a7fc1c27de4e6b0628595298ac4caa0980a66054efdb85e49d92a4a1077dc3c7

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 03:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Size

201KB
MD5

45b2cd945920582aa29f97f4a30a63ae
SHA1

368fd11c183d57967d22e70215e94d50c9ac68e6
SHA256

a7fc1c27de4e6b0628595298ac4caa0980a66054efdb85e49d92a4a1077dc3c7
SHA512

523245aa1e5b8b737c6e60d58a507ef0d76935f1ef284906849f3578eaf9a7e09d1e83be25e07ae87d25d78b7d085a98367f28c1f51686d34fde05df06f9570f
SSDEEP

6144:HHTLINfFtWNiHS5Jhm3VC/iVDOlFIerHv:H4Nf3eUS5JAFC/iQFI6v

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	UPNECVIU.exe

Loads dropped DLL 2 IoCs

pid	Process
108	WScript.exe
108	WScript.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\\\system32\\\\SHELL32.dll,3"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\\\system32\\\\SHELL32.dll,3"	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³µÇÂ¼½ø³ÌÎÄ¼þ = "C:\\Users\\Admin\\AppData\\Roaming\\UPNECVIU.exe"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³µÇÂ¼½ø³ÌÎÄ¼þ = "C:\\Users\\Admin\\AppData\\Roaming\\UPNECVIU.exe"	UPNECVIU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPNECVIU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	UPNECVIU.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.0344.net"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.0344.net"	UPNECVIU.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D\ = "É¾³ý(&D)"	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D\Command	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\ShellFolder	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\ = "Internet Explorer"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\DefaultIcon	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D\Command\ = "Rundll32.exe"	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)\ = "´ò¿ªÖ÷Ò³(&H)"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\\\system32\\\\SHELL32.dll,3"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)\Command	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\ShellFolder	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\ShellFolder\Attributes = "0"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)\Command	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D\ = "É¾³ý(&D)"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\DefaultIcon	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)\ = "´ò¿ªÖ÷Ò³(&H)"	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\\\system32\\\\SHELL32.dll,3"	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)\	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)\Command	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D\Command\ = "Rundll32.exe"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)\	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}	UPNECVIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" h%2t%2t%2p%2:%2/%2/www%2.%30%33%34%34.net"	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D\Command	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\DefaultIcon	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)\Command	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\ShellFolder	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ÊôÐÔ(&R)	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\DefaultIcon	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\ = "·ÃÎÊ(&H)"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\ShellFolder	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\D	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)	UPNECVIU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell\·ÃÎÊ(&H)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" h%2t%2t%2p%2:%2/%2/www%2.%30%33%34%34.net"	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65083357-5614-5614-5614-859310895204}\Shell	regini.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"%ProgramFiles(x86)%\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046}	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"%ProgramFiles(x86)%\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046}	UPNECVIU.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 108	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	29
PID 1628 wrote to memory of 108	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	29
PID 1628 wrote to memory of 108	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	29
PID 1628 wrote to memory of 108	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2396	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2396	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2396	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2396	1628	45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe	30
PID 2396 wrote to memory of 3040	2396	cmd.exe	33
PID 2396 wrote to memory of 3040	2396	cmd.exe	33
PID 2396 wrote to memory of 3040	2396	cmd.exe	33
PID 2396 wrote to memory of 3040	2396	cmd.exe	33
PID 108 wrote to memory of 2352	108	WScript.exe	34
PID 108 wrote to memory of 2352	108	WScript.exe	34
PID 108 wrote to memory of 2352	108	WScript.exe	34
PID 108 wrote to memory of 2352	108	WScript.exe	34
PID 2352 wrote to memory of 2364	2352	UPNECVIU.exe	35
PID 2352 wrote to memory of 2364	2352	UPNECVIU.exe	35
PID 2352 wrote to memory of 2364	2352	UPNECVIU.exe	35
PID 2352 wrote to memory of 2364	2352	UPNECVIU.exe	35
PID 2352 wrote to memory of 2604	2352	UPNECVIU.exe	36
PID 2352 wrote to memory of 2604	2352	UPNECVIU.exe	36
PID 2352 wrote to memory of 2604	2352	UPNECVIU.exe	36
PID 2352 wrote to memory of 2604	2352	UPNECVIU.exe	36
PID 2604 wrote to memory of 2680	2604	cmd.exe	38
PID 2604 wrote to memory of 2680	2604	cmd.exe	38
PID 2604 wrote to memory of 2680	2604	cmd.exe	38
PID 2604 wrote to memory of 2680	2604	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45b2cd945920582aa29f97f4a30a63ae_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604763.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Users\Admin\AppData\Roaming\UPNECVIU.exe
    "C:\Users\Admin\AppData\Roaming\UPNECVIU.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604763.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\qq.ini
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\regini.exe
        
        regini C:\Users\Admin\AppData\Local\Temp\qq.ini
        5⤵
        Modifies registry class
        
        PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\qq.ini
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Users\Admin\AppData\Local\Temp\qq.ini
    3⤵
    - Modifies registry class
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\qq.vbs

Filesize
1KB

MD5
9a8a5fc4945db6dbc7a68d30ff520995

SHA1
ca49bd1c336caddb67f28bed142716d38baad5c2

SHA256
b17466b865718ea47f3f86f69ea4364abe94077d2b354afedd09f0c1802cc31a

SHA512
79757961f4eb28acacd9b9a5548871c4c848e0dc5f0063784bcd9d1c18dedbd7e48fcf9600a93215384b659717e5fd223eaabaaab674ff6265e3c1fa9ae45cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\604763.vbs

Filesize
1KB

MD5
b57bdcf164136b28bccdaf7d1af1967b

SHA1
3f3c01286d4745dd52a4029257b8d5595108a349

SHA256
926e07a89a8a3755ecfc75f2e1fd37515c44d3afb1eb80534c9f42ed9a13d627

SHA512
c03ee34153ad4ccd37e6edc7a807c31a10e380325cbe64d459d33a56ed8fbd13d14069e72f24aca3bbb6354e4790a62a8ef87d3fc3ba0a6453c3743dd3d98a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\qq.ini

Filesize
533B

MD5
ccaa790b77e22cc6a1cc8c0ff2d2daf8

SHA1
944fce80110b1074afafda3619d8b54747e397b9

SHA256
8011ccb88e26f947cd8377d855f0d8953809b86768e60199919e7c1edce219a3

SHA512
94b06d551c75c8930cc6cb12423ad5603f5e0555bb1b1b28551572860ce724573090a57b510cfa0d411b6ea47c0320e82e39acc07c83d722be881cf88905cedf

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU.exe

Filesize
201KB

MD5
45b2cd945920582aa29f97f4a30a63ae

SHA1
368fd11c183d57967d22e70215e94d50c9ac68e6

SHA256
a7fc1c27de4e6b0628595298ac4caa0980a66054efdb85e49d92a4a1077dc3c7

SHA512
523245aa1e5b8b737c6e60d58a507ef0d76935f1ef284906849f3578eaf9a7e09d1e83be25e07ae87d25d78b7d085a98367f28c1f51686d34fde05df06f9570f

Download Submit
memory/1628-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads