netwire | 91736aebc292f7aa6a99944d7a217b86616f5dbd86d7505a9dc0e567c508bf5d

Analysis

max time kernel
125s
max time network
125s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe
Size

1.2MB
MD5

28c7c3357fdbfef80f92ff8d0efd5988
SHA1

be02669f64bb74b8de0492ef306ad395439c5037
SHA256

91736aebc292f7aa6a99944d7a217b86616f5dbd86d7505a9dc0e567c508bf5d
SHA512

57b65b4af21cbcc72e3c8c0b18ed7d2531bf5c31e02642bd297f5e456befd87f10b670cbfa8ba2ea1f8cea2902eb4e141328284d3b763d07ca77edf42c9df5ad
SSDEEP

24576:SvpG2Cojx0pB9w/4Bf1ZXgcPDZuRW3Ane7AxFzEhed1r9:r2bx60/4B3NDcAwe7y+heR

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

pd1n.ddns.net:1968

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
pd1n-noip
lock_executable
false
offline_keylogger
false
password
Kimbolsapoq!P12
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2584-89-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2584-88-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2584-85-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2584-91-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
2044	sdfgdwscvb.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	cmd.exe
2560	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfgyhtyswq = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\dfgyhtyswq.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2584	2044	sdfgdwscvb.exe	34

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.net\Framework\v2.0.50727\.IgHiJkLiO	regasm.exe
File opened for modification	C:\Windows\Microsoft.net\Framework\v2.0.50727\.IgHiJkLiO	regasm.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe
Token: SeDebugPrivilege	2044	sdfgdwscvb.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2560	2084	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2560	2084	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2560	2084	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2560	2084	28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe	28
PID 2560 wrote to memory of 2044	2560	cmd.exe	30
PID 2560 wrote to memory of 2044	2560	cmd.exe	30
PID 2560 wrote to memory of 2044	2560	cmd.exe	30
PID 2560 wrote to memory of 2044	2560	cmd.exe	30
PID 2044 wrote to memory of 2792	2044	sdfgdwscvb.exe	31
PID 2044 wrote to memory of 2792	2044	sdfgdwscvb.exe	31
PID 2044 wrote to memory of 2792	2044	sdfgdwscvb.exe	31
PID 2044 wrote to memory of 2792	2044	sdfgdwscvb.exe	31
PID 2792 wrote to memory of 1952	2792	cmd.exe	33
PID 2792 wrote to memory of 1952	2792	cmd.exe	33
PID 2792 wrote to memory of 1952	2792	cmd.exe	33
PID 2792 wrote to memory of 1952	2792	cmd.exe	33
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34
PID 2044 wrote to memory of 2584	2044	sdfgdwscvb.exe	34

C:\Users\Admin\AppData\Local\Temp\28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28c7c3357fdbfef80f92ff8d0efd5988_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\ghghjjkqwes\sdfgdwscvb.exe
    "C:\Users\Admin\AppData\Roaming\ghghjjkqwes\sdfgdwscvb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "dfgyhtyswq" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\dfgyhtyswq.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1952
  - - C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
      "C:\Users\Admin\AppData\Roaming\ghghjjkqwes\sdfgdwscvb.exe"
      4⤵
      Drops file in Windows directory
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_6DEFC1B0F00B73D870DAEE9AD78095DA

Filesize
1KB

MD5
883b12e0acef8a17b46c2d728e9ee1e6

SHA1
546955f6d8b0657f2dde5a06de467949ee3733fb

SHA256
49d5e7c6db30db8fa95858bd7c003ba1d2d86beeeb45cfa888fcf4cb5d7b9464

SHA512
bbccaed5d53470d7ee962606f864eb74917bc283a142d15f05dd6e5954b4792ab56db6cf0e1b0c539ba2d6344ca8feb33d99f29c6784a5422d4ac7a9c95a3247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_6DEFC1B0F00B73D870DAEE9AD78095DA

Filesize
398B

MD5
3ae5b1f2fd6c86f40f6ed849f80a9d93

SHA1
e2f397c5a85fc51ea4152fcece8545cb4b92eb51

SHA256
47826b472323c3dc8ee08a3d12a453e78fdf4038baddb7508e1906ce4554c72f

SHA512
f080849f00942813d6bfb78b7ed55a626f9e062692920374e480dc79a8463aef42ee605d1a3bbeef1b7dc2d974c4ec0435cdae441f320c48348ecac08dedab81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F

Filesize
392B

MD5
63f7a04239dd3b15c698767b39d779cd

SHA1
0a325b43270bb7b347f702032a3a2faa1597ec16

SHA256
664f112c2ba15afa0088590d12b6eba33cfbd4913538bfc1868cc6582bf2af51

SHA512
352db102fee8da228ea2416e33cf6ca5a3ccff8c935abf9f1eb0b106cd736e0999f7e95f4602b68fff7531fb9099b51cb54dc7f361952c3491fdfcc0d7b618d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f1e5ebcdf64811c40cea9fcee19a527

SHA1
d698854748bd8e62405b1a99aef25f5831a6fa41

SHA256
4f9c653ac0565945840c9f4df7fca0cd31ba6faaf93046e74302b10c37b2a23f

SHA512
575604babc6ab578acf979ab7808db9db398b8971fbc4003e68f28a3fedf7bf6db90c21ced1d81bfdd619cc70921aea2844b0510b91ec48d6ea1efd86e40ff1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A

Filesize
178B

MD5
f063a1a9d320339c471106770e7ea626

SHA1
365a3cd786b7df8fb9a8e9375459597edcc26633

SHA256
72a68557c2fc680f70e34b16c5c17ccce0342a346ff7bcdddb2e8455e4a44480

SHA512
62396266759104af6c8f0c08d9e2603bafbf25b7dd882e22dd02477ea70ec73e70bd98d97403c5fbacc337f2760584c5d67476d11d5710c8cefbe11eea5f8059

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD2C.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD5E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\ghghjjkqwes\sdfgdwscvb.exe

Filesize
1.2MB

MD5
28c7c3357fdbfef80f92ff8d0efd5988

SHA1
be02669f64bb74b8de0492ef306ad395439c5037

SHA256
91736aebc292f7aa6a99944d7a217b86616f5dbd86d7505a9dc0e567c508bf5d

SHA512
57b65b4af21cbcc72e3c8c0b18ed7d2531bf5c31e02642bd297f5e456befd87f10b670cbfa8ba2ea1f8cea2902eb4e141328284d3b763d07ca77edf42c9df5ad

Download Submit
memory/2044-63-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-94-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-0-0x0000000074A71000-0x0000000074A72000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-62-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-81-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads