5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
Size

179KB
MD5

91fbab1f0cc56706e5721646f07a5162
SHA1

8b513324ad0a237c1e15477ce7e08291e82f1f8a
SHA256

5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca
SHA512

f691e7cc808ad9198175887da1a48a4af2fadee1cdd24a19f0ce3555f1c034d89995f35e985f064af60eece730df7ef479ba708a1d7b35d8776ade5d134a75f4
SSDEEP

3072:PvaY46tGNttyJQ7KRQ1Gny0is1iygSw01IZ1ymklBF5TjZqMNl:p46tGdyjR3gSZ1IZ1yjrvl

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	Logo1_.exe
2584	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe

Loads dropped DLL 1 IoCs

pid	Process
2824	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2852	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	30
PID 2968 wrote to memory of 2852	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	30
PID 2968 wrote to memory of 2852	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	30
PID 2968 wrote to memory of 2852	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	30
PID 2852 wrote to memory of 2720	2852	net.exe	32
PID 2852 wrote to memory of 2720	2852	net.exe	32
PID 2852 wrote to memory of 2720	2852	net.exe	32
PID 2852 wrote to memory of 2720	2852	net.exe	32
PID 2968 wrote to memory of 2824	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	33
PID 2968 wrote to memory of 2824	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	33
PID 2968 wrote to memory of 2824	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	33
PID 2968 wrote to memory of 2824	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	33
PID 2968 wrote to memory of 2856	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	35
PID 2968 wrote to memory of 2856	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	35
PID 2968 wrote to memory of 2856	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	35
PID 2968 wrote to memory of 2856	2968	5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe	35
PID 2856 wrote to memory of 2740	2856	Logo1_.exe	36
PID 2856 wrote to memory of 2740	2856	Logo1_.exe	36
PID 2856 wrote to memory of 2740	2856	Logo1_.exe	36
PID 2856 wrote to memory of 2740	2856	Logo1_.exe	36
PID 2740 wrote to memory of 2572	2740	net.exe	38
PID 2740 wrote to memory of 2572	2740	net.exe	38
PID 2740 wrote to memory of 2572	2740	net.exe	38
PID 2740 wrote to memory of 2572	2740	net.exe	38
PID 2824 wrote to memory of 2584	2824	cmd.exe	39
PID 2824 wrote to memory of 2584	2824	cmd.exe	39
PID 2824 wrote to memory of 2584	2824	cmd.exe	39
PID 2824 wrote to memory of 2584	2824	cmd.exe	39
PID 2856 wrote to memory of 2388	2856	Logo1_.exe	40
PID 2856 wrote to memory of 2388	2856	Logo1_.exe	40
PID 2856 wrote to memory of 2388	2856	Logo1_.exe	40
PID 2856 wrote to memory of 2388	2856	Logo1_.exe	40
PID 2388 wrote to memory of 1460	2388	net.exe	42
PID 2388 wrote to memory of 1460	2388	net.exe	42
PID 2388 wrote to memory of 1460	2388	net.exe	42
PID 2388 wrote to memory of 1460	2388	net.exe	42
PID 2856 wrote to memory of 1188	2856	Logo1_.exe	21
PID 2856 wrote to memory of 1188	2856	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
  "C:\Users\Admin\AppData\Local\Temp\5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2DE.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe
      "C:\Users\Admin\AppData\Local\Temp\5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2584
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
b09d62164c8f7098876ae37af9785964

SHA1
a949a6104c60ac0e41ea0c5bb5cbd94087a54e7b

SHA256
f845ff7a207b5dca7eb0334341257e879a7d9e8601d7b4f4c817251e6947baed

SHA512
3a32a266bd3eaab950efe1cf44da22b1a4b6859065bbef4f144d809ab22b05ba109d69e91f0c961468fb5bccb07138d19a5d73d39626e8fd661bbec537572b41

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
6a69ce6928676e96da75ff133c378a5d

SHA1
d7906fa148c1bc6b22a81231c83bf02c30efdfe9

SHA256
7213ffb4ea5f57902d832479d1eac60337c17ddf99cd09b5cd35231c09ea8012

SHA512
5a0c78abce8fd1a5153dccd611fc75e5d5da865b277764e3a3e46ac9c91cd985a789e929dd78958e4d255aaa1221a0776a794e0be1c3983b8638c9d1a0a3479f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2DE.bat

Filesize
721B

MD5
a64f2c0205c319cb64b383dd7c39f6f6

SHA1
183a5295889f001a9bb5ca70b09a17cbcc401ee0

SHA256
1e0a8e43b8eb4e14c1348901adade5e604d6dc1e61dff7051dafb06bc5477dfd

SHA512
2fab5effb10dead9ec1b2910524ad60e163763f9a6c2d15a23008ad1e24b0d3baa20a710511e3a94ad7e7c71c0da110c87cccccc0bcb923e62ac52567416b365

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
10757c60942f55811de387485f9aa197

SHA1
9e55ee8d21052abf5b1eeaeb650387f895dffad2

SHA256
bcc2900bd81e376a8a1965991ddf991a06a1fab7045793f3243b2e5f22bf6139

SHA512
cb8c02e083e2639e203113a4ba891e553d690e80d4c3551b030e618cedc85a02b08a7183190d38dd5bb0858fabfdb1f59c485b9ac9a24825c7cd5e480979b07a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
832B

MD5
7e3a0edd0c6cd8316f4b6c159d5167a1

SHA1
753428b4736ffb2c9e3eb50f89255b212768c55a

SHA256
1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

SHA512
9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini

Filesize
9B

MD5
5412111268dd2c1fb1cf8697bfab9b6c

SHA1
16d0b289e83c74cb50a004edd7c5750ac706f321

SHA256
f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

SHA512
13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

Download Submit
\Users\Admin\AppData\Local\Temp\5d17ba6d6e3f6d866cd6ec43fde07603d8d99ba89220e66db218b60934e03dca.exe

Filesize
145KB

MD5
f0003bbe2ddbc6a86bcd8bb3e59a459e

SHA1
72a13c7a33c9262cc60037aeaf120f54a21cdeb6

SHA256
6b3875c773db867834fe34c0efe43263908cfd264b77336f4c99977927650914

SHA512
7603900304bfd5f31e6165554a30d2dcbaa62d2d60debf55e9e7fb4c8c3d9f86a78725beb435ff9c85bd57562d538d527645cbe5dfbcb73efa9b2c5e600ab7a7

Download Submit
memory/1188-31-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/2856-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-2964-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-4157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-18-0x0000000000240000-0x000000000027E000-memory.dmp

Filesize
248KB

Download
memory/2968-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-13-0x0000000000240000-0x000000000027E000-memory.dmp

Filesize
248KB

Download