neshta | 2835c974cc09bb061c2737418d331ca8a338936f7d986ce848396c78b35845be

General

Target

XClient.exe
Size

37KB
MD5

d837db914680e0e91ee392cf2b3f3d2b
SHA1

30f2fc5f58250895f74969d1a7c932f68efcd9af
SHA256

2835c974cc09bb061c2737418d331ca8a338936f7d986ce848396c78b35845be
SHA512

aff4c2cafa23813d5c16ccd8baa8247697cc444c3642140610113f7e4854c083fad514ef3a6441b1fb3075e819af8599d1c5f5b3725c89521045f55598ebcd7b
SSDEEP

768:xz5lT+Q2PeKmxzHAXFyK9Oi26YOjhDPygM:xz512PGLuF39726YOj9u

Score

10^/10

neshta xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

weeks-deployment.gl.at.ply.gg:56058

Mutex

bGBs6Wpo1XzkMyuH

Attributes

Install_directory
%Temp%
install_file
System32.exe

aes.plain

Signatures

Detect Neshta payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tdwirz.exe	family_neshta
behavioral1/memory/2492-138-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1472-1-0x00000000013B0000-0x00000000013C0000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2636 powershell.exe
2100 powershell.exe
2528 powershell.exe
2952 powershell.exe

pid	process
2636	powershell.exe
2100	powershell.exe
2528	powershell.exe
2952	powershell.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

tdwirz.exetdwirz.exe

pid process

2492 tdwirz.exe
1964 tdwirz.exe
Loads dropped DLL 2 IoCs

Processes:

tdwirz.exe

pid process

2492 tdwirz.exe
2492 tdwirz.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

tdwirz.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" tdwirz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2492	tdwirz.exe
1964	tdwirz.exe

pid	process
2492	tdwirz.exe
2492	tdwirz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tdwirz.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in Program Files directory 64 IoCs

Processes:

tdwirz.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	tdwirz.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	tdwirz.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	tdwirz.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	tdwirz.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	tdwirz.exe

Drops file in Windows directory 1 IoCs

Processes:

tdwirz.exe

description ioc process

File opened for modification C:\Windows\svchost.com tdwirz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

tdwirz.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" tdwirz.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2636 powershell.exe
2100 powershell.exe
2528 powershell.exe
2952 powershell.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	tdwirz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tdwirz.exe

pid	process
2636	powershell.exe
2100	powershell.exe
2528	powershell.exe
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exeWScript.exe

description	pid	process
Token: SeDebugPrivilege	1472	XClient.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1472	XClient.exe
Token: 33	1996	WScript.exe
Token: SeIncBasePriorityPrivilege	1996	WScript.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

XClient.exetdwirz.exetdwirz.exe

description	pid	process	target process
PID 1472 wrote to memory of 2636	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2636	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2636	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2100	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2100	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2100	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2528	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2528	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2528	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2952	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2952	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2952	1472	XClient.exe	powershell.exe
PID 1472 wrote to memory of 2492	1472	XClient.exe	tdwirz.exe
PID 1472 wrote to memory of 2492	1472	XClient.exe	tdwirz.exe
PID 1472 wrote to memory of 2492	1472	XClient.exe	tdwirz.exe
PID 1472 wrote to memory of 2492	1472	XClient.exe	tdwirz.exe
PID 2492 wrote to memory of 1964	2492	tdwirz.exe	tdwirz.exe
PID 2492 wrote to memory of 1964	2492	tdwirz.exe	tdwirz.exe
PID 2492 wrote to memory of 1964	2492	tdwirz.exe	tdwirz.exe
PID 2492 wrote to memory of 1964	2492	tdwirz.exe	tdwirz.exe
PID 1964 wrote to memory of 1996	1964	tdwirz.exe	WScript.exe
PID 1964 wrote to memory of 1996	1964	tdwirz.exe	WScript.exe
PID 1964 wrote to memory of 1996	1964	tdwirz.exe	WScript.exe
PID 1964 wrote to memory of 1996	1964	tdwirz.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System32.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Users\Admin\AppData\Local\Temp\tdwirz.exe
"C:\Users\Admin\AppData\Local\Temp\tdwirz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\tdwirz.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\tdwirz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS
Filesize
168B

MD5
2b56784f8f16a689b305a1c768f28689

SHA1
e81ce025337ff3ebfc8bc48d43d360345a18688f

SHA256
dcd7fe09e32ec3a9fd356f12ded8e3f2ae520a99c8dc996b48dc98a39d68a077

SHA512
d0134e11bea5809b966cae3cc60828e557d6acddab890e56c0e22bed7c4facda582f77dd00a7ccb6da66200cc610ba9bd4423dcf33075f3b2b18434f219bbd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\prj_13626871_c66985d209c8197ecce4f5ce7899b49d_1656581581.mp3
Filesize
83KB

MD5
4843241a72238329e13f2497733fd70c

SHA1
c6b6fcc361bbcf17e9d05868deec5700b9e1d048

SHA256
3c6de7e0e9b3781a9bbf710553efaacbd61afd486034a1a633e571fdb02f4348

SHA512
f302d7b69c6a9eced6770ca2e6da3119c3bdf9c2a6a90657814cf0b5ddc52f3c336a4c5e45152443bb6d6f3fa777e3d99c82a3c090c6fa5b4b377f5aa0e1ba20

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdwirz.exe
Filesize
436KB

MD5
f6509de53c3061e0e0e1229fe2f8c7a0

SHA1
9305d1ba855b9749c0bb3065906217ef87f62af0

SHA256
3af0e7b7c901d425a55597ab9aeb6046f1e236109e5700be08061b2542c0e994

SHA512
0488e977d9b2bedafaad80084a085155785725e94008d3d08cc676ca272bdf2db842177c5a8dbc234dfa02105b2973ff538bf0d5cbf995c77764aa7a04d50e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dbba3b9aeb4f1dc5a694dd38162879ce

SHA1
cf185f960508a2ec838aa0317ce359a142b6f321

SHA256
b66b327021fdec1f86ac2ef9d6b772b4a2d5cc32dfc9914d6107cd10f9eae84d

SHA512
7a0e9b6edddd5d0d4f80c4091b5b3999e4dcc54fe04e403f38389aa476e22c9ef391d1959ea3da17868292e940e7c48feef86d8b383fae352ac5b37781b05ac6

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\tdwirz.exe
Filesize
396KB

MD5
a703c3b8a39537ce9be339bbc7339a45

SHA1
10354130b42e12c39eb6f3ce95b8368f581ef71b

SHA256
fce41ec4380d80f04eea4f2bb4ed9734c0ed31fb85c8897c0e299fbc0de41f60

SHA512
f73d2daaf572028655e4168834af7fb5477af4748f99845db314c57ab3a08c16d64bd2c5489f5c84ac3b0dcd16ec414284b5994091c3e44929fc7e923d26cb07

Download Submit
memory/1472-2-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1472-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/1472-1-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/1472-33-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/1472-34-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1472-35-0x000000001A840000-0x000000001A84C000-memory.dmp

Filesize
48KB

Download
memory/2100-16-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2100-15-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2492-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-9-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2636-8-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2636-7-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads