sality | ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Size

175KB
MD5

6a61a3d7d8ea4a373a2b71d50f166882
SHA1

bf3d7a162624857a267e197dbd745b120dba239c
SHA256

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95
SHA512

48f5ac05f965713515c8b00c5b84e72fa2d109deac8c2235bda191661ec208dabd2f991636bd0859170fc16873a595315b61f306d6bec327210422e7efb5ad69
SSDEEP

3072:aftffjmNaftffjmNmcoa3b9OBFhfY6XHNNTGkZm1MOTLjAimZcoa3b9OBF:aVfjmNaVfjmNm+BOBbfY6XHjSkZmGgje

Score

10^/10

sality backdoor upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1812 cmd.exe

pid	process
1812	cmd.exe

Executes dropped EXE 4 IoCs

Processes:

Logo1_.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeExplorer.EXE

pid	process
2240	Logo1_.exe
1996	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
2144	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
1196	Explorer.EXE

Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.exeExplorer.EXE

pid process

1812 cmd.exe
1812 cmd.exe
2728 cmd.exe
2728 cmd.exe
1196 Explorer.EXE

pid	process
1812	cmd.exe
1812	cmd.exe
2728	cmd.exe
2728	cmd.exe
1196	Explorer.EXE

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1996-44-0x0000000000600000-0x000000000168E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini	Logo1_.exe

Drops file in Windows directory 6 IoCs

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File created	C:\Windows\Logo1_.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\rundl132.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File created	C:\Windows\Logo1_.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.execmd.exenet.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.execmd.exe

description	pid	process	target process
PID 2084 wrote to memory of 1812	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 2084 wrote to memory of 1812	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 2084 wrote to memory of 1812	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 2084 wrote to memory of 1812	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 2084 wrote to memory of 2240	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 2084 wrote to memory of 2240	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 2084 wrote to memory of 2240	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 2084 wrote to memory of 2240	2084	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 2240 wrote to memory of 2640	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 2640	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 2640	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 2640	2240	Logo1_.exe	net.exe
PID 1812 wrote to memory of 1996	1812	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 1812 wrote to memory of 1996	1812	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 1812 wrote to memory of 1996	1812	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 1812 wrote to memory of 1996	1812	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 2640 wrote to memory of 2720	2640	net.exe	net1.exe
PID 2640 wrote to memory of 2720	2640	net.exe	net1.exe
PID 2640 wrote to memory of 2720	2640	net.exe	net1.exe
PID 2640 wrote to memory of 2720	2640	net.exe	net1.exe
PID 1996 wrote to memory of 2728	1996	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1996 wrote to memory of 2728	1996	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1996 wrote to memory of 2728	1996	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1996 wrote to memory of 2728	1996	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 2728 wrote to memory of 2144	2728	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 2728 wrote to memory of 2144	2728	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 2728 wrote to memory of 2144	2728	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 2728 wrote to memory of 2144	2728	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 2240 wrote to memory of 1196	2240	Logo1_.exe	Explorer.EXE
PID 2240 wrote to memory of 1196	2240	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196

C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
"C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a12F4.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
"C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a13FE.bat
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
"C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe"
6⤵
- Executes dropped EXE
PID:2144

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2720

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
96e1b35794cab7c89ed11aef9fd21231

SHA1
f117566e261850b2a7439a644d229ae68917da20

SHA256
b3a73fa9b408ee517b0bfe8d54f7ddfa25158dc2a9aa0944b08b11fbcf8b57f3

SHA512
6962ac273cce263805f787f1a08584125091c906e9a753023cdc54e20ad3f0d2e63678d6d167e5febbd5a2776360cb1266200fac701bb755a3ee97938c558a16

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a12F4.bat
Filesize
722B

MD5
cc9be3953b08bcc3572c177254cb6cac

SHA1
76fee205644010a271e421f11a9db307a94c475e

SHA256
92b89656a1d2af8dbba6a6fde1e39424461104f80f134e996ec0f827f97bc1d3

SHA512
79f93a08829d9ce25ce5ba8d036b4357cb7b8c165c5e47d149a9a4648cb9b023f71278e0d1fb8db0d973f9ddc09ce28236e1e72974fd81e87a3bc55e582c84b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a13FE.bat
Filesize
722B

MD5
206d4512ba00cfbe2fb367e4b9632d6a

SHA1
b943647c395afc7986e2d0f623462c065bf01bd2

SHA256
7600a477232d6ca5b502b44bae64be8336c42cb4360b0018d1e17a7df4434fd2

SHA512
1509d9c6787d59f0236654f37fe6b31f74b34753aa28028aebd080ea8722f49b7881a550d26639cce0d0994c9f75732dd27a54c161c7e21dbf8e12f37df8f5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe.exe
Filesize
123KB

MD5
545c8eaf76284f3a19868beeb5ed9468

SHA1
71aa8f38967552840fb0ec45e0ea6586052dd01a

SHA256
ff9a0963d54145747422bf112102df5b15cd0d2e6425673590c323c028db481b

SHA512
0b873532d9f065e3cfa72af297ccd64df9205e99523c4579508e6a11fa87590d6f19455bf78c8e71f9a332852cfabae64e890899e7b0b41ba87434799ec1b278

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe.exe
Filesize
149KB

MD5
60cba5d5d2f3c1b7cc30ea13d7aa3ccf

SHA1
4dc4de651d6c51d9232d883bab16afc3bb2c9cde

SHA256
336bceaf647585452d703c72c3f9ed448f51defebb3c96486ee50563ce6299ab

SHA512
01d40229fd8864775eb3632140994286421eea0cf5f2ee510cff4cdfec09df040ba20daa6118ef2b6c9e2d399eac61f7236290dac30d1fdc75f6feeff27dc1e2

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
501e8b69f0c69752427230a1a009466e

SHA1
96d9e84f26cda2da08e2aa64d3a0a4e01bfa91b1

SHA256
48c1b2a71fe3057e59ca81108b97cff0189251c8d98739462bf65e307a7352dd

SHA512
1c11f011297000e4a103a2f2732bc47b5f6f4fef9ce746ee519fa7b57a08703bf73ce148b9caa5b20dc104323dda304553b384a2520bda9c6b5f3fce79be7656

Download Submit
C:\Windows\rundl132.exe
Filesize
26KB

MD5
3b569dd590fe54c93c348668d5a6485b

SHA1
ca3f84814c40aede97e456b732310f84c073e70d

SHA256
5ad5ec797c8d0a90d3f18f41e0f15871f083300681478402e6814021af53eaed

SHA512
7313b0cb51367225e001fddd50b23b06f908a36a0c5bffe4dc2d153fd778dcfc18b1a32437d726182dcc0819fbabba5c64749aab33ca7af12352a7d43f7f8369

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
Filesize
9B

MD5
1d8a3f28a10f9f8be912b9aa0d257c6f

SHA1
358ca1e31914fb991e009c945a40796cf465bb50

SHA256
3887316b3cbbf3fa224813b5883e0ee043c8422d4f72d4ebdf0ae8a195b40d3e

SHA512
b1ec3f07af4abcdc007ab43a9e685419176d74a6856df9be9085f5bc33178b91b30fc44667fd083d2aa818483b4ea216920fa479ebb277325c7b1e5d7a8caec1

Download Submit
memory/1196-54-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/1812-31-0x0000000002270000-0x00000000022B6000-memory.dmp

Filesize
280KB

Download
memory/1812-30-0x0000000002270000-0x00000000022B6000-memory.dmp

Filesize
280KB

Download
memory/1996-45-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1996-44-0x0000000000600000-0x000000000168E000-memory.dmp

Filesize
16.6MB

Download
memory/1996-32-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2084-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-18-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2084-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2240-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-1018-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-1899-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-2207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-3359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads