cbe58b3b28eafe22fa03d0ef6270707de0d6c7

Download Submit
C:\Windows\SysWOW64\JHL8Q7E.exe

Filesize
441KB

MD5
ad1b2270fee9fdf4d2ef48c5585011cb

SHA1
e797b4adf05e0ce51286b173e32ae0a311b601f2

SHA256
bd00a66a6fbf7eeafc59185fcd97b2e7832f7c7866ee17096b66977d532347de

SHA512
5c8866a59d01ab8fc3b134a97b58a67c731b0137266def1c4bb85edb53acc38e6e8b9fe1f64d7bb3794d1b27b1f08fd4a0fbdaf237112e4836e307dbbee55bc9

Download Submit
C:\Windows\SysWOW64\JHL8Q7E.exe

Filesize
441KB

MD5
1d8eb23c897943fefcf153001c2f39ea

SHA1
bd271b79c33e66e0619390c29cd319ba1f31646f

SHA256
907377a1d088f7aa02e95865de37822727f89165d1ade3a0abea154ea0f1f4c5

SHA512
34751d0f54dc738830bd028d004eb3a6c03c0d5bda9637ebda45f3b0eea1f2759e7bb377498ad9276f7e226dc330a99c05f35201c5974b8c5bb8718abf0e5951

Download Submit
C:\Windows\SysWOW64\SJL8O0Y\CUT4D0V.cmd

Filesize
441KB

MD5
0362295d6a77a7f61788e4879d202a6f

SHA1
0ff098866890462d0289db6dfb38235e7c5bdd33

SHA256
ea04cdb650a38a1ad37b5547fa8a228c8b378e4b8f3218a5c7f51c501c0a481d

SHA512
1eecdcf6c07e9d4b96b51cf0d79e8b11edc754475fb669de26fc07b6a2c00248fd6b4e082b94ac54f2451510f7580ce8b2de9fbaa5fa07cfab4457c5a774223a

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
2c9ff51e4a81e997967aa39d2154d2bc

SHA1
ef2db8faeab966606eb5c48363d60ce694f2d1e5

SHA256
d11c6014eb2c0f0b3a615805b4cad7a9639b41d6f78a220d1041e3581bd2f6e9

SHA512
c23cf02f146c2371a7ca0e2341038ba388db1a48e2063b4aff3316fdf9ee3759c98de5166c4e159e3f95d899e195bb7a69eaed33c47ca07f0ab8d5e58cf7f5f8

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
9627b380bfa803cb3223f4eeef85aa36

SHA1
411cc0b162ecf02028635b34a574bdaa63a69795

SHA256
b9ab3ed10e832e4520fb59f52584a93cd6b5cafde22f6df130105b5f401fab6f

SHA512
7b1e0f6132e1e2977629d3bdc9d74f012193b84eb2619e807e7f2d8b87c1ae601a21b66dcf8afa3d99231775237419adb4114410e79708dba4fd6a6932374be2

Download Submit
C:\Windows\WDM2I2H.exe

Filesize
441KB

MD5
70c2d13256c9ced4119f6f0162477eb8

SHA1
56a67b84f8ae11f94abeb9e27fb73ba42c371583

SHA256
9d806d7f6987788aa3c6ea71cffb81b0b897ce6132bfe899eb3b4c1fe29b3059

SHA512
9c0c98d5888294e62cee1c31009d3fa2c5327acf45c0de163aed1eca039de6bec5bfece04a14bf1477cc1dd82261e80299f9ab58ee1e7604b6e50542199e45a1

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
e9451860cfa19590dcf5765445c4fe6a

SHA1
64833587ca65612a92dc069b2a5944e9d75b12c2

SHA256
88cd19c8dc10e27a72bc776bf00907ac8670f80d2dda89c155678e581578301a

SHA512
bb8da8ae3a7a5cbd392c3d350554b9ad9ec2d53a27fad5d85f181e9ffc8e4c255c2e502046ac757b75b418d36a4faeeb4148361b748284b82ae00e4e8ca918fc

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
0928ffe3a68eaa83e73e9a7bfcfb188f

SHA1
0d75ea59cea8d884bb8ca193a07f1d382a8bf44a

SHA256
9e26c92c0860f1c5a0642a13b4cd7dba4d1a0d255982b1f30029c606f6614059

SHA512
8692ac112859c896041866eae9bb1d3340876a00f90a5d0a970dfee2b259402f030809cc4d4aaa966763925a37cd01bb37763faf513877735f4d7059e32d446f

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
8f4f4d70dac5c886fcc9037abf382a30

SHA1
62a4ec56b541bbdb3fa21e061462bcd1147cb67c

SHA256
cc2d04185427dbbde3ddb85dfdfa97458cab1ce2922f412e4017997255871a51

SHA512
3fdf5eeaa7245e115a6436dbc774393db5d7c36cdf9f89fc416f51ad25b92bec93e22cec6cfdbcdee84d4b21d4f9bd430f303bd0a48c3f4c984906ec341dee74

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
a798579d9710cefd99d59b30816281b2

SHA1
b08a0b7c7264fe5ab0b61b9e8362d81b04dd58d5

SHA256
a1283b6c954e5ad1a467be5398f1a5f518370cfaceeb1a4e8ad04c503867c184

SHA512
ae204e986e3685bc43a54d1f2a569cc41da7b3ed4874e4f16b9638891916b71f9fa96aa0ffd60430c37f6d6173901b1c93fdcd58e13d2a737dcb5091d0f671ac

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
8e6e31f8df128a746ff9a3a38f8f78c0

SHA1
e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

SHA256
dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

SHA512
eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
85c7225cfb89261ca68c6331f9a3d646

SHA1
3ca70d4a466cbb7201ca9487b9993035642601c9

SHA256
43eb341cf6a9965914ffdeaa770c9016279f6d3c65a711cfa482949ff49c814c

SHA512
24a78501edb7074d1541939d55ad57ff97a2c71daf96eed8e9790d97e88472be76650488b1cd272b2667fa7bb421a94a3a5c3adcb07c8abf0ba6e56dbcb0496e

Download Submit
\Windows\OUD4E7P\winlogon.exe

Filesize
441KB

MD5
8e63805d219d57b985446181e7a6abdb

SHA1
f62ec5fdd3a0514ff1544562e85c9fd037bd58c7

SHA256
43bfca179a687c170f1f197d8dd506849c3174c351ad8ec65dfbfccc0ced4680

SHA512
1dc6677181107d75dacabf4fa5a700a78df6ced2a77f309ca00d93e0fc1e4f0d79d7928ee2f1e688e5377e5c00ee71dec14e4aa3962eac80e31435b059214fdc

Download Submit
memory/2304-217-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2304-55-0x00000000034D0000-0x0000000003522000-memory.dmp

Filesize
328KB

Download
memory/2304-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2304-76-0x00000000034D0000-0x0000000003522000-memory.dmp

Filesize
328KB

Download
memory/2304-216-0x0000000003BA0000-0x0000000003BF2000-memory.dmp

Filesize
328KB

Download
memory/2304-56-0x00000000034D0000-0x0000000003522000-memory.dmp

Filesize
328KB

Download
memory/2372-249-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2372-88-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2492-250-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2492-219-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2504-237-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2504-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2512-70-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2512-238-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2760-242-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2760-243-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2760-247-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2760-246-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2760-248-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2760-78-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2760-251-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2760-252-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2760-253-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads