63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ce

Analysis

max time kernel
91s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
Size

3.3MB
MD5

ceef92d4499e291b76822c9a08501970
SHA1

ad234fb1df0a24e7bcda9dfbdbc1a3ae6bd1499d
SHA256

63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ce
SHA512

5289f5451a996f891fda629150d52e000a351ed5eb122ffb791a811d4add18e3f71fd5e8d6dada95c572dca673f95ecbb404b2d9ba28014004a2f1e5aa0c0a69
SSDEEP

49152:g7J7A7yD7q7yD7c747q7yD7A7yD7q7yD7H747q7yD7A7yD7q7yD727Q:gdMmD2mDAc2mDMmD2mDrc2mDMmD2mD6c

Score

10^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CCJBVTGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CCJBVTGQ = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CCJBVTGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1884	avscan.exe
2712	avscan.exe
2776	hosts.exe
2744	hosts.exe
2668	avscan.exe
1200	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe

Loads dropped DLL 5 IoCs

pid	Process
2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
1884	avscan.exe
2776	hosts.exe
2776	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
File created	\??\c:\windows\W_X_C.bat	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
File opened for modification	C:\Windows\hosts.exe	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
448	REG.exe
2596	REG.exe
912	REG.exe
1644	REG.exe
2208	REG.exe
1880	REG.exe
2180	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1884	avscan.exe
2776	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
1884	avscan.exe
2712	avscan.exe
2776	hosts.exe
2744	hosts.exe
2668	avscan.exe
1200	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2208	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	30
PID 2512 wrote to memory of 2208	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	30
PID 2512 wrote to memory of 2208	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	30
PID 2512 wrote to memory of 2208	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	30
PID 2512 wrote to memory of 1884	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	32
PID 2512 wrote to memory of 1884	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	32
PID 2512 wrote to memory of 1884	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	32
PID 2512 wrote to memory of 1884	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	32
PID 1884 wrote to memory of 2712	1884	avscan.exe	33
PID 1884 wrote to memory of 2712	1884	avscan.exe	33
PID 1884 wrote to memory of 2712	1884	avscan.exe	33
PID 1884 wrote to memory of 2712	1884	avscan.exe	33
PID 1884 wrote to memory of 1896	1884	avscan.exe	34
PID 1884 wrote to memory of 1896	1884	avscan.exe	34
PID 1884 wrote to memory of 1896	1884	avscan.exe	34
PID 1884 wrote to memory of 1896	1884	avscan.exe	34
PID 2512 wrote to memory of 2764	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	35
PID 2512 wrote to memory of 2764	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	35
PID 2512 wrote to memory of 2764	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	35
PID 2512 wrote to memory of 2764	2512	63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe	35
PID 2764 wrote to memory of 2776	2764	cmd.exe	38
PID 2764 wrote to memory of 2776	2764	cmd.exe	38
PID 2764 wrote to memory of 2776	2764	cmd.exe	38
PID 2764 wrote to memory of 2776	2764	cmd.exe	38
PID 1896 wrote to memory of 2744	1896	cmd.exe	39
PID 1896 wrote to memory of 2744	1896	cmd.exe	39
PID 1896 wrote to memory of 2744	1896	cmd.exe	39
PID 1896 wrote to memory of 2744	1896	cmd.exe	39
PID 2764 wrote to memory of 2640	2764	cmd.exe	40
PID 2764 wrote to memory of 2640	2764	cmd.exe	40
PID 2764 wrote to memory of 2640	2764	cmd.exe	40
PID 2764 wrote to memory of 2640	2764	cmd.exe	40
PID 2776 wrote to memory of 2668	2776	hosts.exe	41
PID 2776 wrote to memory of 2668	2776	hosts.exe	41
PID 2776 wrote to memory of 2668	2776	hosts.exe	41
PID 2776 wrote to memory of 2668	2776	hosts.exe	41
PID 1896 wrote to memory of 2160	1896	cmd.exe	42
PID 1896 wrote to memory of 2160	1896	cmd.exe	42
PID 1896 wrote to memory of 2160	1896	cmd.exe	42
PID 1896 wrote to memory of 2160	1896	cmd.exe	42
PID 2776 wrote to memory of 2112	2776	hosts.exe	43
PID 2776 wrote to memory of 2112	2776	hosts.exe	43
PID 2776 wrote to memory of 2112	2776	hosts.exe	43
PID 2776 wrote to memory of 2112	2776	hosts.exe	43
PID 2112 wrote to memory of 1200	2112	cmd.exe	45
PID 2112 wrote to memory of 1200	2112	cmd.exe	45
PID 2112 wrote to memory of 1200	2112	cmd.exe	45
PID 2112 wrote to memory of 1200	2112	cmd.exe	45
PID 2112 wrote to memory of 2992	2112	cmd.exe	46
PID 2112 wrote to memory of 2992	2112	cmd.exe	46
PID 2112 wrote to memory of 2992	2112	cmd.exe	46
PID 2112 wrote to memory of 2992	2112	cmd.exe	46
PID 1884 wrote to memory of 1880	1884	avscan.exe	48
PID 1884 wrote to memory of 1880	1884	avscan.exe	48
PID 1884 wrote to memory of 1880	1884	avscan.exe	48
PID 1884 wrote to memory of 1880	1884	avscan.exe	48
PID 2776 wrote to memory of 2180	2776	hosts.exe	50
PID 2776 wrote to memory of 2180	2776	hosts.exe	50
PID 2776 wrote to memory of 2180	2776	hosts.exe	50
PID 2776 wrote to memory of 2180	2776	hosts.exe	50
PID 1884 wrote to memory of 448	1884	avscan.exe	52
PID 1884 wrote to memory of 448	1884	avscan.exe	52
PID 1884 wrote to memory of 448	1884	avscan.exe	52
PID 1884 wrote to memory of 448	1884	avscan.exe	52

C:\Users\Admin\AppData\Local\Temp\63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe
"C:\Users\Admin\AppData\Local\Temp\63ad247fa5ab8cbedfae1f70f4d29b4a80f9b8dc6ae19f5a685b5c264fe661ceN.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Impair Defenses: Safe Mode Boot
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2744
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      System Location Discovery: System Language Discovery
      PID:2160
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1880
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:448
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1200
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2992
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2180
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2596
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
6.7MB

MD5
36400315b648156b79c835884ea2e0f3

SHA1
05c1d746e9fe7bb4d11f5c9c13c26806ce3657b7

SHA256
5b5c2e0467d759f9d9065132e59bc682b5a807d5e60fe8cc37644c21cd5ae964

SHA512
87270025383b19376c54baa3d8263754ef60b4f8106adc70c70cf9137bef5e9a45b8fef90e83c998ccb20e3b9c5aae9c0bd5a1a1f02b72a83123bed80cd5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
13.4MB

MD5
ff723327095a84e8f6e3050df0b3ab59

SHA1
246a3e5e7f9fe03428ad4d1fc5e586a70a693323

SHA256
dba00d033703260fad7be08fe3df73b1f56403a92b1b1fe4d2d69075e7ea8094

SHA512
c2821da11be334b70fa5d07e671948bbd5c3020b3529a58f59706843c5e61f6532aca4088eb4f00ffa0067b2ece168080a60b1fbfdb369f6ab72a13ba93b5136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
13.4MB

MD5
fd402976a44e49ddcd07b051e1706509

SHA1
07d8eb9bd6219a79f2de4d403081e4ed083bf548

SHA256
05b3fa0076f551d522301a8a886c78150e975dd0521321de0e2423e145e7bf55

SHA512
02e923083d0ea431e82f66a8870ff3aba7127432409dd482a03045cd0679c700b871095cf2739e1e453d6f74f4616e9125658e4b7394089c7427aecf3174aa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
20.0MB

MD5
b954a5f707a27ea6a529898ba5e28bca

SHA1
19ea364943ec54aa1e5293528885a53ccaa4a5cd

SHA256
3ee252838bd04440c204d499353370a5821b6b8ee849c60a680a39e3bc497f08

SHA512
6c175c0eb791901066874660e8e24382c56792b17808879a4b6301f5a9f32575ca2ace4769d8fbf027278ad7d1948f31939aa831b94abd868f0ea52273463fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
20.0MB

MD5
c772ebb5fdaf32907fd80a1fd8cdac28

SHA1
a556a8e25ccce550d484d9c7d0f2dabd357b8cd3

SHA256
c34f3c40c8dc186aba45e5cb0e76afd058564dfa812afc9cdf5f5eac5e71b1ef

SHA512
ce18e5ce00074b94bf1bf97dd551aec216d860f3a0702e3d629451bff9ec4dbcc97bd573a9076b1f96e378061369320a262271b224fc18a90cddfc4386df71bd

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
71afe05995ab9855480e1b5b0cbd516f

SHA1
4c96a6537720ec4770ac3cd1e59a914f007fe3ba

SHA256
8bdfb6dfdb2722c9f23b40d28f507f897f113c3e74f032f2944580b771ae9640

SHA512
d5579eedf848f4d689394ead51a70e16db07241920eccbdc18b572ec46383eb7050ee06339cacf8113d59344e50aef0f202197517a03090cf70e2cbf30770ba6

Download Submit
C:\Windows\hosts.exe

Filesize
3.3MB

MD5
d7bcbbcc38d5081f6e5601bc527e94d9

SHA1
52609db654eafc485506f89b9c0aeb37f4f7bb79

SHA256
fa846cfd22848eb3daa42bab79f09d34258beaf72393a8d74e154992fb5ff677

SHA512
48f4d1d71f98f052a90c16a81b927df5a689b7a591291f73d69d40521ee093b3ea63745a97db8d84700edb87cafc6e6381bca087fb0b817aa5c557cd4d7ac88f

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
3.3MB

MD5
d339c121a6c9e327d9ed350b7de7c1dc

SHA1
d09da4bb6305372921385a1425ea3a5def914300

SHA256
6f7e608be05bf1e7a48f8b053aacd6677d57ff62cac12b83ae6fdffff2d4f073

SHA512
052620c231e574f5389588512bcba96f1e6d7336cd3a4f2adef4261b2964bdbd819a6143d7feef840a14c5562761a926f5c2446757cc4dd5f1e72ed1c2bfd82a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads