babylonrat | 23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe
Size

2.3MB
MD5

86b78d0385dcd977ec0bb2d65a11611d
SHA1

d756ae4d08c2bff65455a0a4699436594cb57396
SHA256

23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358
SHA512

7ae019ab651ec23b3b98bb86af992e2cc44bb5dbec3d8f29278d2fb994fcca679842b23e985b4361af9ebe47771dc989a8aac2a4c2392acf4cfed4e1c36f83c9
SSDEEP

24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWt+:Pr43o67TrXIqjbcS6vJT6Wt+

Score

10^/10

babylonrat discovery persistence trojan

Malware Config

Extracted

Family

babylonrat

doddyfire.dyndns.org

doddyfire.linkpc.net

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Executes dropped EXE 1 IoCs

pid	Process
1068	ComputerBalance.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe
1972	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProcessorDistrict = "C:\\Users\\Admin\\AppData\\Roaming\\ProcessorDistrict\\ComputerBalance.exe"	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 2576	1068	ComputerBalance.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerBalance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2576	vbc.exe
Token: SeDebugPrivilege	2576	vbc.exe
Token: SeTcbPrivilege	2576	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1068	1972	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe	31
PID 1972 wrote to memory of 1068	1972	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe	31
PID 1972 wrote to memory of 1068	1972	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe	31
PID 1972 wrote to memory of 1068	1972	23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe	31
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32
PID 1068 wrote to memory of 2576	1068	ComputerBalance.exe	32

C:\Users\Admin\AppData\Local\Temp\23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe
"C:\Users\Admin\AppData\Local\Temp\23b101ef7ee302d8ef4fb86266343f54a7d1250080a68b3aad7f7fd1bdb78358.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe
  "C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

Filesize
834B

MD5
543ff9c4bb3fd6f4d35c0a80ba5533fc

SHA1
e318b6209faeffe8cde2dba71f226d2b161729af

SHA256
40c04d540c3d7d80564f34af3a512036bdd8e17b4ca74ba3b7e45d6d93466bcd

SHA512
6257994ac1ec8b99edcf0d666838a9874031a500adac9383d9b4242edc6c6ffec48f230740d443c1088aa911a36de26e7ce3b97313e3d36b00aede5352a8cf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_EB45958463869A839B2E6A0ABE8A149F

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A89DFCC31C360BA5CBD616749B1B1C5D

Filesize
71KB

MD5
70ded9a2a6cfe1b02b5f8125e1130217

SHA1
29fd7f0bec45e6bf5385a7676e35d0bb677ae1db

SHA256
108ff73f2b347b12802395016abeccf4cf78aa12152e8cafc8330a6e50015cfd

SHA512
d5a77037f7581be7083af1eb49b26b337ea331be16e58b4da5188f167c8177e131914dfdae60663ab28b7db6d4af7e9a2ec142213a5b95edc687b51ae3cb53e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
80605950327db695ae861c19f61d4d9a

SHA1
cd31b02a2ec4fe27ef67dba6c00a81a6616a0228

SHA256
9d54f0317be8e33a6cd73123c32d9bd1bb05f2a07351c784c022ad1d24601646

SHA512
f4d8a9283255c28c26ac12b748cd426abc1adc2e288f82b332dbc4b9071d258553e6c51b90ff5e0b6997ecf3c162d5e23b1bea6669a03e90c1426e331d68c8e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
e1f7dfe7aadcab7e0154b857d1f54ea7

SHA1
d9d1430c15e067b73eaafa3bf923d9d1a63fe18c

SHA256
d06905c019b361097b6a58fd378574fedb582abd09e5e2aac6ee8cd11b4d8b74

SHA512
9faac8e6dd0439132eed9e1a1277e50ebf013a6c487746fb242c463709d1e6bb8e442d6a7f19852ddd18a686c1e5be46e69c01c22cb20bc15bbbc86d67306ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c38e0d38081fbb7a44a5a4728c712f8

SHA1
aafa6f24f517483a6c941a632dfd67634d90d105

SHA256
f6930cd6cc0b89e3d438f6b5e6d0630405a77777737e41e8e7cfa91113f1eca9

SHA512
09fd69e8cae62068d41d8830509a2d309737642bd1734468f295a76a7e7580e34569d2f09a7437c208c1bd43c898e2109ea55b783676f4b35eb4cb3549c6cad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77b2995676fd11e4023143536b0eeab9

SHA1
856785fd6d0931d1af7711caa0b8b232ae7050f1

SHA256
d0fc849087646903796cf65baf722d6118f5ca9a719029b511b21230f25abc24

SHA512
fd7882cb9082271bacf6c23388e03e2a19b4251a075f239e6b095381d2f2bd6c1c6209f57fc97a9cbc16cfeb4cc6c15e194f474f2827848d64509030891fdbaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_EB45958463869A839B2E6A0ABE8A149F

Filesize
394B

MD5
6e7ba0d68e09e9511b114137be023173

SHA1
678d00ffdf83624df0063f6f29de59f8838dbcf4

SHA256
8ae91ac4685531cf5c693079a6368f68ea2311123bf8700f44198be37c1b9292

SHA512
fb3dbdc38ea28d8f61f43b189e5e64c402d4e7948f31e51b38b4065a18f8f602e5961041a0bd151dc8e4cb9a73d4c0f364cf333c6d6e9c1125330ec47714a0bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A89DFCC31C360BA5CBD616749B1B1C5D

Filesize
170B

MD5
8c6b3d262a21d3fcc6d23bab4be01826

SHA1
c9a89d4577ac0033fd80f4f817d534d92d9d746b

SHA256
d4ff2d4caca96b5729ed1aefab5055b054b7571c3635028f13696341a5febdce

SHA512
b6fd5203467d08eb58380023177369a06330831bf83fe952158f47cdc389b2b97fd60583c0d444f4317934535afeb25ce187d6e5ece4e335838099f9e7923144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
187056a4ba20e647433f657cbc4f102a

SHA1
79b8903d73788da58d0439c744c689d2dc30d28c

SHA256
12e147eef57f3d2c8afee6fd9e7512e3cec24a9048539b287049170df3adc7d4

SHA512
16871b9153b20edbe73e2a09e8f1478206b862d0555d4764826d451b679c0e796321f170a56b248bc4a21ae82c1801bb8f7bbb494cff4de1ddeec628199634a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE7A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE8C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe

Filesize
2.3MB

MD5
e0769e3c9d019abcc31be2134484e432

SHA1
cf15feb27103f490fb7dbc024b73eda633419582

SHA256
d72e3d35d4c738e83b43203c1c8d40290028e3b6e75eb597f8c8cc08b33519ac

SHA512
0c99de7dbd838dbb1189d0a20219b93d2a698d486e5c142b0bb985bff67eef6b013fa24db77f0e52fbb85d528f3eafb22a01014c64f4cd94c9f6b0f2fe00f799

Download Submit
memory/1068-189-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-122-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-186-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-121-0x0000000074871000-0x0000000074872000-memory.dmp

Filesize
4KB

Download
memory/1972-0-0x0000000074E21000-0x0000000074E22000-memory.dmp

Filesize
4KB

Download
memory/1972-108-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-107-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-2-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-1-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-119-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-198-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-188-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-190-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-193-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-191-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-192-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-194-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-196-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2576-187-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads