limerat | 2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
Size

225KB
MD5

c71d20c012f7b4350c4a934afcd130f2
SHA1

a967ff6228345830899dbeb0a4471a22780ddea7
SHA256

2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3
SHA512

393e51cc49e885095718896e9c5313dc9f8d10d8410f062b051b7ddad06c4518214444df1e91e62adc81a73cb14f27dd3a86eeea8ea1218a1edca9a6f01329f1
SSDEEP

1536:iyfFtVj5LJ0DJ90D97D9uYGnS7XlaOFE56i504iiF/wZHVN:iyfDyRSE8E57/jFWT

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8

Attributes

aes_key
zynova@56070
antivm
false
c2_url
https://pastebin.com/raw/PyH9MBfx
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
true
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Drops startup file 4 IoCs

Processes:

Ethernet.exeEthernet.exec71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exeEthernet.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url	Ethernet.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url	Ethernet.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url	Ethernet.exe

Executes dropped EXE 3 IoCs

Processes:

Ethernet.exeEthernet.exeEthernet.exe

pid process

2980 Ethernet.exe
3060 Ethernet.exe
2604 Ethernet.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com

pid	process
2980	Ethernet.exe
3060	Ethernet.exe
2604	Ethernet.exe

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exeEthernet.exeEthernet.exeEthernet.exe

description	pid	process	target process
PID 2928 set thread context of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2980 set thread context of 2196	2980	Ethernet.exe	RegAsm.exe
PID 3060 set thread context of 1688	3060	Ethernet.exe	RegAsm.exe
PID 2604 set thread context of 2904	2604	Ethernet.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exeRegAsm.exeschtasks.execvtres.exeEthernet.exeRegAsm.exeschtasks.exeEthernet.exeRegAsm.execvtres.exec71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.execsc.execvtres.exeRegAsm.execsc.exeschtasks.exeschtasks.exeEthernet.execsc.execvtres.execsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ethernet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ethernet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ethernet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2604 schtasks.exe

pid	process
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exeEthernet.exeEthernet.exeEthernet.exe

pid	process
2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
2980	Ethernet.exe
2980	Ethernet.exe
3060	Ethernet.exe
3060	Ethernet.exe
2604	Ethernet.exe
2604	Ethernet.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exeRegAsm.exeEthernet.exeEthernet.exeEthernet.exe

description	pid	process
Token: SeDebugPrivilege	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	RegAsm.exe
Token: SeDebugPrivilege	2728	RegAsm.exe
Token: SeDebugPrivilege	2980	Ethernet.exe
Token: SeDebugPrivilege	3060	Ethernet.exe
Token: SeDebugPrivilege	2604	Ethernet.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.execsc.exetaskeng.exeEthernet.execsc.exeEthernet.execsc.exe

description	pid	process	target process
PID 2928 wrote to memory of 2616	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	csc.exe
PID 2928 wrote to memory of 2616	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	csc.exe
PID 2928 wrote to memory of 2616	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	csc.exe
PID 2928 wrote to memory of 2616	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	csc.exe
PID 2616 wrote to memory of 2636	2616	csc.exe	cvtres.exe
PID 2616 wrote to memory of 2636	2616	csc.exe	cvtres.exe
PID 2616 wrote to memory of 2636	2616	csc.exe	cvtres.exe
PID 2616 wrote to memory of 2636	2616	csc.exe	cvtres.exe
PID 2928 wrote to memory of 2656	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2656	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2656	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2656	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2604	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2604	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2604	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2604	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	schtasks.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2928 wrote to memory of 2728	2928	c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 2980	2964	taskeng.exe	Ethernet.exe
PID 2964 wrote to memory of 2980	2964	taskeng.exe	Ethernet.exe
PID 2964 wrote to memory of 2980	2964	taskeng.exe	Ethernet.exe
PID 2964 wrote to memory of 2980	2964	taskeng.exe	Ethernet.exe
PID 2980 wrote to memory of 1540	2980	Ethernet.exe	csc.exe
PID 2980 wrote to memory of 1540	2980	Ethernet.exe	csc.exe
PID 2980 wrote to memory of 1540	2980	Ethernet.exe	csc.exe
PID 2980 wrote to memory of 1540	2980	Ethernet.exe	csc.exe
PID 1540 wrote to memory of 2480	1540	csc.exe	cvtres.exe
PID 1540 wrote to memory of 2480	1540	csc.exe	cvtres.exe
PID 1540 wrote to memory of 2480	1540	csc.exe	cvtres.exe
PID 1540 wrote to memory of 2480	1540	csc.exe	cvtres.exe
PID 2980 wrote to memory of 2280	2980	Ethernet.exe	schtasks.exe
PID 2980 wrote to memory of 2280	2980	Ethernet.exe	schtasks.exe
PID 2980 wrote to memory of 2280	2980	Ethernet.exe	schtasks.exe
PID 2980 wrote to memory of 2280	2980	Ethernet.exe	schtasks.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2980 wrote to memory of 2196	2980	Ethernet.exe	RegAsm.exe
PID 2964 wrote to memory of 3060	2964	taskeng.exe	Ethernet.exe
PID 2964 wrote to memory of 3060	2964	taskeng.exe	Ethernet.exe
PID 2964 wrote to memory of 3060	2964	taskeng.exe	Ethernet.exe
PID 2964 wrote to memory of 3060	2964	taskeng.exe	Ethernet.exe
PID 3060 wrote to memory of 2400	3060	Ethernet.exe	csc.exe
PID 3060 wrote to memory of 2400	3060	Ethernet.exe	csc.exe
PID 3060 wrote to memory of 2400	3060	Ethernet.exe	csc.exe
PID 3060 wrote to memory of 2400	3060	Ethernet.exe	csc.exe
PID 2400 wrote to memory of 2256	2400	csc.exe	cvtres.exe
PID 2400 wrote to memory of 2256	2400	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ajwpppf\1ajwpppf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FE3.tmp" "c:\Users\Admin\AppData\Local\Temp\1ajwpppf\CSC63B7E7C2603D4621A11568963741D17D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /query
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /sc MINUTE /tn Ethernet /MO 1 /tr "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2728

C:\Windows\system32\taskeng.exe
taskeng.exe {2F35909F-E91E-4DE7-A94A-674508635A10} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\global\Ethernet.exe
  C:\Users\Admin\AppData\Roaming\global\Ethernet.exe "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcs1vj0w\gcs1vj0w.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA46A.tmp" "c:\Users\Admin\AppData\Local\Temp\gcs1vj0w\CSC2E35555520E43E49470B6CEA7EEFE9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- C:\Users\Admin\AppData\Roaming\global\Ethernet.exe
  C:\Users\Admin\AppData\Roaming\global\Ethernet.exe "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\prrfja1s\prrfja1s.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E2C.tmp" "c:\Users\Admin\AppData\Local\Temp\prrfja1s\CSCCE5481A742B941569925C51F4295661B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- C:\Users\Admin\AppData\Roaming\global\Ethernet.exe
  C:\Users\Admin\AppData\Roaming\global\Ethernet.exe "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44sagx33\44sagx33.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78A9.tmp" "c:\Users\Admin\AppData\Local\Temp\44sagx33\CSC5822C3A43E124860A08B5D82C32DAC1.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ajwpppf\1ajwpppf.dll

Filesize
8KB

MD5
f896e58a0348eb52e7a9fa5708559112

SHA1
bfce1027a8faf711c4933b2575fdfada4682b9f9

SHA256
8f655bcaa6d29df5691cc8f85dc7a08bb905fb68e6de0e118b7c3f5169701fdc

SHA512
08317432d0df5a5b701decdeae65132cec084b49bd4423ac169b5e8c4b3fcb75884161c5cd8444f11b4bb32b5ac53b49b9d2bc0c485975c1dcc1c47fb73e37c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ajwpppf\1ajwpppf.pdb

Filesize
23KB

MD5
c8ea9e66e309e55159d65e207a934c59

SHA1
f12b7121e1abadcbefb8d5a1058adae71d40a28a

SHA256
f6918d0fc7979e559fd01ab05f702664e34e8577bc386ad6a18c317d902a9c13

SHA512
96a91f809c8138ad92a5b2611b26cb465504a1fb373141ec2e767432b4244f9251ec873ecd866d1ad94ec84092be4e479927fb878bd212f3e9ce3477285a81eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\44sagx33\44sagx33.dll

Filesize
8KB

MD5
fb50af6a69e9a79f1113ef7793068626

SHA1
7ed6bb105ccc62e8c0df56e1ef9cf2ffed12dc41

SHA256
d30fd2488560cef188f699cf94296ee4993fbe3808520bba6ec38c1a644cd643

SHA512
64684877322b1d2035b0ed09f6d15d5dd33091398a6acc9e9b620cca3d7c1df05d3984e65f2b9ad667c651aa99b9c517018431273f94708d8c6b5d8f61663eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\44sagx33\44sagx33.pdb

Filesize
23KB

MD5
0175fab1c451d16323df294529198651

SHA1
3d8b0bad294878f20235deca4fb19e5bcb5ae13f

SHA256
9a3e34e5d2b870806ace066abb40a46adac79cac38c24ce23b3d085b9767cdee

SHA512
1008af596fa5dd7793cc9213d9babc6b7b9f8ef4ed6a72cbc093d64e67000955084e84b915385d4ae12d1e88815961353a56b5f756d5b301c80201c3109f3186

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6FE3.tmp

Filesize
1KB

MD5
29ea1031a306cb560b75c54f989aabc3

SHA1
68bf39cf3f6acac79abd72ba6688eecaaef4bcfd

SHA256
fb4ee19d8b53ac8cdff72523e60c482ad4aafc05f27e84ae9b81823c3403f064

SHA512
b604affc47cabc29a5cc8c87a6e58bdb415804f00dd34bba5c63051b1a3b41d9a3ba65556220971d7bd54521c776567a02e0d55efe5856d334c8a2a5f48b3158

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES78A9.tmp

Filesize
1KB

MD5
0b863e14b3413add2375061cd6ed13e4

SHA1
2d15c82db340917bfc5c768c7d61d419ec5311aa

SHA256
0bfde906aef10196bbcf9272b1a8befb55741276568fae25c83cee7704ef8f1c

SHA512
7633894be554fb3116e52502ff9fd48c1e6ddab01d436269b94888985b610ccff6540ea16be1c3decadd5014e4a04d97b06c5dae8f01f5002bcc30fc89e48e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E2C.tmp

Filesize
1KB

MD5
bac637864525352215a2f6f0634b68bf

SHA1
2bf897fbbb050e86415d2c18ecb864357db70a85

SHA256
a49607590bfd84b1882601917059c21634a3b4ddbbbcf01ac12dbfb2851181bc

SHA512
b2992592eed3db55c8d13e37069cadb8278072da8f9222502ab9fe6020b33f173f8ea2b35d05fb4a27e829a623b5ce2e3295651e7a4ea3d4c2b94dffd3397b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA46A.tmp

Filesize
1KB

MD5
142dd654068b5e700b93fac5a04e1ccc

SHA1
3b707479654b595f516cc03c7d0fbe62af97ddcf

SHA256
e1325bf4b8ee517acbd61dd4e73ada695fa19838cec566b852e608e32fcbe484

SHA512
a2dea8e9e13993b4ca2632310bdfd0decf6f80dff832753e43936372a0c0a28b067e2162093f88e0a62f1c2ee8135006e350bda287066141e9d6b6acafcd9cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcs1vj0w\gcs1vj0w.dll

Filesize
8KB

MD5
4df8a3eb1ab7623c8b4fb4bc93a28883

SHA1
7b82a2232aadb456f211488cc8bf4c6f1fb1144c

SHA256
43732408cf269302228d563fb1c3e16053c01e5206b52382900091eb1e8040c0

SHA512
5a8d891bed30387387139a80ef376b29cf1b7bbc1cd60e9f01cd2669366068a8d1fbfcf4d33d85fc98618125af0ff0b82a5e1908062ed50ac08fc31280736543

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcs1vj0w\gcs1vj0w.pdb

Filesize
23KB

MD5
fb31dd7350ff809de42f0687df7425be

SHA1
777ee288a9b893fecf531441154a0ce81f2107d7

SHA256
529e6bb1f63a59918fed3e9e2fc33381172e2be4a9eb32ea7cec2e3b0d881cf6

SHA512
874c378fe9a0edd39beb7fd30f082a5fe462ac7d608501b484f43b615a4d7d688486c20e9d1628eda1819e1ab53fb3832b7c435a75359ff448e7416d236ad60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\prrfja1s\prrfja1s.dll

Filesize
8KB

MD5
71f67decd6f63203da4daba0bfbf0102

SHA1
c7942317f559176af9648a1dd10ec06d203f12cb

SHA256
542de9656f13567d4be858449a47358d31f9bae261aa95166b3cbf0c336e343c

SHA512
225cc67a4fae2744ee4334fe1ee168ad06f94ea7c310039737e165faa5013907e31ce296841abc5344e378896f720f299c39acc7f1aea69242b7a74d59b0a328

Download Submit
C:\Users\Admin\AppData\Local\Temp\prrfja1s\prrfja1s.pdb

Filesize
23KB

MD5
99b1a6250596af5e28c231143c7d2444

SHA1
3b950f575128dc6c70344c3e674f7e25b4f48713

SHA256
02a16192e1a5636bf90bc76f29a83e0b90cea3e0a820b2595334101163c486b6

SHA512
6166e18cc0f29ca7999e374a9cb8260b1475263936679f7ce5d4eae4cbe935883da7f5b63395439541f2a9328904988e54837385a24336c2f2b79497c716c257

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url

Filesize
84B

MD5
be22ba3f7e580c8a2dd9aa3bad570846

SHA1
d983c8161cf34410bfd6e35a89784f2b12e832c5

SHA256
ced2b040c61dc72e79c4d1a472fe81512cae022e0f15910c6dd111556f4b9b91

SHA512
a3d97ca34915a7db22fd45b3f04e73c184be0b804ff7e18a8e150520638067eebd97c9a3f83057a2c9fa90006f32ccb9d7f0b1ba7827c55f3fd95d427e54f108

Download Submit
C:\Users\Admin\AppData\Roaming\global\Ethernet.exe

Filesize
225KB

MD5
c71d20c012f7b4350c4a934afcd130f2

SHA1
a967ff6228345830899dbeb0a4471a22780ddea7

SHA256
2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3

SHA512
393e51cc49e885095718896e9c5313dc9f8d10d8410f062b051b7ddad06c4518214444df1e91e62adc81a73cb14f27dd3a86eeea8ea1218a1edca9a6f01329f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ajwpppf\1ajwpppf.0.cs

Filesize
9KB

MD5
38ca37eafe03d8f9c9324484795402bf

SHA1
4cc028fd81e7dcdbf9de360b71f0d66259a7a399

SHA256
10272281e324dac2e39caa13af6c447ede6f2a64da9bf2ca47388d693c5f7424

SHA512
3f625b39aa0c83318f8ea30b468497ace4baf1f1bcb77fa3718aa5cbc94a6bbd474163bbc639a4fff9ae1e8a4061709f929d7e4bd265344fb12e6bd0b64a48d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ajwpppf\1ajwpppf.cmdline

Filesize
312B

MD5
58a5282814a957a365835689e92f08a1

SHA1
e694f2eefa94d77f341de751425c51b4eaa8fccf

SHA256
ccfd05c213930283eb80154196cee038c07587a9200e4da6f4ed97f1ea0c6458

SHA512
526b444b81eb0db2fd29b8e8d1cb9ad4c592274b4e93ef8475307041459348763e1736c0722cefc62fc68ccda569bd733c93a987535715cc95083ef6623217c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ajwpppf\CSC63B7E7C2603D4621A11568963741D17D.TMP

Filesize
1KB

MD5
df9a7e23252da263b2f62055d74f7d17

SHA1
9a7dedcaaa611477c12a4d8d0d31dd8ba9b8ad48

SHA256
e07f1ff8b6884e6df951c14df06b4a68003ab4f587eeb09e02cdf84fccda0883

SHA512
f8cb48ef1140dd76c6b33c9df4340075bc6b3a638ed0d9d2c7bf5f62e10c9969fcb0068fa7186c3b0cfb51da55f49f2f7d34b6c8afc6d2104db00e125ceeb983

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\44sagx33\44sagx33.cmdline

Filesize
312B

MD5
b7f7c5b9ab7413d28ea873d44573f80f

SHA1
4c54798fa541dfa706aae16484da65a71a85a0c7

SHA256
8232fbdd3b693221949f32ccc317fff6d01cff62419240f500c8eae151458b7e

SHA512
6eb3ee600687d00b75842096c580e722ff96c92942621361da4e2594a190be6cbb2aebf9746f1bd4f38c90cfb86b53a9bbec1fd5bb88f0b79c8103e045328823

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\44sagx33\CSC5822C3A43E124860A08B5D82C32DAC1.TMP

Filesize
1KB

MD5
e70d6a28d6768c4dea205867495f8ebf

SHA1
4ab30484731c8a910e26ec862feb78332f4867aa

SHA256
b382bec2b0157b4c8aeb44e67e3c265b545f7b4101493ba94b25e0d2029370d2

SHA512
ce33aa4628e127621a8dee859e7023dce978f440b730c5afd452141aab63363fd5160dcde6b3b138a2dc071b227231c300d11f0e66299ca546080ff1b14efd3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcs1vj0w\CSC2E35555520E43E49470B6CEA7EEFE9.TMP

Filesize
1KB

MD5
1c67fa25f430650a98e30bcbeb749a1e

SHA1
456fc0a3d0014fc4563ba6ae300ad0f660e17112

SHA256
135122d6cca34e6b49c29b9eed04c2b846fc53c9adeeeeb41bed743d284cce99

SHA512
26abc26c5eeca8be2b491777c58635e3a59c8e5d3f43d470caa3801bffc87a6af2d9e5a2d5f5816f99e1ba606768197c9ecf72cfa97778a33a8649c19b187839

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcs1vj0w\gcs1vj0w.cmdline

Filesize
312B

MD5
aee676462db5cd35a8ff47a3ef4e130f

SHA1
3d08bf1a8c56d436a8d8211be06c7cd42ffb356c

SHA256
020b5cefcbf5cc8d238606066f4f9b1e7e2ba7b34325e6ab7324cb27571aa63b

SHA512
4e8b913d5f319985989ae54c2e3ab7b4d04949e3bb9ae4bf9fdab97ca03af2a32ac7d036014b0dba6bfe36c7ff7b0de18208c10255aade225d4f2e44b89057f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\prrfja1s\CSCCE5481A742B941569925C51F4295661B.TMP

Filesize
1KB

MD5
1853adeb6cc7a70b1b0969fbe26e9390

SHA1
be3ada218c31265907109c3264e905024ef1b780

SHA256
439a586281e6cedc082cac79f7d8f67ffb165fde3d8292f7ccd9a29f97057a9b

SHA512
34b150205bb2f6c87b958c361cc9631e861a3344c483aa1a1425cecb948bd15bbf594399e251c18fe7f25bc8e1049048f188ea5f8459140e3bdd1c1f74a4be2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\prrfja1s\prrfja1s.cmdline

Filesize
312B

MD5
7d3b726a9147e99199e7f9f3c75928ee

SHA1
0f5b8688016b2ca91161aed298a231c049624cf5

SHA256
05442c1dd66ce4a63c2a37afe7f9bb7c9e20c245428dc07bb03a95698a7ecbdd

SHA512
5d4a05204f6df42ff7b59802420d01510f358cff01d2f573e475282b54ddaffce31c1b5757c85a87f79d1acce6503e71ad6f747c6335a64d6e66402a026b27db

Download Submit
memory/2196-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-111-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2728-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2728-32-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2728-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2728-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2728-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2728-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2928-24-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2928-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2928-21-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2928-20-0x0000000000410000-0x0000000000428000-memory.dmp

Filesize
96KB

Download
memory/2928-18-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2928-35-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-3-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-2-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2928-1-0x0000000000A60000-0x0000000000A86000-memory.dmp

Filesize
152KB

Download
memory/2980-38-0x0000000000DF0000-0x0000000000E16000-memory.dmp

Filesize
152KB

Download
memory/2980-53-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/3060-82-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download