zeppelin | f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

Resubmissions

08/06/2024, 15:19 UTC

240608-sqmvesch2s 10

06/11/2020, 15:33 UTC

201106-nz68d98cw2 10

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 15:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
Size

212KB
MD5

723825ad69a5d55a1e5ed3d1ee831f0d
SHA1

7e082df63c3de0f8bf9d38edf72ba5268078275a
SHA256

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
SHA512

dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
SSDEEP

6144:tia1gMH2EXtAup5Qnqn64DQFu/U3buRKlemZ9DnGAe+hsO6a+8:tIMHxGe5Qb4DQFu/U3buRKlemZ9DnGAb

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173b4-67.dat	family_zeppelin
behavioral1/memory/2176-74-0x0000000000920000-0x0000000000A60000-memory.dmp	family_zeppelin
behavioral1/memory/2620-185-0x00000000008A0000-0x00000000009E0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Executes dropped EXE 1 IoCs

pid	Process
2620	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
2176	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	iplogger.org
21	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2620	2176	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe	28
PID 2176 wrote to memory of 2620	2176	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe	28
PID 2176 wrote to memory of 2620	2176	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe	28
PID 2176 wrote to memory of 2620	2176	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe	28

C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
"C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  PID:2620

Network

DNS

geoiptool.com

explorer.exe

Remote address:

8.8.8.8:53

Request

geoiptool.com

IN A

Response

geoiptool.com

IN A

172.67.207.3

geoiptool.com

IN A

104.21.50.146
GET

http://geoiptool.com/

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Remote address:

172.67.207.3:80

Request

GET / HTTP/1.1
Host: geoiptool.com

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 08 Jun 2024 15:20:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.geodatatool.com/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2BT7JxsR1elSh%2BouIqtENwRGVA3UEnvn8N8VdhBHG%2BGUdL%2Fy1oo0TCiv6IFbJG1Q7yPoA2rQPAha4kebUdBFA6T8LL8G5Ak%2BJMXyy0%2FKnvg3K3bsN0tfSYLfh%2BwNP%2Fwv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909ddee0c0c418f-LHR
alt-svc: h3=":443"; ma=86400
DNS

www.geodatatool.com

explorer.exe

Remote address:

8.8.8.8:53

Request

www.geodatatool.com

IN A

Response

www.geodatatool.com

IN A

158.69.65.151
DNS

crl.usertrust.com

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Remote address:

8.8.8.8:53

Request

crl.usertrust.com

IN A

Response

crl.usertrust.com

IN CNAME

crl.comodoca.com.cdn.cloudflare.net

crl.comodoca.com.cdn.cloudflare.net

IN A

172.64.149.23

crl.comodoca.com.cdn.cloudflare.net

IN A

104.18.38.233
GET

http://crl.usertrust.com/GoGetSSLRSADVCA.crl

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Remote address:

172.64.149.23:80

Request

GET /GoGetSSLRSADVCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.usertrust.com

Response

HTTP/1.1 200 OK

Date: Sat, 08 Jun 2024 15:20:38 GMT
Content-Type: application/pkix-crl
Content-Length: 147734
Connection: keep-alive
Last-Modified: Sat, 08 Jun 2024 06:29:38 GMT
Expires: Sat, 15 Jun 2024 06:29:38 GMT
Etag: "c31d1841e1f555b1f7b475368e2d515fa7753324"
Cache-Control: max-age=603456,s-maxage=3600,public,no-transform,must-revalidate
X-CCACDN-Proxy-ID: mcdpinlb3
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: HIT
Age: 1523
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 8909ddf5ea4d63f6-LHR
GET

http://geoiptool.com/

explorer.exe

Remote address:

172.67.207.3:80

Request

GET / HTTP/1.1
Host: geoiptool.com

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 08 Jun 2024 15:20:39 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.geodatatool.com/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q511SoaQEs0bf2gCm4wrWytkMHW8plwPDVntNSQ1u0GcKe3gM1J2Mm3rRRTBpPfiMfi1WgcPZmnjPKrWzKak0Q3mE0hK8XQDd6MOZG63lT5xAFPrXhQYRd7pDsL%2B6jfG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909ddfc0ec86325-LHR
alt-svc: h3=":443"; ma=86400
DNS

iplogger.org

explorer.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

104.21.4.208

iplogger.org

IN A

172.67.132.113
GET

http://iplogger.org/1VBct7

explorer.exe

Remote address:

104.21.4.208:80

Request

GET /1VBct7 HTTP/1.1
Host: iplogger.org
User-Agent: ZEPPELIN
Referer: 9F2-A7D-213

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 08 Jun 2024 15:20:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://iplogger.org/1VBct7#80
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TFNVEf%2BoC5ivzvJgLC8ehYrQzZ9Ol7A6TO7r39NFwaFMCHyraHNLtyAP8Bxhgacjkd3gUp2s9%2F3yldB1lcIccEq6iMCp30KkwTJINa5Z6cTTZiIXMpaTeUHjq0gUDJI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909de0fbba97324-LHR
alt-svc: h3=":443"; ma=86400
GET

https://iplogger.org/1VBct7

explorer.exe

Remote address:

104.21.4.208:443

Request

GET /1VBct7 HTTP/1.1
Connection: Keep-Alive
User-Agent: ZEPPELIN
Referer: 9F2-A7D-213
Host: iplogger.org

Response

HTTP/1.1 200 OK

Date: Sat, 08 Jun 2024 15:20:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.42531585693359375
expires: Sat, 08 Jun 2024 15:20:43 +0000
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8KrTXgCn7hlEIplYxA5fq23uIJqkZbzG1yBuo5HLsMMNghZDYPBoXwB%2BU%2F9T8S19Nl1fJMZ5hdks7RQ1Oy53E1nWicG%2B3wf9JsCBOdEpuHdNykfCDrfHT14XH9ovW08%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909de14fccb48ce-LHR
alt-svc: h3=":443"; ma=86400
DNS

apps.identrust.com

explorer.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

2.17.107.235

a1952.dscq.akamai.net

IN A

2.17.107.226
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

explorer.exe

Remote address:

2.17.107.235:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Sat, 08 Jun 2024 16:20:42 GMT
Date: Sat, 08 Jun 2024 15:20:42 GMT
Connection: keep-alive
DNS

x2.c.lencr.org

explorer.exe

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

104.90.25.32
GET

http://x2.c.lencr.org/

explorer.exe

Remote address:

104.90.25.32:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
ETag: "65ca969f-12b"
Cache-Control: max-age=3600
Expires: Sat, 08 Jun 2024 16:20:43 GMT
Date: Sat, 08 Jun 2024 15:20:43 GMT
Content-Length: 299
Connection: keep-alive

172.67.207.3:80

http://geoiptool.com/

http

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

269 B
990 B
5
4

HTTP Request

GET http://geoiptool.com/

HTTP Response

301
158.69.65.151:443

www.geodatatool.com

tls

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

988 B
5.2kB
10
9
172.64.149.23:80

http://crl.usertrust.com/GoGetSSLRSADVCA.crl

http

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

2.9kB
152.8kB
60
113

HTTP Request

GET http://crl.usertrust.com/GoGetSSLRSADVCA.crl

HTTP Response

200
172.67.207.3:80

http://geoiptool.com/

http

explorer.exe

219 B
972 B
4
4

HTTP Request

GET http://geoiptool.com/

HTTP Response

301
158.69.65.151:443

www.geodatatool.com

tls

explorer.exe

890 B
5.0kB
8
8
104.21.4.208:80

http://iplogger.org/1VBct7

http

explorer.exe

272 B
1.0kB
4
4

HTTP Request

GET http://iplogger.org/1VBct7

HTTP Response

301
104.21.4.208:443

https://iplogger.org/1VBct7

tls, http

explorer.exe

1.1kB
14.8kB
14
18

HTTP Request

GET https://iplogger.org/1VBct7

HTTP Response

200
2.17.107.235:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

explorer.exe

323 B
1.6kB
4
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
104.90.25.32:80

http://x2.c.lencr.org/

http

explorer.exe

350 B
1.3kB
5
4

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200

8.8.8.8:53

geoiptool.com

dns

explorer.exe

59 B
91 B
1
1

DNS Request

geoiptool.com

DNS Response

172.67.207.3

104.21.50.146
8.8.8.8:53

www.geodatatool.com

dns

explorer.exe

65 B
81 B
1
1

DNS Request

www.geodatatool.com

DNS Response

158.69.65.151
8.8.8.8:53

crl.usertrust.com

dns

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

63 B
144 B
1
1

DNS Request

crl.usertrust.com

DNS Response

172.64.149.23

104.18.38.233
8.8.8.8:53

iplogger.org

dns

explorer.exe

58 B
90 B
1
1

DNS Request

iplogger.org

DNS Response

104.21.4.208

172.67.132.113
8.8.8.8:53

apps.identrust.com

dns

explorer.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

2.17.107.235

2.17.107.226
8.8.8.8:53

x2.c.lencr.org

dns

explorer.exe

60 B
165 B
1
1

DNS Request

x2.c.lencr.org

DNS Response

104.90.25.32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
6bfced3d108f9e5aa027f414cfe238e0

SHA1
8a2ed4d19bd317e6ee0e7d25facd84955d1f5eb8

SHA256
0b38c2b473c1e02da927633233632da350f216e558cffdcd8da705d6d376ef9a

SHA512
0599eebdb98cad52c6087a081449477f38c62cb76fa2bc60797574c329769063dff6f7ccbb8912bfe95467c4fe361a64fba86e0861bc401f36c364ac0ae660c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4

Filesize
144KB

MD5
66b6a26fc52329aef1228a78776ad59e

SHA1
c31d1841e1f555b1f7b475368e2d515fa7753324

SHA256
bb9b8cccfaf1896caf4533e139bf9e8278f3451b20f3244e4a540f45432c8166

SHA512
b834697654cedf2a59b2eb1ebd9f5f98c4c42c48359f051d969235e148a5f32b7ecc5073dec72b880328714c5445e7da3053596fb6b8db0cf1118f59f96978be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
4364933eb6dd73008e0616e0cf50c1d1

SHA1
d3c132bc1398039890f604587533015045dc3733

SHA256
de15c1206295e29c2f646e44c26be75afe8e9ddc121f0a12c5097f2546f2e9ac

SHA512
63372c5abfe5066a4365184a1d5af1716b8296ac3630cde403ec0f86e8df59014d3f9facee4fb9c0fe87baa9202466984575f3acf436e00b3ee3830adb78c51f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
30fa59ff4f34e906bf9b0557d9c7ee9c

SHA1
eb803597de04a1bd0aeae78ba5dfa412d4afe78c

SHA256
75ecac175056a7ab6e4ac5f52f85bb46f5ace26f4907eba54b09d5ed21160340

SHA512
e077f2455db9813834aaf3ec8e6dfe16de5d1abbbad33252b3ad7ab5673dac1a2c2f5b1f708b55b36e93ca1456874789648f469d6be90a19222db4f2962f17e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
402B

MD5
1c1ab687bd51604c26c2d3b35be9bda0

SHA1
dc75871cbe5d16db1e652a89e4165e9cfb1085d9

SHA256
689200d25bb2149788ecf01edb604d4bc9e2dfa3e0163924787e921ea9502b29

SHA512
e9833379987831cd4209d6644c5e6421f1ff5f5c826406533fc7b73030a4c34e4822c1dee403b40a340594b1d4d9d7009b06d2dab4d54a32eacd4fd3e5a44d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
590165b17430f1efebc1157c1e7a3ac3

SHA1
588fd1ef909456f2d5608ad36d2060d5c88d43cf

SHA256
cb8bfd0f771071604dd76d14c5214eecbce95d8e9d95363b062467d66138beff

SHA512
feb73d54d1fc77512bace5b3b2ca171cd83be70a99063bd8e6bdca5c4658acfa7556e87fca59abb5ada2f2e09f55b689845b299e5c62aa9aa82a76b6b87347ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4

Filesize
292B

MD5
2cbc1a8c14cf44ab96d0ac889ea120c6

SHA1
40aac26cbb5c77cc4721452ed8d306ae22ab308a

SHA256
6eda81c2fdf8a460b29884c0b4ea61ce265e9f99c995a90228c84f042d1645c9

SHA512
fcb7801d9ad8ce53db9faff70c1d679c9efcf82e031dcfe54e471bf8d1a146496bd0b4dd8f0537ed47c3d8195366e6c9f8274dafbb2b2868edff1c1ade605f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
5ef7d0ef35aad36423c4623b629dd75e

SHA1
a902d1b40aafcf251933e1aaa6e68c7548f83d17

SHA256
9b5833421a1c38f172b6cda066e731925278d014544b4e1608c2dc47620a2048

SHA512
1d3c41c39022fb703bb840ccc83c47f9c1271f4962d49328a18a6f8e699ab0c131dbf43cef9880c8db1c2784916ad8cc3f1361020d19d61bef56623d252167b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\KS9K7IGG.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FBF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
212KB

MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
memory/2176-74-0x0000000000920000-0x0000000000A60000-memory.dmp

Filesize
1.2MB

Download
memory/2620-185-0x00000000008A0000-0x00000000009E0000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.