ploutus | 8b097b6ebfe177d49434f4d632ce912792d52c149f431dd51c8e8631110abefa

General

Target

66f0d151d9994cc5811c746d48265e60N.exe
Size

3.2MB
MD5

66f0d151d9994cc5811c746d48265e60
SHA1

455ad3c941653dbfd4b0727527d67344dcf96865
SHA256

8b097b6ebfe177d49434f4d632ce912792d52c149f431dd51c8e8631110abefa
SHA512

f54b4a99782fda97530d79fb48776d8b3641d530c31c0fd2ac327ba6fbaf899bb3d39cc3b57a1973b63596ea59b1ddec8999f03705b0fd2ccac3f5b627f23bfe
SSDEEP

49152:t5NbfJJb4/WGdvbKJJb4/WGBJJb4/WGwJJb4/WGA0wr+jTZtaZ3Otfj7UCLiJJes:1XbbG5mbbGVbbGobbGABr+dCe6GU

Score

10^/10

ploutus atm backdoor discovery evasion persistence

Malware Config

Signatures

Detected Ploutus loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\66f0d151d9994cc5811c746d48265e60n.exe	family_ploutus

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus
Executes dropped EXE 6 IoCs

Processes:

66f0d151d9994cc5811c746d48265e60n.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2720 66f0d151d9994cc5811c746d48265e60n.exe
4848 icsys.icn.exe
4420 explorer.exe
3848 spoolsv.exe
2972 svchost.exe
2184 spoolsv.exe

pid	process
2720	66f0d151d9994cc5811c746d48265e60n.exe
4848	icsys.icn.exe
4420	explorer.exe
3848	spoolsv.exe
2972	svchost.exe
2184	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exe66f0d151d9994cc5811c746d48265e60N.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	66f0d151d9994cc5811c746d48265e60N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exe66f0d151d9994cc5811c746d48265e60N.exe66f0d151d9994cc5811c746d48265e60n.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66f0d151d9994cc5811c746d48265e60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66f0d151d9994cc5811c746d48265e60n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

66f0d151d9994cc5811c746d48265e60n.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	66f0d151d9994cc5811c746d48265e60n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	66f0d151d9994cc5811c746d48265e60n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	66f0d151d9994cc5811c746d48265e60n.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

66f0d151d9994cc5811c746d48265e60N.exeicsys.icn.exe

pid	process
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4848	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4420 explorer.exe
2972 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

66f0d151d9994cc5811c746d48265e60n.exe

pid process

2720 66f0d151d9994cc5811c746d48265e60n.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

66f0d151d9994cc5811c746d48265e60n.exe

pid process

2720 66f0d151d9994cc5811c746d48265e60n.exe

pid	process
4420	explorer.exe
2972	svchost.exe

pid	process
2720	66f0d151d9994cc5811c746d48265e60n.exe

pid	process
2720	66f0d151d9994cc5811c746d48265e60n.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

66f0d151d9994cc5811c746d48265e60N.exe66f0d151d9994cc5811c746d48265e60n.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2432	66f0d151d9994cc5811c746d48265e60N.exe
2432	66f0d151d9994cc5811c746d48265e60N.exe
2720	66f0d151d9994cc5811c746d48265e60n.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
4420	explorer.exe
4420	explorer.exe
3848	spoolsv.exe
3848	spoolsv.exe
2972	svchost.exe
2972	svchost.exe
2184	spoolsv.exe
2184	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

66f0d151d9994cc5811c746d48265e60N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2432 wrote to memory of 2720	2432	66f0d151d9994cc5811c746d48265e60N.exe	66f0d151d9994cc5811c746d48265e60n.exe
PID 2432 wrote to memory of 2720	2432	66f0d151d9994cc5811c746d48265e60N.exe	66f0d151d9994cc5811c746d48265e60n.exe
PID 2432 wrote to memory of 2720	2432	66f0d151d9994cc5811c746d48265e60N.exe	66f0d151d9994cc5811c746d48265e60n.exe
PID 2432 wrote to memory of 4848	2432	66f0d151d9994cc5811c746d48265e60N.exe	icsys.icn.exe
PID 2432 wrote to memory of 4848	2432	66f0d151d9994cc5811c746d48265e60N.exe	icsys.icn.exe
PID 2432 wrote to memory of 4848	2432	66f0d151d9994cc5811c746d48265e60N.exe	icsys.icn.exe
PID 4848 wrote to memory of 4420	4848	icsys.icn.exe	explorer.exe
PID 4848 wrote to memory of 4420	4848	icsys.icn.exe	explorer.exe
PID 4848 wrote to memory of 4420	4848	icsys.icn.exe	explorer.exe
PID 4420 wrote to memory of 3848	4420	explorer.exe	spoolsv.exe
PID 4420 wrote to memory of 3848	4420	explorer.exe	spoolsv.exe
PID 4420 wrote to memory of 3848	4420	explorer.exe	spoolsv.exe
PID 3848 wrote to memory of 2972	3848	spoolsv.exe	svchost.exe
PID 3848 wrote to memory of 2972	3848	spoolsv.exe	svchost.exe
PID 3848 wrote to memory of 2972	3848	spoolsv.exe	svchost.exe
PID 2972 wrote to memory of 2184	2972	svchost.exe	spoolsv.exe
PID 2972 wrote to memory of 2184	2972	svchost.exe	spoolsv.exe
PID 2972 wrote to memory of 2184	2972	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\66f0d151d9994cc5811c746d48265e60N.exe
"C:\Users\Admin\AppData\Local\Temp\66f0d151d9994cc5811c746d48265e60N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

\??\c:\users\admin\appdata\local\temp\66f0d151d9994cc5811c746d48265e60n.exe
c:\users\admin\appdata\local\temp\66f0d151d9994cc5811c746d48265e60n.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X360CE\x360ce.Presets.xml
Filesize
182B

MD5
f135ee37bdc2bee6bf638994e6a94f0b

SHA1
4760b3c9a1bc86f8b57891cedd01ba76a6552e8c

SHA256
5a1e6a26433d1c1d5b72ecf67ca89dba3ef9a35192b23640911bbf232c21b458

SHA512
94346c7cf89c39440635ce876cba9b56571f7c40372a13717b565d202258586714932a3fcafdd6bbf64b91cc4a924b686de3ab9c2f53afcd6b77e801c1f1d785

Download Submit
C:\Users\Admin\AppData\Local\Temp\66f0d151d9994cc5811c746d48265e60n.exe
Filesize
3.1MB

MD5
b6e5bd3c6abd734ac9d66f7dbcdb8409

SHA1
485e46c4dcf4d1274eae63932c024bdf9fc52e34

SHA256
28e424c515f3724c872fc1d5d79709fa9d13e7986c47fb678b90a677a225abf5

SHA512
2e825c315db6761af99385d6be13308bc0f111d024b8a0e9e22d806d54b8312c1864f08799b73ee7b441719fb81d57000cfc5ce7ddc118745ca41226858db67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xinput_Amd64.tmp.dll
Filesize
123KB

MD5
5236623449893c0e1e98fc95f067fcff

SHA1
50b4f1e2340b7c7ad065b2111fc075b2cafe6231

SHA256
301f0d831d95bb5c3b5c57f8a92a35211531b410fcf2bd08927a286b867142a3

SHA512
9b94bddcb5e64bbf3649567f16a828588423873b60858d45c40155f36cc7f95d205f4e9b6cdc8ac2852240fdb6a67d0940c60e4f103cecbf118eae1438019c0c

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
7486da416a6496cd3be4149eb8ec9e92

SHA1
a8489d18fc111692ae8876a4d7a0a59b558f1a4f

SHA256
5464be71ba1c4c704cd09f3f72bda4bf0e8da77303ac476bb8a850938ba75f5e

SHA512
3c74723c343d48904ee56c713cb12cf9b3758776fc400dfef32bf60af9cd5a43afa31d71a950256a0dd0e71dbf3cb52acab24c96ae772d30df009b23ad314ec0

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
2e6baef9ae7870e20c45064147abc8a7

SHA1
94ab5ab24e5c57b103396b1a2e796906e02a995a

SHA256
6fab554124b66e3771863dd771909cf08eb1d3a1dfb9dec97552ee15913a24cd

SHA512
909e32bf2722522b3d1078fab3e87f74a66df732297b0ffd2bab7c5700f85147d96dda7f0c824da5c6121a2287b0122d5ed979712441f04385de34667e139b90

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
d8dabbf73aab1a5cdd025b140646ecbc

SHA1
2dd1f543c29c35469985295e6b64bad3846f8420

SHA256
48c75f01721b7034c76254f4d072b81ffa1da8b93825537c8875a27cf44882ed

SHA512
a22be46d7ad142c9c7efc9cae3628bda134431be0827a1fe7c74384b2c8127382b89da6bd90c6758cb685cd2bcd60fadf5a84b5073a6a522dcc7edfdca446507

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
0a9cf5f75bb93da2275c0aa487fadd2d

SHA1
14d4ddd8d39b2bf50c498fd4a4d7f40c8083bb95

SHA256
75f66514489337a62e1fa77a6c0edd6f715bff56cc3de46af178efef19edf283

SHA512
e7bffb69a1f28a7f4a82097507e466e7328a70eafc61da6fc000ecf3c9598b62975cec10d465d0893f169bbf8402f2dde698cfef6703c1a7907c979abc325e22

Download Submit
memory/2184-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2432-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2432-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-26-0x0000000005DC0000-0x0000000005DEC000-memory.dmp

Filesize
176KB

Download
memory/2720-72-0x0000000007B30000-0x0000000007B50000-memory.dmp

Filesize
128KB

Download
memory/2720-29-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-94-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-28-0x0000000005EA0000-0x0000000005EE4000-memory.dmp

Filesize
272KB

Download
memory/2720-27-0x0000000005E00000-0x0000000005E8E000-memory.dmp

Filesize
568KB

Download
memory/2720-13-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/2720-93-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/2720-12-0x0000000004D90000-0x0000000004DAA000-memory.dmp

Filesize
104KB

Download
memory/2720-9-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/2720-11-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/2720-10-0x0000000000100000-0x0000000000414000-memory.dmp

Filesize
3.1MB

Download
memory/2720-71-0x00000000096F0000-0x0000000009ACA000-memory.dmp

Filesize
3.9MB

Download
memory/2720-30-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/2720-73-0x0000000009AD0000-0x0000000009E24000-memory.dmp

Filesize
3.3MB

Download
memory/2972-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3848-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4848-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4848-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads