bdaejec | aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
Size

899KB
MD5

66bdd4395672267e01f4dfdc12bfb140
SHA1

bc6e038dd193b34a155c53f8eea8eaa5c1adf661
SHA256

aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612
SHA512

c2eb33bbd03727eb1692b80efc02cc7dcd250b74f6d5b181b1b0f57bc60b421740116c5d5e2caec59796fbbb1e46de3422f09a4a932988ba7be46a085cad70f0
SSDEEP

12288:Aaxr7vr7fYnPHv3jz/jDnTnbPr7Hf/TLzAHr3fP37bv/4wDvbwt2ThTA0eOzkv4d:Aad7PThXJkQFMhmC+6GD9Yuu1OUjezCu

Score

10^/10

bdaejec xred aspackv2 backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/2688-198-0x0000000001150000-0x0000000001159000-memory.dmp	family_bdaejec_backdoor

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000016d6f-56.dat	aspack_v212_v242

Executes dropped EXE 7 IoCs

pid	Process
2628	svchost.exe
2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2552	svchost.exe
2096	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2688	hYQTRm.exe
2684	Synaptics.exe
3036	._cache_Synaptics.exe

Loads dropped DLL 12 IoCs

pid	Process
2628	svchost.exe
2628	svchost.exe
2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2096	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2096	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
2684	Synaptics.exe
2684	Synaptics.exe
2684	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	hYQTRm.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	hYQTRm.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	hYQTRm.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	hYQTRm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	hYQTRm.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	hYQTRm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	hYQTRm.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hYQTRm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2880	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2628	2416	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	30
PID 2416 wrote to memory of 2628	2416	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	30
PID 2416 wrote to memory of 2628	2416	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	30
PID 2416 wrote to memory of 2628	2416	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	30
PID 2628 wrote to memory of 2596	2628	svchost.exe	31
PID 2628 wrote to memory of 2596	2628	svchost.exe	31
PID 2628 wrote to memory of 2596	2628	svchost.exe	31
PID 2628 wrote to memory of 2596	2628	svchost.exe	31
PID 2596 wrote to memory of 2096	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	33
PID 2596 wrote to memory of 2096	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	33
PID 2596 wrote to memory of 2096	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	33
PID 2596 wrote to memory of 2096	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	33
PID 2096 wrote to memory of 2688	2096	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	35
PID 2096 wrote to memory of 2688	2096	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	35
PID 2096 wrote to memory of 2688	2096	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	35
PID 2096 wrote to memory of 2688	2096	._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	35
PID 2596 wrote to memory of 2684	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	36
PID 2596 wrote to memory of 2684	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	36
PID 2596 wrote to memory of 2684	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	36
PID 2596 wrote to memory of 2684	2596	aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe	36
PID 2684 wrote to memory of 3036	2684	Synaptics.exe	37
PID 2684 wrote to memory of 3036	2684	Synaptics.exe	37
PID 2684 wrote to memory of 3036	2684	Synaptics.exe	37
PID 2684 wrote to memory of 3036	2684	Synaptics.exe	37
PID 2688 wrote to memory of 2928	2688	hYQTRm.exe	43
PID 2688 wrote to memory of 2928	2688	hYQTRm.exe	43
PID 2688 wrote to memory of 2928	2688	hYQTRm.exe	43
PID 2688 wrote to memory of 2928	2688	hYQTRm.exe	43

C:\Users\Admin\AppData\Local\Temp\aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
"C:\Users\Admin\AppData\Local\Temp\aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
    "C:\Users\Admin\AppData\Local\Temp\aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\hYQTRm.exe
        
        C:\Users\Admin\AppData\Local\Temp\hYQTRm.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4bd721bd.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        
        PID:3036

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.1MB

MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B8D5F38.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bd721bd.bat

Filesize
187B

MD5
8aa718ee93efb771085b9daab6a9edb8

SHA1
a83bf3fb2d1b81bd50cf75e7b6f3d5a5820a59bc

SHA256
1b49e3ba866768cd2f82c60247b411c1a48d766436059be0a068a0fb4e889a81

SHA512
3ab7230ce0b7a51e55c8513142203f07b11447e35a27449af23a58708209332849ee9c40599cec3271ac9d844f3652ccc2e9f85003d00bdbefde156fc2fa2c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVzSB3tE.xlsm

Filesize
21KB

MD5
27b215801c7ff3dd4bef80fba6c7ca25

SHA1
b00662b7677d8c8090762bf40470e271747ace66

SHA256
956936cb6411918a6545194f50130988392b8f02a47aa51603506290030f45b7

SHA512
904b4be758be6297f27fc8bc1c675d4f96e045683f71720df9247385eb924cf7cde3e50561871c35c7812080dc4830b98d1dfeda475049e285adeaa86abd4390

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVzSB3tE.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVzSB3tE.xlsm

Filesize
22KB

MD5
73d6dad93bb808d7d0096198f33a0936

SHA1
3268887f3e2fd73e5eb03646e683171788144bec

SHA256
7011193d457053d7846db38bbcaa6588e55631e4cd283c89aedc17f482de9f86

SHA512
0b8f0af17cc55d7f93e05ec7b6a453531c313a165ca123abb555cf20f1706291f5de61766b7220c17775e86600a5cd0303a4643997956fd0fea798cdfc67f8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVzSB3tE.xlsm

Filesize
22KB

MD5
44e7918a02704e242cd97b5d2ce4703a

SHA1
38efbbc2fd2563dd67d672a77c864cc160527fba

SHA256
4f89bedaf95957f5e2c1fe5d3ed001ab0321f2fb0a7ab9bb5d41cc5756ac6fbb

SHA512
29413cbb845bef856099ea3ab140b869393d85b5465d245aadead3af8fe77995069cc3f104771bf2caa83a96d8e979fd43ebd356dd4973d72856a61d4cac7d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVzSB3tE.xlsm

Filesize
23KB

MD5
b65c0071df162c55a1b81d0d2cb51077

SHA1
2071cb86e0345fa3510e214f22da5843013af75b

SHA256
6807a68fa8107416daf397bf4756c163e5245f3060b7a525f0f659729ff7875e

SHA512
1e135356f674963ee329a84174a31504c5cf071988ad0b219e04c1b3684a5951ac4e82c5ec241e1471cf822df497cd6236001c13132fe8c815d010bf92a0258c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVzSB3tE.xlsm

Filesize
24KB

MD5
fa5391fa1441dd8a6048509d95fa0459

SHA1
8fd13cb96dfd156ef1a894c6532b083872e5eb2d

SHA256
24be72449076cfe765a1d303a01926b11fbb9185fb5f2448ad5b3fc3e7bf9bae

SHA512
f7e04e9632723aadff081a93c6e520d693493ffc196106b8925c6dfed764e67786192ffb83da2fc05e7dbd938053978a65d7f2ee42335982225e021cf44abdec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVzSB3tE.xlsm

Filesize
25KB

MD5
fbcfc195c7c7ebc15cced5ed90e326ef

SHA1
d238a1f056b208a967958e4b1f043e4f9766a6f0

SHA256
72fe9ae45acf90bad9003b661f26dfa0b60fe1bd1c7921974959da9c04cc1966

SHA512
ffb1ea77cafd4cab0e578ce8ba6b08d417a5364e23cfbebcd9b582283f0cf10e5066d1d7f8cf2e46bf17ad6b98a74d6305cb068a7b571673dd07ae93a1274a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYQTRm.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe

Filesize
108KB

MD5
838c86c10651a998d6b5bbefdfe0e057

SHA1
85b8e551bd52573971dcd535c49b1041cf1f787b

SHA256
7ee62526c811e92685adc487e96ce65f7cf803b09d7805a3696e021dfdbd3cab

SHA512
5db840904ebdf9cbae64b580577f544f4c3cf8c3f37a743e74fcc1d53525c5e67d3c7af4a6e7a1281f3199b7f5c2e3e8521c4b3bcfdd18cac0146e1c5f902f18

Download Submit
\Users\Admin\AppData\Local\Temp\aaa3be69951ce3c7ecfd3b8fcbcabce1a3dfd7286842b29561c6bfe253c89612N.exe

Filesize
864KB

MD5
113b5ddce3608d1a82553204b9618db0

SHA1
d392a7875368c481320679d4df59abe1547d4775

SHA256
dff9369274b5c2e386ff3460976d30583c2329f2db3d101502f65b4bc91bd60a

SHA512
979bcec6d8cdb4f78c9e44b3c55d74f3ac33f4d337f16d27e2b3059c5a396e378c732ff24dde705972d72aee6c3c5a61e57974a80560594838be2ceee45d3229

Download Submit
memory/2096-188-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2096-278-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download
memory/2096-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2096-54-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download
memory/2416-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-195-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2596-17-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2596-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2596-42-0x0000000003ED0000-0x0000000003EF1000-memory.dmp

Filesize
132KB

Download
memory/2596-43-0x0000000003ED0000-0x0000000003EF1000-memory.dmp

Filesize
132KB

Download
memory/2628-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2684-196-0x0000000004120000-0x0000000004141000-memory.dmp

Filesize
132KB

Download
memory/2684-199-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2684-75-0x0000000004120000-0x0000000004141000-memory.dmp

Filesize
132KB

Download
memory/2684-277-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2688-55-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download
memory/2688-198-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download
memory/2880-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2880-182-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3036-82-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads