gh0strat | 48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
Size

3.1MB
MD5

5286bdb9041867beb47e916e4f69b1b5
SHA1

4d4ecbb6f3f0fc305660caca7a57decd156a5fc9
SHA256

48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54
SHA512

61932b014263fcddd5e42061fc3ca7a4074b552d9775bd080bd1e3102738fef6d3db654d8c14c6b638d706fed8183b67a9cc47afb239afe028b536dfafadb514
SSDEEP

49152:RCwsbCANnKXferL7Vwe/Gg0P+WhjtDsLnsHyjtk2MYC5GDe/Q:cws2ANnKXOaeOgmh6Lnsmtk2aRQ

Score

10^/10

gh0strat purplefox xred backdoor discovery macro persistence rat rootkit trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2816-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2816-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1936-45-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1936-44-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1936-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1936-50-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1936-70-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016ce0-6.dat	family_gh0strat
behavioral1/memory/2816-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2816-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1936-45-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1936-44-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1936-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1936-50-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1936-70-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259436183.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00060000000195e0-137.dat
behavioral1/files/0x0009000000016cf0-148.dat

Executes dropped EXE 9 IoCs

pid	Process
2104	R.exe
2816	N.exe
2832	TXPlatfor.exe
2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
1936	TXPlatfor.exe
1316	._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2912	Synaptics.exe
2804	._cache_Synaptics.exe
2092	Remote Data.exe

Loads dropped DLL 15 IoCs

pid	Process
1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2104	R.exe
2068	svchost.exe
1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2832	TXPlatfor.exe
1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2912	Synaptics.exe
2912	Synaptics.exe
2068	svchost.exe
2092	Remote Data.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259436183.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2816-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2816-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2816-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1936-45-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1936-44-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1936-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1936-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1936-50-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1936-70-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2780	cmd.exe
320	PING.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
320	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1224	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
1316	._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
2804	._cache_Synaptics.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1936	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2816	N.exe
Token: SeLoadDriverPrivilege	1936	TXPlatfor.exe
Token: 33	1936	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	1936	TXPlatfor.exe
Token: 33	1936	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	1936	TXPlatfor.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
1224	EXCEL.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2104	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	30
PID 1300 wrote to memory of 2104	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	30
PID 1300 wrote to memory of 2104	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	30
PID 1300 wrote to memory of 2104	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	30
PID 1300 wrote to memory of 2816	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	33
PID 1300 wrote to memory of 2816	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	33
PID 1300 wrote to memory of 2816	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	33
PID 1300 wrote to memory of 2816	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	33
PID 1300 wrote to memory of 2816	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	33
PID 1300 wrote to memory of 2816	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	33
PID 1300 wrote to memory of 2816	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	33
PID 2816 wrote to memory of 2780	2816	N.exe	35
PID 2816 wrote to memory of 2780	2816	N.exe	35
PID 2816 wrote to memory of 2780	2816	N.exe	35
PID 2816 wrote to memory of 2780	2816	N.exe	35
PID 1300 wrote to memory of 2856	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	37
PID 1300 wrote to memory of 2856	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	37
PID 1300 wrote to memory of 2856	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	37
PID 1300 wrote to memory of 2856	1300	48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	37
PID 2832 wrote to memory of 1936	2832	TXPlatfor.exe	38
PID 2832 wrote to memory of 1936	2832	TXPlatfor.exe	38
PID 2832 wrote to memory of 1936	2832	TXPlatfor.exe	38
PID 2832 wrote to memory of 1936	2832	TXPlatfor.exe	38
PID 2832 wrote to memory of 1936	2832	TXPlatfor.exe	38
PID 2832 wrote to memory of 1936	2832	TXPlatfor.exe	38
PID 2832 wrote to memory of 1936	2832	TXPlatfor.exe	38
PID 2780 wrote to memory of 320	2780	cmd.exe	39
PID 2780 wrote to memory of 320	2780	cmd.exe	39
PID 2780 wrote to memory of 320	2780	cmd.exe	39
PID 2780 wrote to memory of 320	2780	cmd.exe	39
PID 2856 wrote to memory of 1316	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	40
PID 2856 wrote to memory of 1316	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	40
PID 2856 wrote to memory of 1316	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	40
PID 2856 wrote to memory of 1316	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	40
PID 2856 wrote to memory of 2912	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	42
PID 2856 wrote to memory of 2912	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	42
PID 2856 wrote to memory of 2912	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	42
PID 2856 wrote to memory of 2912	2856	HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe	42
PID 2912 wrote to memory of 2804	2912	Synaptics.exe	43
PID 2912 wrote to memory of 2804	2912	Synaptics.exe	43
PID 2912 wrote to memory of 2804	2912	Synaptics.exe	43
PID 2912 wrote to memory of 2804	2912	Synaptics.exe	43
PID 2068 wrote to memory of 2092	2068	svchost.exe	47
PID 2068 wrote to memory of 2092	2068	svchost.exe	47
PID 2068 wrote to memory of 2092	2068	svchost.exe	47
PID 2068 wrote to memory of 2092	2068	svchost.exe	47

C:\Users\Admin\AppData\Local\Temp\48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
"C:\Users\Admin\AppData\Local\Temp\48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:320
- C:\Users\Admin\AppData\Local\Temp\HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
  C:\Users\Admin\AppData\Local\Temp\HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1316
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259436183.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2092

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.3MB

MD5
0445d52b514f03eec8e7305e86ba08ec

SHA1
e2f8da8a0e68e9b409289dba3993ba9823d27ba6

SHA256
12fde7642f171352ea88427887f8ea5cbdc75a4e69a281715feb03e1cd978fab

SHA512
2e2e0e2e850abde574e7b35c5d7879847fa3d16d3e2c15d5233027172945b486863adfc61d1709d30b372f88709836b58589ca9338e1de56d39cee85a7c568dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRLlDluz.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRLlDluz.xlsm

Filesize
27KB

MD5
ea187e3df38e0c25c7c927b3cbccbbcb

SHA1
010e656ea7d7b52dd8521a42bcfd204d6f4d547a

SHA256
b3c726a03aba983461a63a111c9b7d0629856f63fe6dc436b923532cc9c5028a

SHA512
d9733b746148f5103de9809fc40f56ef11a648c106f72edb2fdf6b1b4f148f439465a0384288174a3905fa1a1485104e1b5f443042476a50eb2d44ee69f37772

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRLlDluz.xlsm

Filesize
29KB

MD5
f08e3c51943aa8299e634b207b90f05c

SHA1
f6805fd46903c8db66579e51ee236e31a6a02227

SHA256
39fbf15b3cc320ab7761d8356096e4b44041f3a01d8d746f5e8b79d2da532483

SHA512
7c8b218832e889ca2ad7de6bf605baf1a0f012375832592b702420055499194fd5ae67a4ca36d4121c58669916b8ccb6969e13161dd0ec5faff898717e979319

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRLlDluz.xlsm

Filesize
30KB

MD5
2549b4e810a8be74adf9fd23cf3b9f11

SHA1
f72edd3c2d25961553606f87c53f0ae694764a44

SHA256
334fe3a222e42b4360da6a2ab55e4c052366d96909cc9d357dd23eb2021e5081

SHA512
e8b4685d089c962d23aa9fcd9f9c4ba3907d9cf7054be820a87edf88af6baa841a3a97c6816c5032b9537b26eb36c9c71d95cf2ebee81a001402458cbe07e88a

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe

Filesize
27KB

MD5
953e9a0a96753d35e10fb466cf4387a5

SHA1
a85cbd2b507b19b6b546c92d505c3df46a464453

SHA256
75ace23350072600b50db92bd03fa26a3ee3d53aa50a7a93bee4f2346bf60fd3

SHA512
4bb518bc8d75dc8f402d3ae0093e0b39a82e0a1664d066739857eab1369fa93d44985f43baf75e303b915016a6550ebe226dc5c3545516bddaf4ac52dbffe633

Download Submit
\Users\Admin\AppData\Local\Temp\HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe

Filesize
780KB

MD5
81ee1e4e5c7ba69b8aea91fe4f12173c

SHA1
bae1f4d7cf67666e9d3e52f6b107ec3e7873d0b2

SHA256
d65bc856c5d9ed02b20ad7a7671beef5414e69839dbcfa2f8e7230fcaca439f3

SHA512
1d7419205aa40306e2cdf0d0680be30e9d5244278f5a537df895cbafbf3b09a344fcf967460ae2b498c8e5bed15be6fb87b2da99238209482131b6602847d787

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259436183.txt

Filesize
899KB

MD5
ee891a88e64f067b5acf5bdbf59c87d5

SHA1
c4e9a12d68518167740b56509c2dc784a41d90b9

SHA256
0a8132346967e0e819ec8565d4c5cd802bd3c3efc789071ac5cb7489138b74fb

SHA512
3d92a2edb516e5677f94763bd9a20dde665af00046f8731be788e5bb3cac4060aa7ce74036d330db52684fb844b738465166f5541c783c06f00817461ddeb09c

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1224-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1224-152-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1936-50-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1936-70-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1936-45-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1936-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1936-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1936-44-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2816-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2816-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2816-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2856-79-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2912-159-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2912-161-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2912-195-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download