9bdef866d31871bc5806c3317771620dceaf4f698358120edb7defce731faa80

Analysis

max time kernel
119s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe
Size

16.2MB
MD5

9c2ea1daf35022f28c5e15419acc2c4f
SHA1

55a795e709e4c11019e7c175c4c699c98bce60dd
SHA256

9bdef866d31871bc5806c3317771620dceaf4f698358120edb7defce731faa80
SHA512

1f71114181b5d71c8db6eba96c49a7ae743692887efabc80e144a47d17b1d062555e07710bad929340055d7febce7af90d47c0cbe5d86efe81a60afd8501b7e4
SSDEEP

393216:kMhF6kmfSLwAVaUnQXZ8aA1dJPAhYOcY9Kwp:kMHFnQiLJUt7

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50354a116cfeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39295C41-6A5F-11EF-B439-523A95B0E536} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000003b2a82581e8b02bd23960e812981643cebdb2fb26c490b0085055e7c18b8a77c000000000e80000000020000200000004f622420e9f0279b8621450498f62ce8c308c9e488cb04bd4c5bb55b6639f64c20000000e9b69baf5c345cf434d38bbf7b460b7bb4123339b123ceddf1505edaf321e76b40000000fa2253876160762ed262e11518b70d864fcdd3fe9ae2b2437592aa2eafd7f4232c7b0332aa5a144e40605bc99c616911d7f82c6e813cd4137a808a1eff0e4af3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431576136"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000dc972b90234d8ad4f34b575774583172b39971436fbf2b7315a53218a1992a43000000000e8000000002000020000000a67e4789001998e5e8e0b7ee4d7df1c370b353dea35dd5a245510f0a0252784190000000548e4bf0c0e434cc1e093d05c45a3789ff513a712887913c7c459687a1d9fa33109dc7c60d59fbca99b0b8423bc5801d3f434d549aa4502fe3acecff55b605b065d98be76470bdf879ade0a6c1209e174db05e6bc3f7249619bada546165a4c1ebefb9b7314e373d9ab439d22dca4630446b2c558439c9f41e0950c94961785a00c912174c14e09112ee211f772c55cb40000000094c8db72f7f3a1be776917c19c3ed3b00bd75eea2faa8f1453dbf24047a8a4606992057069e4b718e26e45e4af5537fbee545206818b93f0f632db7cae597a6	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2156	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe
2156	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe
2636	iexplore.exe
2636	iexplore.exe
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2636	2156	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe	31
PID 2156 wrote to memory of 2636	2156	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe	31
PID 2156 wrote to memory of 2636	2156	2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe	31
PID 2636 wrote to memory of 2832	2636	iexplore.exe	32
PID 2636 wrote to memory of 2832	2636	iexplore.exe	32
PID 2636 wrote to memory of 2832	2636	iexplore.exe	32
PID 2636 wrote to memory of 2832	2636	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_9c2ea1daf35022f28c5e15419acc2c4f_poet-rat_ryuk.exe"
1⤵
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.hamrick.com/vuescan/supported-scanners.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ae4e11441d89a0187d10708f4bfb911

SHA1
dfa027695099c3a04aaeb061df492e75ec573df7

SHA256
55009b60cf1164b8b7a9b3dbc23daf85f374dde9f1f0817d448a06a3e048da0d

SHA512
98ead7fcd542d4f7f6f66d700689b24dc704071fb959b44635043b2cdc82b7a5e0534f758458325068adb4ff077f94d1652a1881cecb77437fec1e1d5acab330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c74edfd436b9d0a9984d4da33a95de7

SHA1
1c9a6476d0650a07fd51ef93f305790dcd22af6d

SHA256
2dcb6d8df1cd4b90c47de6612573565f1680f7504b92d771782896f99c40df69

SHA512
60caadddc4cdb1764627160fcd3bc5bc885b0c10df8e8af9f4566f591a020a864d46d3b55a90b33c55ecbaa3622f6c804be741eeb1f69517125e6ddeca33b65d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
331517c06930fd8b079ef48bfc42bff3

SHA1
11dde6be0c384c2ff5a760184fabd9fccd850542

SHA256
ca61b1212551637997263ae39a2039fc86d4ea61986a49b352fc4b4a7ecd81a1

SHA512
ba8677d9d3cf779ac80d754f3b94063e54db033355d48ac820e5a116bb15ae25d2b4163051ac719caa58fbc86832fbe8bfceaa2857ab3c8d604af6ef21852d59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8284e1c6a6f2570e7f6bda94676b56d

SHA1
438d9b4161277b6fd90fef19306e9d398f7b27d5

SHA256
1bdb14ba2b7abeba94e0ee2b96882972ecaf7094f741b42635d12bbaec9e854c

SHA512
47973978e9dee6da19f400bff3f3f13d71e9ac43b4a3ec018ec58ad8cbd66ece4bd2a0365ef93eacae3785ec8bbb7bc126b1d4ea355257ab5d3ed0d1ec40d14f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5688aea2c7178a9ebdd1cbbca8a957a0

SHA1
b75f620169513266509923100a1cdaa5fcfb82c9

SHA256
51061dea61712e47777c3e71400f817df5c0dad9f6ac73aee9f1caad4c8dec2e

SHA512
0b9454f61a4ee856f9a3322a09f81f0c086f48ea421fc768445bb908a4dc4c783e782fea7668835268738c4be648ee57343beeb1d2446ea5cecb1850abeede2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73715d38f667e09d1c1de526ce4d3af8

SHA1
010d7b54b133243165c69174f40a19395b8b97c3

SHA256
483440f772129f637b5541970a5cd9ce0cd888a669c9f04c5979213d76fa3d7d

SHA512
5cbdb86213bd63c77613f4ddf141ccbb6a232e49d0ec8997b90ad7cf1251ec865dc8ed76c02b8a4c4fe54c9e48a5cea2a450c1f31414e21bde63e84f982a5858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48fdb2d880ad63fae494ce8c87c2f68d

SHA1
aeaac53c57e7fc866d61f8bb9b00171892e883a2

SHA256
c3aa94fb798481614e991a8f308db9ab74519152f3c5117dcc6b457e81a79f0f

SHA512
a336a99c157aebf0292ae30d5469d86d0f19973719c6f841921ac11af5899c28135c9f651d4f3599d92b6a1e3bb5c2a77e21909368e0728d00622035c1ea2348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd320dd17ed5ef3d8ae0f07f7fb9698b

SHA1
92ffefdb3f48e9b440e6b56034053ec2b5a1554e

SHA256
da258a3af9c5ac78b6c1c7bc6c851e7470c45e4ca09aca4df6363669ef2c4e94

SHA512
66cda740945a5ae39a674420172978fa9c3109ef529e0988d5b2c70160c97eae282e298eafe53bce7f82fe65096b74b10001416270be176f169f063a39128937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
264e9a28c46992f4dc7b7e64950ec7c4

SHA1
72febb8ef7aa415f6a1a35b72c29941ae76935ce

SHA256
55a7b91b6eddf53cf6815ee254b81ee6049a73e00923debac6a5ffed231a2a72

SHA512
3ce19b811ac93e9011fe5a82c5f2e891e71310b783f9103bfec0016fc68e9c14ee8a40a8049dabfa662a658639d10be06bf2243055178b078706b158c4d38939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
531ec133e4e345ce68baf8deb7a7f9ee

SHA1
1e7dcc7d33709260b6ae8e95fa8e52f4059838a4

SHA256
273b9088fdcec32fc5b10f0e42ed9193302ec21cbc6697c3f503e3d245079ad8

SHA512
49c0d5c6e881ef7b2719bf5d81934f7099f80d364b436a631426fa2caa33a10b0575b6a37952a54bdb18c8a1e6ed35cfc4690f6a2b0410ec61e4e7987db42388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34453ff0102baab3e9feef836bc1d242

SHA1
78f29367a8b6e43aae381cec67891f331706bf78

SHA256
f647fe070084366e4245d0ae67e1b0228a712ee40b5430137ec520583c19890f

SHA512
cd7d73848dde973bf763252265838ef6b93f24929364c21b99b8ceb9990e3e139f3ecf2fd67b39beb51b5bf86362afa4ef761bd562f725f767ce3310b9a30543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0dc735aa95c2bde6db31f290cf80919

SHA1
53d62d23c5d4a499ddacd644fd7e4b543788be2a

SHA256
1126d41c24ea77e8611579c8497a529e2a686914fb0a089be3e08d8aec7f54fb

SHA512
4b281bbbe6c23586824521e693e41c72e333fd3f4b2a1ece85b368ff955cfbcca6d29e1dfe48c6a56424ebab6b3d079bcdc8d73f7b3d7f0a192ba738fd7de47c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aeb68bedf338d94d17d9041aa37fa47b

SHA1
f8a2432e73452e9fe783779f6d36a299abc182ad

SHA256
1b519e92215d345cde252e90c57910de4514eeefe30f5f0a757e2da50f13c208

SHA512
926fa8ba2db5528ef6e31a5dbac469a78240b2e03183e5be2cf2214317b1b44945275002ca01133e070495ad111dd0a52e0b1207ffdafc68e6eb0c03ebef93c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6076665f6ba4f7e48e0bf4534e309bfc

SHA1
6ae5a1c0bf016a1d7e68c36a5304665de0e51cf1

SHA256
70e32b25bc5cc894b8d47ef12e1b000a95ee81b637c2545a32168c38bb88bda2

SHA512
3312cee452d890a5197f615d9ddbd687817acfe46573ba2502b8aaa28a42968d90dabfde03109972d792ee99c0b9ae42cb83975ce65fd58945a054d2aa3ddf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
724796ec4651217ecdf58a12871ab929

SHA1
622d74ea26380c5bc2a5214b6735ec21eb716837

SHA256
1e2f4a3c86e5abcf0a771dea48d59f18e5f76bac3bf7677340159d67b03fd976

SHA512
310f9e0c495304c6680e55fc287aea053d1afd65845758e94355f4cb72cafebfecae2fc7771c412c17bda5d601f1f7a55e3fa899f09bd29876f68ad05ae9fae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4090b17a96104f0d26843cafd1f2c339

SHA1
5f695d8410e3134a64ab701b3c55d41e3b06f93d

SHA256
45489ecbeed9cec2e4878b1a75fe38c118d0cd00e994812007941de6d7440c87

SHA512
06f31d78e54add69fecb5d865db9da8a47c755a98c297489317d3c6dfbfcd62a79f06858d58db6ec92d475417f6dec5ce43594249581c1711c61bb5e4216bae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
565b27e6b1034dc78d0ad0fc3eae5718

SHA1
6e693c4400401fb306c03978b1eea6ae82d9cf93

SHA256
1f50b28e9f38dbfb20ace27289f478ebbedad9fd8eb00ab381ac69ec51683c5c

SHA512
cd6fac3a571b1e0493eef847a3c460d212558c9b97f17e0bca91069576f0bf13c80eb1110343c91d8b6cdcda40a7708cada75153ef34cf648ba7aef70c2ed8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cf86f0ab9d806f98b8ebfae934ec08b

SHA1
092c5351def290084d33813095440ac79df45624

SHA256
925c8fab569ba1c669b329ae415cbf0381af162690c1ed6a24f6baae83fd3a53

SHA512
6f43b72bf998762e0315e6d00b76d5a9b8d55be5dcc8acc86234d0b1d954ca9f10950a517ecdc35fb4998448fa37c1bce60fdae059436079bd856f358ffa4774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b18372638bd6f2a68b743e6b56938876

SHA1
3fb27fb4ffc5064efb24df70f3b9b2cb504d0b56

SHA256
fb7e8cee0bdd178a8db465db6bf57f36c91c86894b00a2315cfcfc98324fcab5

SHA512
1143b5a5d1f390c64ee84564b3e86c05f596b0fb5881794c36753ab7e6354029ae1955329852275c888a8433de265335d043161263db53da24fb6bb0dfab5a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98a8b0f6ef0edaeec1c8ee17bbf75854

SHA1
2a05307d3c1c7a71f52c90e12cdc7ebec1769aa1

SHA256
73644ea834d90f9b7b520025b783db9768c5a10a4403f37142668e158a3b65ef

SHA512
5510071e771022961ee8bca96b19a61c6cb52a1ab42a085937f79d1414505326e318bf7000def391d5701f92c2f04415c71e4f56f2cc93ace42857b9abb49589

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b6ecbde33adcf72c68438531b16381b

SHA1
90f95c8ee6da1a13cb62db4fe066b30d6cc74cf3

SHA256
44fd519f0094546fac618b5adc01955807a7f276e33f0dae2a51bcb8ab3ee5dc

SHA512
0c1c394369173191f68a30018d98f5cbeb73a28f3c68e4c3c2561170d0aed1fa6cb52a621de82a736c05a9c0080f1546047cf84eea8a4ffa2c634d082a92317b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
174bfa4c41cba7ae0b673f5992631309

SHA1
47ee3ee4a12f6fa66f9ec9dbb96addf2d4cc55c0

SHA256
a436d816b20fb00764d9baf442850a6499c3ec44fcf033c1790a727afb40ab73

SHA512
73fff95900e3bb0e53a976448d53052f86de7e8fa8a9554f66777cb5b019a64011442c39803deecbf5a6ca5349765aee01e978d70fb8fac58ffaa01306bb6536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaa50272bf78c9125fba1f157dccaa67

SHA1
0adf39293e2f6f34a4805f18afc8bcc611d63d62

SHA256
8c7b9f51fb90fb2f809363c770ce95b1567498dc4de4492b69631c989e3274e7

SHA512
f40922850297ac42e36decad468d0d77fa9d85dd9b66e1cf1b277baea0b31b81e0cab155df9bedcb9251931e5fc72eb6e9080e039253bf062783625e0662eb77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b125e808ef57308d5db01400a7abdfd0

SHA1
f7a449d7f13c04b23840718989556ca31c189cac

SHA256
37e934fb00c0ebb0962d333f33bdd850eb87f835ac9697d68d33695f58a851ec

SHA512
83f6a936127802318fccab1dd75c2b11fdea18d2a7b5edfaf67df358e5fc28d96d05b44064cf0e9f73cd05b01b2560c08ba489dc64ee950da179b15ebf3398f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f386d154dfa29ebacb2c1d938cefc335

SHA1
d2621b5b7a9d7e14cfd90aa5c856cadaf6b8a0d3

SHA256
04e8f8c4f22c145dc226610ab3c0818b0243b3096060d0fd5442b01a74efbe44

SHA512
8adb7db182f2305cef63630bd833ec5b8da4bda67b9428cb23ba344f7ed4f8ed8fb390e0976383bbb398810243b425d00d6050f50d65f97c7652ac33bf171fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1adaa0948a0354fb7ac950725ed3cb4

SHA1
af88b31153627aafb66e74f04e3240f295112485

SHA256
d0d008a2fea99c22e5ffead19cb569efd9e99a45717adb3730e86392fb1865a2

SHA512
a2221d3bad3ff3f95ab824eb276c5e668187b8428d176b3c4939ca4e1f7f2f52e74f48773345f4bdadeda6692b1a7f53c8ecb26742cd254b7b05254e9076b4aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0461b664f0cdffbf277ed8161549b7a

SHA1
c24c475ab42bce0c220c504d891fa0c3ba59b671

SHA256
d1a414a486d71ef021b81a6ec9af5ae32d080cfd2da414983e2087cf59d611c8

SHA512
3cb4fcb39dffcf9063bf13e7d930d12593c66e1921b0b3cbad582a6fa4024efc587aaaf70b55eed696d71b4edfb5095d1bdee82988798c4f0cf77cc334733ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcf98c0ef1a5d7fa384580d70b0eb3f0

SHA1
10fdd7a6c2225451e98fc62f0f786dbabd9ddaf0

SHA256
9859e709fef383b2ac1230ec934e7dc322385e2f6c62c2ddee5a2a902568e2fe

SHA512
17b383be50301aa823f3168586a58b1ef2d095aa7d1d097a84c5c8d0d539e557dabbb4ec3ba6aa23311c3eb333dc5aef183d42d09c38d1127b720191a6743b50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b363f70a2808442bd905ffc122a2006

SHA1
01e2a7f9a9c7c985384233bcfa35e8188dbc56b9

SHA256
7cd19a6a1b85586f1981cb9556d2501e797977cc8acb87778674a689450db174

SHA512
5d3d86507fc70ddbb250ec501638ba3a1765c9b2f6f265e33cd982c1cbe511dffccc0bd2360ba45ed833b66ef42aeeec587bf3f2a6bd4b747c4dc56342de0f71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2df90f80e9cc677489c089d0647b8a93

SHA1
419f8f704ca62f899eb44b5ae291694a58db8304

SHA256
3fb79d0fe8ba3e730d49ff9fa5501671e1d4c94284d5e0406d13c2c532386fd9

SHA512
2bb765804b366a3068072218f210cc26215f2848a8f2765c7d6e918d147bac0293cdbff2b4ef10470d4154df1bc1fca0136b12de2830b179bc8af1741c56737b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
f199f5d86431da473742e3b4ea6bb989

SHA1
3acfe26a43d370abf8e04194f9b12249db455b64

SHA256
c1f05f2eed5a93b22994dfc570e4df351f92a4d88ec7674709992c8efd35f1da

SHA512
e0c2e5eae196251c8554811e0527c108000100dce04c358d509fe2a1151a737c2165049bda06be239d9782ae3c88bef4cd9375c7100ccb81b135dcf743e6d993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
2KB

MD5
c20b26e5934fbec1ff050fd792d7da03

SHA1
aad09ef74b24eeb3ba340fe7741b18ab7147de14

SHA256
919c838896f59afadae905d94bcdf365f830ea9e27592a5b5fa6502b9f945deb

SHA512
e63768b128f760c94d1f4c9a92c31465f05df355b131a1ec65e3f3ecc4cd17d90124f2d67a2129b82e9be24c8d0ca3744e781d8c10dfb6528ec39a9cf96016f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\favicon[2].ico

Filesize
2KB

MD5
d6d6e89a3c8bfb5772af2d8559ff032b

SHA1
2e60a51fb9465a3b441329019bc28533928e066d

SHA256
930db3ea0db95957186d760e72eb8315e2a17630bae21d12226b26887f530187

SHA512
d1b7787ce13459b93622c4cfea8510558969c3303714e9b4cd38e8960da8fcd1d74ddaa4e193362008a79cda6d4611fb6dc30e6902dbe2bf183411878113a0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab94A3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9552.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2156-524-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2156-38-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2156-34-0x000007FEF6F50000-0x000007FEF6F9C000-memory.dmp

Filesize
304KB

Download
memory/2156-1397-0x000007FEF6F50000-0x000007FEF6F9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads