f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903c

General

Target

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
Size

206KB
MD5

2f8441bc4045d18e7d474b1df005b570
SHA1

000e2f70084f4c26163603f7099f1f172a903566
SHA256

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903c
SHA512

4c7ef5504862ed94ae5cfdb2380cc47ef99c9cdf0225e49dbafa228040b28214ba46b93414f24e8b80e1ec865278c1477b5b87d74a8594777bec268ed61315ab
SSDEEP

1536:NdF6Y9JIXfLrhoCMI7C98AIaAekdAGDYEasJqkUssXOcfaAJzYU4r/1CbSYlIePV:NR2FoCMI2aAIam1asJjUfFOderYRHQ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usaf5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

pid	process
4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
1192	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 2 IoCs

Processes:

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\UsaShohdi.asu	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	C:\Windows\SysWOW64\UsaShohdi.asu	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

description	pid	process	target process
PID 4120 set thread context of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

Drops file in Program Files directory 64 IoCs

Processes:

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Java\jre-1.8\bin\javacpl.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\misc.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\SETLANG.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javaws.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\msoev.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\jp2launcher.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Client\AppVLP.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\uninstall.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Google\Chrome\Application\chrome.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\javaws.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\misc.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSOUC.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ORGCHART.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Mozilla Firefox\updater.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Client\AppVLP.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\javacpl.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\msoia.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\msotd.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\POWERPNT.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 1192 WerFault.exe f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

pid	pid_target	process	target process
1080	1192	WerFault.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exef5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

description pid process

Token: SeDebugPrivilege 4120 f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

description	pid	process
Token: SeDebugPrivilege	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exef5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

description	pid	process	target process
PID 3444 wrote to memory of 4120	3444	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 3444 wrote to memory of 4120	3444	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 3444 wrote to memory of 4120	3444	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
PID 4120 wrote to memory of 1192	4120	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa	f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

C:\Users\Admin\AppData\Local\Temp\f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe
"C:\Users\Admin\AppData\Local\Temp\f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
  C:\Users\Admin\AppData\Local\Temp\f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
    C:\Users\Admin\AppData\Local\Temp\f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa
    3⤵
    - Executes dropped EXE
    PID:1192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 80
      4⤵
      Program crash
      PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1192 -ip 1192
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN.usa

Filesize
105KB

MD5
5a559b6d223c79f3736dc52794636cfd

SHA1
5c4676b37fcd49990d21960a2df57af72ceef29a

SHA256
6f201afc797370ac6e33fafec41a794a2eb44c1bfd7d9079e3633ebe7bbb41e1

SHA512
7a12510fe2104a1860bccdd12d96449eb8b02e30f9757bf3fbb4aef3373c710afbaef380ad7f4b1f9fa8129d8bdc096b8f16cb6b1aada0495dba80db33fb9ce2

Download Submit
C:\Windows\SysWOW64\UsaShohdi.asu

Filesize
206KB

MD5
cc7d1f86828f7565526374f1fc181a26

SHA1
a4c7c41944c2bdf542a35277ec3bc0aac5d3863d

SHA256
922bd40f2ce9f5e2541fb0ae59800777db0a2d1fa78dab0da852c7192de907c5

SHA512
ff7ebcdc19ec1831181184968f462ab5747fb4ed9606f3ead256e0be225484c2cabafb9a977f45953b8175f90995d544e63c3091f2e8f27410ea79136e7a4643

Download Submit
memory/4120-4-0x0000000074A92000-0x0000000074A93000-memory.dmp

Filesize
4KB

Download
memory/4120-5-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4120-6-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4120-16-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads