2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
Size

64KB
MD5

13764c022a1f54a7fac8133822dd8620
SHA1

01d99bc817eb147b2d27791d0e3b39b42b790bea
SHA256

2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299
SHA512

b3041ae8398a601fd2af2912d92ead422a7849fa11316bf7874c75608ed2f2a72efd334033b3a67dfdec30767021368296db18999391aada229afff992435402
SSDEEP

1536:SVmlLfDIi7wujHdLqR/gOyyEpMnRPvLmEpMLRPvL3EpMoRPvL8EpMFRPvLVEpMGT:WmlfhjHdWBiyEpMnRPvLmEpMLRPvL3Ep

Score

10^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2936	avscan.exe
2888	avscan.exe
2784	hosts.exe
2900	hosts.exe
2600	avscan.exe
1944	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe

Loads dropped DLL 5 IoCs

pid	Process
2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
2936	avscan.exe
2784	hosts.exe
2784	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
File created	\??\c:\windows\W_X_C.bat	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
2376	REG.exe
1740	REG.exe
1080	REG.exe
900	REG.exe
3008	REG.exe
1508	REG.exe
1940	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2936	avscan.exe
2784	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
2936	avscan.exe
2888	avscan.exe
2784	hosts.exe
2900	hosts.exe
2600	avscan.exe
1944	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2376	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	30
PID 2184 wrote to memory of 2376	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	30
PID 2184 wrote to memory of 2376	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	30
PID 2184 wrote to memory of 2376	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	30
PID 2184 wrote to memory of 2936	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	32
PID 2184 wrote to memory of 2936	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	32
PID 2184 wrote to memory of 2936	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	32
PID 2184 wrote to memory of 2936	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	32
PID 2936 wrote to memory of 2888	2936	avscan.exe	33
PID 2936 wrote to memory of 2888	2936	avscan.exe	33
PID 2936 wrote to memory of 2888	2936	avscan.exe	33
PID 2936 wrote to memory of 2888	2936	avscan.exe	33
PID 2936 wrote to memory of 2620	2936	avscan.exe	34
PID 2936 wrote to memory of 2620	2936	avscan.exe	34
PID 2936 wrote to memory of 2620	2936	avscan.exe	34
PID 2936 wrote to memory of 2620	2936	avscan.exe	34
PID 2184 wrote to memory of 1612	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	35
PID 2184 wrote to memory of 1612	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	35
PID 2184 wrote to memory of 1612	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	35
PID 2184 wrote to memory of 1612	2184	2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe	35
PID 2620 wrote to memory of 2900	2620	cmd.exe	38
PID 2620 wrote to memory of 2900	2620	cmd.exe	38
PID 2620 wrote to memory of 2900	2620	cmd.exe	38
PID 2620 wrote to memory of 2900	2620	cmd.exe	38
PID 1612 wrote to memory of 2784	1612	cmd.exe	39
PID 1612 wrote to memory of 2784	1612	cmd.exe	39
PID 1612 wrote to memory of 2784	1612	cmd.exe	39
PID 1612 wrote to memory of 2784	1612	cmd.exe	39
PID 2620 wrote to memory of 1300	2620	cmd.exe	40
PID 2620 wrote to memory of 1300	2620	cmd.exe	40
PID 2620 wrote to memory of 1300	2620	cmd.exe	40
PID 2620 wrote to memory of 1300	2620	cmd.exe	40
PID 2784 wrote to memory of 2600	2784	hosts.exe	41
PID 2784 wrote to memory of 2600	2784	hosts.exe	41
PID 2784 wrote to memory of 2600	2784	hosts.exe	41
PID 2784 wrote to memory of 2600	2784	hosts.exe	41
PID 1612 wrote to memory of 2964	1612	cmd.exe	42
PID 1612 wrote to memory of 2964	1612	cmd.exe	42
PID 1612 wrote to memory of 2964	1612	cmd.exe	42
PID 1612 wrote to memory of 2964	1612	cmd.exe	42
PID 2784 wrote to memory of 2680	2784	hosts.exe	43
PID 2784 wrote to memory of 2680	2784	hosts.exe	43
PID 2784 wrote to memory of 2680	2784	hosts.exe	43
PID 2784 wrote to memory of 2680	2784	hosts.exe	43
PID 2680 wrote to memory of 1944	2680	cmd.exe	45
PID 2680 wrote to memory of 1944	2680	cmd.exe	45
PID 2680 wrote to memory of 1944	2680	cmd.exe	45
PID 2680 wrote to memory of 1944	2680	cmd.exe	45
PID 2680 wrote to memory of 2324	2680	cmd.exe	46
PID 2680 wrote to memory of 2324	2680	cmd.exe	46
PID 2680 wrote to memory of 2324	2680	cmd.exe	46
PID 2680 wrote to memory of 2324	2680	cmd.exe	46
PID 2936 wrote to memory of 1740	2936	avscan.exe	48
PID 2936 wrote to memory of 1740	2936	avscan.exe	48
PID 2936 wrote to memory of 1740	2936	avscan.exe	48
PID 2936 wrote to memory of 1740	2936	avscan.exe	48
PID 2784 wrote to memory of 1080	2784	hosts.exe	50
PID 2784 wrote to memory of 1080	2784	hosts.exe	50
PID 2784 wrote to memory of 1080	2784	hosts.exe	50
PID 2784 wrote to memory of 1080	2784	hosts.exe	50
PID 2936 wrote to memory of 900	2936	avscan.exe	52
PID 2936 wrote to memory of 900	2936	avscan.exe	52
PID 2936 wrote to memory of 900	2936	avscan.exe	52
PID 2936 wrote to memory of 900	2936	avscan.exe	52

C:\Users\Admin\AppData\Local\Temp\2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe
"C:\Users\Admin\AppData\Local\Temp\2d0a67c2a018bb04d074f9691e63327a093324468031a128865a7a6470358299N.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Impair Defenses: Safe Mode Boot
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2900
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      System Location Discovery: System Language Discovery
      PID:1300
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1740
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:900
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2324
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1080
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3008
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
176KB

MD5
72cfe6e9a3265d5133dcd1e84aced959

SHA1
62f1d0fd73f6277350fd1501bfe38530a6ab6409

SHA256
280bc50697acb09dca3fd3007aabfb6f56197a2f6e2bf91d963de6da094051b1

SHA512
1e18f1f1252c96a3196c738e9c8829328b51f17e1f97a38af7afc241e7798332047e8532891d02511b75549ea3a6d6b60940d117b624bbe93d44ecc34d359737

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
240KB

MD5
9af88c150e13c37b7ed087d207d4e281

SHA1
ce7bcdf4c914969bd4feb586836931e294bb5145

SHA256
00de61fac66274bcddf98e6d86d4b00cd0ec03f399d30d6e606c7f951f5b1678

SHA512
9eb271951a8af1fb9a4362c1bcefb2b39d32b769761fbe1601b34160bf20b3bca73ba5b7160e909e92d47cd6ae678cab26973e5386f8ad34519f0e427a7f9483

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
304KB

MD5
b65e6d8101eb96061288eca96f1e8c47

SHA1
a90d147891465e1205a0cb0455628fa8654e762e

SHA256
7bd37e6451a3ba6ec5b835c9274babe38893f6d55f866dc66e39576e39045544

SHA512
5fd42b1c4a27698d950528495ab74cfc795b04b931b3fe83cd6463eb12e7c7f36003bb26bfe8bf76bb022324f177e8301d414be2932c43e654b72409b3bb5004

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
368KB

MD5
c827ec46842a3f0e660eb87189254dc7

SHA1
284407fc6eff2d2827eea9abb0afa236c0686d07

SHA256
039fdb6574fbe0bf2d702fdb13d999c26d8819e7f989d33254f30a3ad57bc2d4

SHA512
226808886b8709b932c16cdd9fb1a03ce02abb36d01af423c02c02f277c069cdec5c15f2521f019265f3d62558479407a92a45c9c4643c848d587d58d2c394a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
432KB

MD5
08b692b97dcad6f717c15b795d9edc1f

SHA1
a048a414f7de170fc018f1ac8c0921d46bc14c12

SHA256
19f762870e44614f4d174f99459dae462fc59ace024c5551d030c8d201fd1cc0

SHA512
30f3c0769674291b1fade45446575a1da8d87ac5446e87e41024504ed2d285d895a82388c50fbcf1e4cc22e28ba8cc03f9fb280cf307887efcc0ca89fd412f0c

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
e1551d79cbac725a6adfcbb4290820bb

SHA1
d66b66449fceeaa6715bea11a69986fe2ea0483f

SHA256
c7619c996c4bb083af1901d74b765b5058b4b0268d772c5f58c8215987734113

SHA512
e85b74bd0e11ef737753e323a6f6a587da48feda162c87d048840c58721a6ef1be6462fa3a2e855c6a846ba45da7280b134935dbbf246807f0b662352bded0df

Download Submit
C:\Windows\hosts.exe

Filesize
64KB

MD5
175881440c6090fb4c615967334c4631

SHA1
995cb5daf4f17dfad8f2694dc872ee456d4df3cd

SHA256
64ff6946c176e89691cd417c7d139f0c3349f5e4a0c60722ca85138d0acb1b3b

SHA512
789715fc2e45a0cb94b0abd6fb2fc11f6e1981b77a30c2b9b3b0928872d4f4aafcd46cc381534130163319c90883388bd09795b9329aa3cb98eff44702aa6a15

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
64KB

MD5
1310de693337a7f8a9db2b4a0c37f76f

SHA1
4cc2dadcf8894331c5b7a33260b3bcbfab7e1cc0

SHA256
43ebc5c40770a3c2e2ab151f9fb5eedd2c99c3b6de379ddc487d026f2f0c90c9

SHA512
fcd07daeeae524ac7b543896b3cbfb65c3a95760c79c62b8d5f20c70cdf976b4dc3f13d5ddf6eb916ee0cf03326179876356e9606481341a31f82be06b1bebcf

Download Submit
memory/1612-49-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/1612-50-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/1944-126-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1944-105-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2184-19-0x0000000001D50000-0x0000000001D75000-memory.dmp

Filesize
148KB

Download
memory/2184-43-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2184-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2184-3-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2184-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2184-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2184-5-0x0000000000401000-0x000000000041D000-memory.dmp

Filesize
112KB

Download
memory/2184-20-0x0000000001D50000-0x0000000001D75000-memory.dmp

Filesize
148KB

Download
memory/2184-44-0x0000000000401000-0x000000000041D000-memory.dmp

Filesize
112KB

Download
memory/2600-95-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2600-102-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2620-48-0x0000000000170000-0x0000000000195000-memory.dmp

Filesize
148KB

Download
memory/2680-124-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/2680-103-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/2680-121-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/2784-53-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2784-149-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2784-89-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2784-128-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2888-40-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2888-34-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2900-61-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2900-80-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2936-96-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2936-22-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2936-148-0x0000000000430000-0x0000000000455000-memory.dmp

Filesize
148KB

Download
memory/2936-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2936-23-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads