9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81

Analysis

max time kernel
121s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
Size

2.1MB
MD5

8e3c20227c45fb59c9a595c3a78448de
SHA1

85b16583812a18d1d718222bd423dc0dd92eaddb
SHA256

9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81
SHA512

30fdcf629c43cc0ed2118a3d4ddb591d803b93e2b54c3451b7f046d662315dd5a0916ec4a22068d423a977e6847b697a8f597b749f7a505dda3b660486f7c9e1
SSDEEP

49152:g727d7A7yD7q7yD72747q7yD7A7yD7q7yDD:g65MmD2mD6c2mDMmD2mDD

Score

10^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZQABOPWE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZQABOPWE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZQABOPWE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
320	avscan.exe
2564	avscan.exe
528	hosts.exe
2660	hosts.exe
2068	avscan.exe
2856	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe

Loads dropped DLL 5 IoCs

pid	Process
2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
320	avscan.exe
528	hosts.exe
528	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
File created	\??\c:\windows\W_X_C.bat	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
File opened for modification	C:\Windows\hosts.exe	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1344	REG.exe
2404	REG.exe
828	REG.exe
1940	REG.exe
2008	REG.exe
1628	REG.exe
2668	REG.exe
2504	REG.exe
2164	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
320	avscan.exe
528	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
320	avscan.exe
2564	avscan.exe
528	hosts.exe
2660	hosts.exe
2068	avscan.exe
2856	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2668	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	30
PID 2400 wrote to memory of 2668	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	30
PID 2400 wrote to memory of 2668	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	30
PID 2400 wrote to memory of 2668	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	30
PID 2400 wrote to memory of 320	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	32
PID 2400 wrote to memory of 320	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	32
PID 2400 wrote to memory of 320	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	32
PID 2400 wrote to memory of 320	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	32
PID 320 wrote to memory of 2564	320	avscan.exe	33
PID 320 wrote to memory of 2564	320	avscan.exe	33
PID 320 wrote to memory of 2564	320	avscan.exe	33
PID 320 wrote to memory of 2564	320	avscan.exe	33
PID 320 wrote to memory of 2652	320	avscan.exe	34
PID 320 wrote to memory of 2652	320	avscan.exe	34
PID 320 wrote to memory of 2652	320	avscan.exe	34
PID 320 wrote to memory of 2652	320	avscan.exe	34
PID 2400 wrote to memory of 2836	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	35
PID 2400 wrote to memory of 2836	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	35
PID 2400 wrote to memory of 2836	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	35
PID 2400 wrote to memory of 2836	2400	9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe	35
PID 2836 wrote to memory of 2660	2836	cmd.exe	38
PID 2836 wrote to memory of 2660	2836	cmd.exe	38
PID 2836 wrote to memory of 2660	2836	cmd.exe	38
PID 2836 wrote to memory of 2660	2836	cmd.exe	38
PID 2652 wrote to memory of 528	2652	cmd.exe	39
PID 2652 wrote to memory of 528	2652	cmd.exe	39
PID 2652 wrote to memory of 528	2652	cmd.exe	39
PID 2652 wrote to memory of 528	2652	cmd.exe	39
PID 528 wrote to memory of 2068	528	hosts.exe	40
PID 528 wrote to memory of 2068	528	hosts.exe	40
PID 528 wrote to memory of 2068	528	hosts.exe	40
PID 528 wrote to memory of 2068	528	hosts.exe	40
PID 2652 wrote to memory of 2988	2652	cmd.exe	41
PID 2652 wrote to memory of 2988	2652	cmd.exe	41
PID 2652 wrote to memory of 2988	2652	cmd.exe	41
PID 2652 wrote to memory of 2988	2652	cmd.exe	41
PID 2836 wrote to memory of 2980	2836	cmd.exe	42
PID 2836 wrote to memory of 2980	2836	cmd.exe	42
PID 2836 wrote to memory of 2980	2836	cmd.exe	42
PID 2836 wrote to memory of 2980	2836	cmd.exe	42
PID 528 wrote to memory of 2160	528	hosts.exe	43
PID 528 wrote to memory of 2160	528	hosts.exe	43
PID 528 wrote to memory of 2160	528	hosts.exe	43
PID 528 wrote to memory of 2160	528	hosts.exe	43
PID 2160 wrote to memory of 2856	2160	cmd.exe	45
PID 2160 wrote to memory of 2856	2160	cmd.exe	45
PID 2160 wrote to memory of 2856	2160	cmd.exe	45
PID 2160 wrote to memory of 2856	2160	cmd.exe	45
PID 2160 wrote to memory of 2408	2160	cmd.exe	46
PID 2160 wrote to memory of 2408	2160	cmd.exe	46
PID 2160 wrote to memory of 2408	2160	cmd.exe	46
PID 2160 wrote to memory of 2408	2160	cmd.exe	46
PID 320 wrote to memory of 2504	320	avscan.exe	47
PID 320 wrote to memory of 2504	320	avscan.exe	47
PID 320 wrote to memory of 2504	320	avscan.exe	47
PID 320 wrote to memory of 2504	320	avscan.exe	47
PID 528 wrote to memory of 2164	528	hosts.exe	49
PID 528 wrote to memory of 2164	528	hosts.exe	49
PID 528 wrote to memory of 2164	528	hosts.exe	49
PID 528 wrote to memory of 2164	528	hosts.exe	49
PID 320 wrote to memory of 2404	320	avscan.exe	51
PID 320 wrote to memory of 2404	320	avscan.exe	51
PID 320 wrote to memory of 2404	320	avscan.exe	51
PID 320 wrote to memory of 2404	320	avscan.exe	51

C:\Users\Admin\AppData\Local\Temp\9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
"C:\Users\Admin\AppData\Local\Temp\9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Impair Defenses: Safe Mode Boot
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2408
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2164
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:828
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2008
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1344
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      System Location Discovery: System Language Discovery
      PID:2988
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2504
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2404
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1940
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.2MB

MD5
d6d4d02e23b7d2f825e658bc8f485170

SHA1
9c44926d5619860203a64ae70bcf1e02e5b4d666

SHA256
6ea875fb194948b92a1934cb8bc518737e4c9ee436da3a1c68e35c6525f422f3

SHA512
61feee0438a6187230da74fbf5059a1a8b416c7217bdee6d4c462f4570df7b15371325a14f5d9bd3ecd5b2e7eff8bd697674489271b639b1688d1ad7862b1f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
6.3MB

MD5
9a89847130e84878d0e03d42c7a0cb83

SHA1
f8d0a2f36c74b28229a57861c9d2985417b6c90d

SHA256
3c338bcdaa66fc51d78e03ea43bc1b287056c19edcd7fc45fa5d1cd1424ac523

SHA512
bfbd885f4bcda64bddf86f09e36f02df4a1c800786f6ec57e86dd1a83761d8f16e363d76b2f5547efd72c537e472e768781609eaca1f8253ec6ac46f49a44134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
8.3MB

MD5
4d94501c6c22373d75756e49c4eeaf10

SHA1
e25f6f84c3a440b0db2d6dd916c6e9716bc26f6c

SHA256
d127fe03023c75bf48e6f9ad7c57e9ffa5ff32bbbb45dc36b92bcaa32675eb27

SHA512
f3b80be44d9b382a8083d6b0bbd7f8e349202ade3d7f2f21cfb42a51fff598e89eab18f0e6862a3922568a6dfcd35502738fcf9ec128b2e2ade078e79d37fad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
10.4MB

MD5
c69023dd7537344590ec403a9e02f308

SHA1
4e354c57f7bb06518b1cceaa6ebbae6dc4767331

SHA256
061653f10f8316064136cb3c7aa33e1fb797f02fbec417d70ab62746484a36f0

SHA512
14e26581b32798769b6178552db96c19db51f108ed8b877b7aa40ce9925342a14b65c020ac10f417d950084fabe60ff69fa17ea876b91aee39306dade41ee7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
12.5MB

MD5
2986d0b1449712c5dfa95f3cdd3f5b16

SHA1
f6369261e7f5f0cbf0a81dc1371f9dba9e20f82a

SHA256
914e198cc8f68a95ecdd435813935c4936b1cc2c99c50f8bce200bb7c622f473

SHA512
a939f0906f6247ae165f36f08975fbdae7d072ac38cf137f18b2484e969e70cb8e7aef43a9068ef991dc9b2f9e25f968cf37b00a0ffbefa39a723e533d8f4db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
16.7MB

MD5
c922367db7938e318ad3b676aca6853f

SHA1
67c70f079b66d31664a33184006642e68caa2d46

SHA256
8e4aee862f051876b3fcee2f87d2b81d3fb083d33d7c24f3e6f0fd6f9b7ea0a7

SHA512
a9ad926556f50831dae307ef5c4ba85d90e079e1c942ad4f6fb9c8d11afbf3393b90962808ff22f7560702e0251996278e4c3f043057655eb416c20a8eb9deed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
16.7MB

MD5
29011c7035c9073fda65d572eb57e4af

SHA1
63dccd55d21d6a01ad7ea9505c9ad02130d8f377

SHA256
65c1cd81012ecc74bc38e10f6c7c2ec23a71508ab4a207757026f5de2ac9fcbd

SHA512
6a48bf047022ce9581ae9c8c4bfac2f8dd7bf32aef6d7749269d8ad90eb0f23cb2ec0a45770d73e27dca81b3599548b6ce8535937bf05cd14fe43a41f5b4bf30

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
3c4e84045a74e5f159fa3f27f6c7fd04

SHA1
b094707d7433252e936e8877f7979a5d6eb92313

SHA256
ca96696a0a3986bf08859c1db04be21dbd09ac1421649ab970b437e560ff5944

SHA512
37bfc7c5fa0dbf998cd6e856b53483dc53acac2c4f8544e122e43bc96fe55f1880ad7fe5069f4fe2e23affd3671f999ae805023a501ffd4b41644fc5579777a3

Download Submit
C:\Windows\hosts.exe

Filesize
2.1MB

MD5
9ce9e6938972d42866faf4e710bd8952

SHA1
9f8b6496561d591e6187eed95f4284dcb33cca75

SHA256
a346efab5e56ff7385cae953872b09edca0bdc6542d1578e912a47f54c1ca068

SHA512
f49919f0ba88b84d48f51e30213f02bb59886f8f874912eca747f90303605c12fa431f77dd88ea973af681ef6066ab7571c89ebb0debc030a6bb75d3130f57c1

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
2.1MB

MD5
973c91ff228ae8fd2e883e2334b67fef

SHA1
fe1ced2a781febdef84e479472aa9456fec1cf8c

SHA256
d2b994d285e70626ce30846dbf64c2a2b401189428223358aa6f0eb7ed8048d8

SHA512
3ac1d8196095d0b4ade2a827e0328b8cc1b8382ff57ed6fb202ccb65230d9a60440f2049d78173af94912b7feeb9d8d8ceb3231973cc98ee8384f83e79ebd58b

Download Submit
memory/2652-63-0x0000000002550000-0x0000000002650000-memory.dmp

Filesize
1024KB

Download
memory/2836-64-0x00000000023B0000-0x00000000024B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads