xworm | fc16219abe3f5272052e7238be66431e1d1b3e7d2faf996c701ce576cce74290

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloxstrap-v2.8.1.exe
Size

11.2MB
MD5

5d16971f4e0d6e5f99d18d28672cc621
SHA1

bcd7f4fe26313fe3ced6ced1f5952d6429fac416
SHA256

fc16219abe3f5272052e7238be66431e1d1b3e7d2faf996c701ce576cce74290
SHA512

fae8a171467bb1e33f4920f93a9defdc5743d478d5c90446b43132ea1d45aaa7edf1ebbfce4b8ed27a8a70c9197492a4dc7694cf2a411a46f563b28dcd5668c9
SSDEEP

196608:ISHBLJKbIWxA63vYjVQ4SvrOXvH0RG1jT7ub1EBKnQtD794BYb:FBVKNAGvcmTWUc1jT7FKnyJ

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

192.168.68.139:2068

tell-outcome.gl.at.ply.gg:2068

Mutex

SXJOPv2u5QpF0aEa

Attributes

Install_directory
%AppData%
install_file
FileExplorer.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000186f8-10.dat	family_xworm
behavioral1/memory/1872-12-0x0000000000FF0000-0x0000000000FFE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
1932	Bloxstrap-v2.8.1.exe
1872	XClient.exe
1240	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2668	Bloxstrap-v2.8.1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FileExplorer = "C:\\Users\\Admin\\AppData\\Roaming\\FileExplorer.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2732	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438460308"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF676021-A8FB-11EF-B729-F2BBDB1F0DCB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000ba6b9be8ab81111425f2b715e9083edc33f1cb7ab309189df0705a75671edffc000000000e8000000002000020000000cddd08a7004151bb954ad3ce1a87b4a7e8a58408cdaa8b15f9884b9c7501f83c9000000070307c4bd2562bae99a3dea527a6344ac42f05dec56e47fb3e10252dc09b0d8cc857987ebe2d1f3e4a1812813283a51829666d78dfdcc241d08d60c9d5b098a4f96dae937151eede8acc33be198120ad6c59654662c8918efb65a86315dd1fde3d32b9bbfd158a1859a42550e5e69b600d59162dc107accd3a9e6344f9b9fe4371173c140a925edfbb2e46ce8e8fdf8040000000d41db4406aaba985a321ce5b9f819e00cad9aaba989558c84494acc5b0536c962f75cdfa5b718101e9e73e8ab9b327c3e164bf82be8a7eae5d43cdebf44a21a3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000072d46a888e27f49284618606b1e5e3d7fea96d31594e2e16831cbee1d191abd5000000000e80000000020000200000004d0b8f0f678ab3f6074499bc87ff95b43495f746aaa1e3be7757ae52757ebe6520000000e6aab52a4bfda0890d3112762f1470abcd1d3bb50d3f27851047e8f49b12f45440000000c667576c8b877c40ec91b16ff615a117ac47ba99d21345efc6ddac9ca31709790729a97263a9a70018fde570d7ae4dbf33b047e6395e9dc9b54bcdc58d900d3e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90bff286083ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	XClient.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2732	iexplore.exe
2732	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1932	2668	Bloxstrap-v2.8.1.exe	30
PID 2668 wrote to memory of 1932	2668	Bloxstrap-v2.8.1.exe	30
PID 2668 wrote to memory of 1932	2668	Bloxstrap-v2.8.1.exe	30
PID 2668 wrote to memory of 1872	2668	Bloxstrap-v2.8.1.exe	31
PID 2668 wrote to memory of 1872	2668	Bloxstrap-v2.8.1.exe	31
PID 2668 wrote to memory of 1872	2668	Bloxstrap-v2.8.1.exe	31
PID 1932 wrote to memory of 2732	1932	Bloxstrap-v2.8.1.exe	32
PID 1932 wrote to memory of 2732	1932	Bloxstrap-v2.8.1.exe	32
PID 1932 wrote to memory of 2732	1932	Bloxstrap-v2.8.1.exe	32
PID 2732 wrote to memory of 2740	2732	iexplore.exe	33
PID 2732 wrote to memory of 2740	2732	iexplore.exe	33
PID 2732 wrote to memory of 2740	2732	iexplore.exe	33
PID 2732 wrote to memory of 2740	2732	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe
  "C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.35&gui=true
    3⤵
    - System Time Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2740
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ed054e357a5be58070e114191bc2ec7

SHA1
5efc9144b9bc25e47d62aebf2ae7f76962fdb8c5

SHA256
a8363178379a8964e204b805d3d4ae8906b8d47c4c061af6ac6bdada09c12685

SHA512
c0938abe64a7a289c6a5eb8c91a32579bea065ba96c31dd2d6fdec29b108cba62d59e9f93cc6e062146432ed38d33354c4aff514a3b948ad9025b4bd7e851edc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0daf2f363af1195ef3449d4cdc38439e

SHA1
5bb89b198fde7895780ba485c425a698f1007dff

SHA256
2033ce9d6133179ba2f326439cd79732a6c5dadb92a0cd3e5ee68cb41c4aaf72

SHA512
8fc8100f8861fb9ea279f8a5e26910f0996e2892ff507e7adfe748bc9474b92f1aea3bf8b1e8b0552fa90a9c5ccb9cca31faad46c588807685f02d2a4924617c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
095e81e66f49d659dca49ad5297246b4

SHA1
ecf552946391f66121d4bb017281409419ec5d44

SHA256
e3e9c54993ebe992178af01f1961218289c693f9f2a9a609fd9a182a6172dc2f

SHA512
d1a348a93600f2c02b959a69a40f68584b22f9e5101cc5d504f80fef93b1d4263e01da52aa75d9b9bf7002239b6ce8857e5fed257fdbb084c0da41af094c0211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da530dea194c14e1e64c88a5af3c9690

SHA1
193aec916463cc966bd34170ce00b9d39ff43d7b

SHA256
310d8938f9b6b684edf1866f0695346bef8fe0e303969579ebc3d2fb3954f043

SHA512
2cecfb21028f65484c7fd84ebd560be9e2626288231822ba57a6ba7bf886c155b50e34089a5fc594b1176d0e953e3375052002e8801384b981103802f2f2f517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd7fd5ef7873fe739da366738faf11d6

SHA1
71d41e336e262dde30776977747dac6ab9dfcab9

SHA256
990478c86966178d1bd8e221fc18383ad3d7f2a1eceb0aa351fd6566acfa19d5

SHA512
35d5a3d7b832be6c8c3b71b57422e65fbbde57afbb94ad2c42ab157f8db730a5f25f2716928e67153cc0ea39b465e7744ad5a3b86963735259063515a1411d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ed228c01421afe2e8185b3c4ffe552e

SHA1
86a6b7e9ceb32ae21d260d6aef2a3756d57e51de

SHA256
d3c8bb3108d6a7b9f708aa743d712efae3be297662946643a20adbd9b55b9b39

SHA512
f39d23f68f7c47940da620a0d1f5b6d8d9eec0885b001546276417289224b4664a81dd1f0c64e7a54ab5c77288cf4ebdd2bdb35d12e2ab5f0e36d2b867d8649a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea370c14e034ae8610c8aa4a15f7c92a

SHA1
4c3e1a2b9b1b3cc48b0a7de0dfe08630705130d5

SHA256
db26cb88e5151bdeda24e91011131dc112c0af2b4c4e5ec016a5abf533f98f6a

SHA512
f2cd56ea6d97d805a276b27a2b48a2f106dacc9de28bde8cb960a15481d77e7f3388ecfe0b47f596e225a205aef3224557441ee470f2c539b292314e355fc805

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fc4bd9001feaa009c55201769966a09

SHA1
2cc281e15aec16c81673b3927043ffbe6712d6f2

SHA256
e3d2fd51a764d6b9117d0aa5c96258a5c94ee4b81d66d241cde22b9e30152037

SHA512
122916cc5a493e959b52abb010c0fcad0b80ed08424128ba3a370c87599081ba85da9fab77eeac56802d0f821beb0fdcf873a4c9b5a108c8cc633fe4c72e0036

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a6977fd117fb4b2336ffab959756805

SHA1
72e45c4e523475b7aa2bc83b04f2f8045b347feb

SHA256
fd510d3108337595ae5488ce07a9fd83cd10fa0bd052a0a0919d9d36ab3155e7

SHA512
0a1b93f10bb7539ca3c58d55239513a31e7843bd3990015aa9f5899b6d19a6fbd1788f6dad81816349989d7d9a936f6a09fe4dfc5a777977d416359f88e8144e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4786bedc01dce75fb3ead3b1031cbf4d

SHA1
c7942403c90cb9336a2dbec5f401ff991127f298

SHA256
a9e2f6233e8991a91868e18cd254729f5376b8ee057548b0ff031b0afb51d2e1

SHA512
98b0a8ee0ffbe29009008141c55ecefa65609897e6b07cf9eabc371d0a206ed4c25865faa82907f198314e9fd24d21d0425fd762d605a5e0ec0ad14e25c3f682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dc64ad5e4e5cde4192d199671f8be5f

SHA1
9f6c8a8795d5ea9b0301214d6aa2dc1dbada58cd

SHA256
7968b8d05cd56284ae7cda47690a86cdf75959bcd9ad3227138f3e16e2cc2a63

SHA512
599776783e38d22472002e6338686ab4e290eff5d7f5a96dd851984c3336d537ff3b357d5eaafb29e653b2607d124cd0d2f9019c57689f91a573d3994e69292e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0180b90e231eaea5ae7ae5cdb5738a11

SHA1
d65b231b20884132652b77b65c5be8adcc7999b1

SHA256
64521a4b16163a6c996923a7bd541c9d1dd16dadac0f377032c709140abd01e4

SHA512
97f6e28cdcfb4dd9ba127faf15e50c12d6357c71aa595ef8d3009e49f148a815634f27645b51283f057d295cbaecd06d76a6f7812715ced56fb9612402ab62b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c70e1e082438c3941e5d48ad3df4a7a8

SHA1
cd21368d1ea4f35846b80974be26974c0403583b

SHA256
50c848764887fffa21d02b9a5fe1ea5b0356862f81831837bfb435ee2f3c3763

SHA512
955a82c3fd413753082bd710fa43d593359f503b79893af4ac03dd3bb326e5a6e5226cee16371c1ba896c53d9950794686c211d8eb2321ef584393f02b2f6e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67f69caaae2274f122cec46b38e3d648

SHA1
b2ede2b47fcff8373cdc87aca16c80e6eaf2da87

SHA256
5cefbcae62ff6f29efa5b589123ddaaf4dfa1ecf2012c7f6b7bc440cd98fb99e

SHA512
b50810c40d54e7e1a13fb5f49484d73a7d06e538be4b1dba46e7aa66cc2e5c7bf002b422101bc1b5c810e387de84388d19861ff7692d3f0567acb32406a7d2f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0484636a7ed663ff9565ba28bf780746

SHA1
32b63f9842014761e623be9d790db1934e326dd1

SHA256
916bd862c8c5953c2b0b1edcfed3cfb00a780e5ab94196b4f78cb42df8a1da4c

SHA512
09be4b13d5825120c5c4e53a39612e487074d8bca6dfafbff579d26eda992023b044869912b793ed1d7f2d14da34aa49eec5f822abcb22cdb63fd35b186de051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a99ddec0a81a6afb9c2d3f073b939344

SHA1
431994bbee6102ea8c42e2da9c58876934b78720

SHA256
6422d3d1b308fb6144ecb3e1a67db196da5fed0342f4a58892b62e8d68f44671

SHA512
d73ec3ce9a538633a5b35ed9d7c788580891c41c283a537ad5cfed3cac87a4fb7c292ec271b3c0c78abecbcdfa009e49c0060d8276e6be29285eb9400b61b89c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9153d41446fcb335abbdc7ad95afaae9

SHA1
76694db47fac8a9cd77a2a16714560c28552df08

SHA256
b6492ffcc064a9bf11b19eb6eea3a732a114d34682012360156da0931701ed4b

SHA512
03fdea0835b13176dd4bc00b26441f432a4f3ffd4032844c7ca502741640be2c35c575dd9560206abd8185a1e1897c4e968462d2d7295c99bc977ff9ae508c19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8c73c7cdb1e5b934acdd123b92e6368

SHA1
2d998b83f2b55918b9f91c72bc49428cca26f164

SHA256
77e62b62d1c32175122f12f2cb5ca8384f4758b742983a03b0cbeb159ecd1281

SHA512
79d47da9a291644ad1ae34589fc910435a9fa212722d2bc1487941b733f857720062e27bdea8de049be9452aa42537f40c52743de08a8bfb1220aee8f1e9af3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ddd808d06669d2ed4884fa81423a264

SHA1
9e8b55a641b2e3d224e040082a6dd86b031c384d

SHA256
211e3bdea6bbdf3bf2f9a2d0054b262335680ee62e454bf58f7bce652ae5693b

SHA512
17a52b1de4760d72ecc92bcdab2ae1064fc9c10c1f123b9076b2ae87831892a3c136161638585f02998a7e0b6bf9ed4eb545ab55bb0073972d2ce3bf5a6c5aca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96d3ce2a1c6070fca4d8d5d9ee6ec7dd

SHA1
1845165ae8f6b16e8587c379163ae081a9840b23

SHA256
5662ae299b2458ecd9d8a8c9461d9d4e1fcf56fd4069773483916debbe1ef157

SHA512
d82f22f6de071917c31bf931d2d17473787d02a1317d4b91c24d69c4fbda18ca79c070fda8948c2d67c8d48460777644c9b82e35689ec3c0d773675fd174a048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f426bf64c3d3f23e853c6ff0a4ead45

SHA1
cf493a6b459ea862b98dd58d200838a63993d35c

SHA256
ff1de248d50ee052b652a43cde749366434b7f913fd3fe062090df2214edfda2

SHA512
f8df4a35c1b34740fe3741039afb67f828d073828341d9059bfcc8c8925a868da14979aa0e5ba180e2bb941e738c142f2447a3aa8644ad6eb990fb2b709d6a2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc6ac937322e541d8771c006c4077f22

SHA1
b350c4f97aec7b06941d8c0addec06f55da9641f

SHA256
50a48921fcdd1810b2c0d05bc67c0c549ee2444c05a7fac887c0fcf3e4a0ea0f

SHA512
7b9506e8040225fecba9b49e0d812ce076c86ffb6721afd581766577b7d927247c5aa0e89874cbfdbec5e9a0216a8cf0a477a884dd98cfe0c40fb10e1e250693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1052420ea5d72f0532af66b79e8e2f67

SHA1
e3b29a2fa72507dcc2baad576c7f57bbe5d33443

SHA256
0f27633c2469e8786bf4646d6dae59c8c5f6eadf77c87408f5f33d3249de3503

SHA512
81c909dc8c0a90afdaae5e4eb78cbd983dd62fced192bcb6fe6189c1f6d6fc6354725d8e454360e9af3478025f81d8ffb23d8cc97e0038ba51ca9de6f16d6f1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c113280de78f95f0501b9dc75d464f0

SHA1
d5fa0774e1914b6036af22786eea27b75f19b57c

SHA256
486520829ae654865a272286e51f826213caff892cc7d53917feeda6aca799eb

SHA512
beb0ca7e31de2ae20252634b8750eb36365e7d18c4242c9e53b17b91dd1786acf2d078b66efeaeace1c426b20c0e1c0f0b7ac41dd0f3650b6ebbd3e690537baf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b812aa39d69753163e4e3931aaebc6a

SHA1
eb1431945dacf03fe49179871ac31365a955da34

SHA256
25b4e5a3d50d389437f784401b89e07215e55d25f5b2c87c79f0566c3486ee33

SHA512
3d277a45492ebe5bc37525bb1530dee95419f560dcec09726d518e8eb27f50f918fde46a75275fbbbbb92664e238a7607bfcf106f0806446f56a54f7b3c7aba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48323b934aa0c9cad8f245bfc03a1c6a

SHA1
76a09e246f17eb46d360b2e71915f2ab64ecc00d

SHA256
c6e7a7abc1c1c44e5bb168c6df6c208e032e98872a02eece2d7d021a3585be22

SHA512
fe0c888061867a82e7c79fc8b00dfce8198b205067f4835254b430633993405ed46769b15ea2209a6ad89e53c670997180fdcd0358044eec3958f1405321739d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85c8919f108f1453db67384c06d3d6e0

SHA1
bb1781afb82d5810b50e4c048ff794ff780d1a26

SHA256
a0e99dc85ffd65c68368779a7fe7329ac726e9c26d6d1d6aca90238ebbb065fa

SHA512
8ef5c3f6ec13dff4ff3ca432c729af884ab2c250d7cb465747fb0f23c4ee9cf0b1c0c3da4bf8f349aebae36fbef3b5543b2bb5285eb7cb3b97358b1bce74567d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2526c0ad54ead6973e5d4a729e102cd5

SHA1
89ed68b3b28f9fb48f6bbe30a336fcf2fd2ecdc1

SHA256
aa0d9c071c9ac2783386a0c129606f892976cc3b5f77db33cf4118e7273c804e

SHA512
c6a920f96278aa833284b982d0c35ac7f99f02d880fa3d5033e9d7c3af3a7a6e932b1a2b17db833d98c040f4e0c6106b3b5b1f46a0da3aa64b8384913fa44681

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE78.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF74.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
33KB

MD5
edd87a78e02a4c11c82bb8ccce9815d6

SHA1
a5c6753e71e4d4ad83325c60ec88780471297272

SHA256
da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b

SHA512
3bbdafa95291ac1df2fb4545f9f3818c1a5b817a4d6f3dde182a3996e71d2fd118df1447ddaf855c4432b8bdda454ae0aa26a31c4333785f87b744f34492a4cd

Download Submit
memory/1872-102-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-16-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-14-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-12-0x0000000000FF0000-0x0000000000FFE000-memory.dmp

Filesize
56KB

Download
memory/2668-0-0x000007FEF6113000-0x000007FEF6114000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000000E00000-0x0000000001940000-memory.dmp

Filesize
11.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads