revengerat | def80f5379a616c7985d76932c65e4d35b53287eba6ad964a08a3e9d589be0bf

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
Size

472KB
MD5

04f9cd1f32905fa8282895840e8d3645
SHA1

ac932595c0cc0fb578e08ac91ebfdd829e64d8d0
SHA256

def80f5379a616c7985d76932c65e4d35b53287eba6ad964a08a3e9d589be0bf
SHA512

94832cfdd761f6e2128f0b53ab79be5fb70bef59d767c48f946878c706ee4af5e0d59053ac99b515719b253c37f521d60d2296338285fbb4075c81b061e00ae2
SSDEEP

6144:7SwCUX1hmXi5Zhr9Dc4f4y3u3VwiaVYu5oLC9:751R35B

Score

10^/10

revengerat yeah bb!persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

yeah bb!

xd.zapto.org:1990

Mutex

RV_MUTEX-aawrHJfWfhaRCl

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/3972-6-0x000000001BAC0000-0x000000001BACA000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	Service Host Network Service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe

Executes dropped EXE 1 IoCs

pid	Process
3476	Service Host Network Service.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host Network Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Service Host Network Service.exe"	Service Host Network Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
Token: SeDebugPrivilege	3476	Service Host Network Service.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 3476	3972	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe	91
PID 3972 wrote to memory of 3476	3972	JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe	91
PID 3476 wrote to memory of 1412	3476	Service Host Network Service.exe	92
PID 3476 wrote to memory of 1412	3476	Service Host Network Service.exe	92
PID 1412 wrote to memory of 4032	1412	vbc.exe	94
PID 1412 wrote to memory of 4032	1412	vbc.exe	94
PID 3476 wrote to memory of 3444	3476	Service Host Network Service.exe	95
PID 3476 wrote to memory of 3444	3476	Service Host Network Service.exe	95
PID 3444 wrote to memory of 3288	3444	vbc.exe	97
PID 3444 wrote to memory of 3288	3444	vbc.exe	97
PID 3476 wrote to memory of 1168	3476	Service Host Network Service.exe	98
PID 3476 wrote to memory of 1168	3476	Service Host Network Service.exe	98
PID 1168 wrote to memory of 2964	1168	vbc.exe	100
PID 1168 wrote to memory of 2964	1168	vbc.exe	100
PID 3476 wrote to memory of 3224	3476	Service Host Network Service.exe	101
PID 3476 wrote to memory of 3224	3476	Service Host Network Service.exe	101
PID 3224 wrote to memory of 3724	3224	vbc.exe	103
PID 3224 wrote to memory of 3724	3224	vbc.exe	103
PID 3476 wrote to memory of 2236	3476	Service Host Network Service.exe	104
PID 3476 wrote to memory of 2236	3476	Service Host Network Service.exe	104
PID 3476 wrote to memory of 3248	3476	Service Host Network Service.exe	107
PID 3476 wrote to memory of 3248	3476	Service Host Network Service.exe	107
PID 3248 wrote to memory of 1068	3248	vbc.exe	109
PID 3248 wrote to memory of 1068	3248	vbc.exe	109
PID 3476 wrote to memory of 4592	3476	Service Host Network Service.exe	110
PID 3476 wrote to memory of 4592	3476	Service Host Network Service.exe	110
PID 4592 wrote to memory of 1740	4592	vbc.exe	112
PID 4592 wrote to memory of 1740	4592	vbc.exe	112
PID 3476 wrote to memory of 4256	3476	Service Host Network Service.exe	113
PID 3476 wrote to memory of 4256	3476	Service Host Network Service.exe	113
PID 4256 wrote to memory of 2244	4256	vbc.exe	115
PID 4256 wrote to memory of 2244	4256	vbc.exe	115
PID 3476 wrote to memory of 1980	3476	Service Host Network Service.exe	116
PID 3476 wrote to memory of 1980	3476	Service Host Network Service.exe	116
PID 1980 wrote to memory of 3820	1980	vbc.exe	118
PID 1980 wrote to memory of 3820	1980	vbc.exe	118
PID 3476 wrote to memory of 1272	3476	Service Host Network Service.exe	119
PID 3476 wrote to memory of 1272	3476	Service Host Network Service.exe	119
PID 1272 wrote to memory of 376	1272	vbc.exe	121
PID 1272 wrote to memory of 376	1272	vbc.exe	121
PID 3476 wrote to memory of 4176	3476	Service Host Network Service.exe	122
PID 3476 wrote to memory of 4176	3476	Service Host Network Service.exe	122
PID 4176 wrote to memory of 4756	4176	vbc.exe	124
PID 4176 wrote to memory of 4756	4176	vbc.exe	124

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04f9cd1f32905fa8282895840e8d3645.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5sb7ca2n.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6E04F204FDC41BBBE8A685CBB75F2B.TMP"
      4⤵
      PID:4032
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-1khgjat.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C32.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2127E8CF92A4EE39C35FAE199119B0.TMP"
      4⤵
      PID:3288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ao8ff6t.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6975081C77B547D786F55125B4EB2C41.TMP"
      4⤵
      PID:2964
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2wx3vea.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D1C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E80F3B3E82F41F5ACBC3E8561675847.TMP"
      4⤵
      PID:3724
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bpr-b21g.cmdline"
    3⤵
    PID:2236
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc535EA09E70914D89A234248C683A18EB.TMP"
      4⤵
      PID:3568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\poajmnfb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DC8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EEE7D765507463AB7E19081468CC90.TMP"
      4⤵
      PID:1068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9nqkfzfd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC491A1ECF8842BD9E4128B9A437B17D.TMP"
      4⤵
      PID:1740
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nvzsebac.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3066CBB931F546FD982FDAF34B142933.TMP"
      4⤵
      PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqh1zruy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B3341407F81447F9D815EDA99DC017.TMP"
      4⤵
      PID:3820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xpq99dhd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FCC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6239AC41820047B9AAFF8FCB560E5AE.TMP"
      4⤵
      PID:376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\inounkbv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5049.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7466F81B30941BFB9FD5C32AC8D2181.TMP"
      4⤵
      PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-1khgjat.0.vb

Filesize
285B

MD5
9937274aa9155415413d4e732496b039

SHA1
b081b3ee06832c1b005984e0e6b72094f53c329c

SHA256
088894e20416fa106a18fb2fce336387955fca015e5e85c01849037213c5684b

SHA512
4b01926cb0820bb21370075d573a5d8847b22c8e24fcd5c306aa1b7bb3cbbc49dc7b83e34576bd6b50513a024725bce786b114036b5b2901b90f62ee8937528a

Download Submit
C:\Users\Admin\AppData\Local\Temp\-1khgjat.cmdline

Filesize
156B

MD5
64eed109a94013871e181c43b16e0f86

SHA1
3b18320e4fca664f2a511a55fef39b79f2321c36

SHA256
a77a35fb016c4332fc23fd5a22e139f48d8173c561e9456f255227b3a22b26c4

SHA512
fcb7572bc65bd029fe0eb9ae71b56c29494e9c478746d26a9e5e9f04e7ab780778beac7ba47b4ff44b79d6160b930dc2230e7fdd9124afdbe49f08985be6b466

Download Submit
C:\Users\Admin\AppData\Local\Temp\5sb7ca2n.0.vb

Filesize
219B

MD5
3fd23b7ac82058d02d246490f3fcdafb

SHA1
5cd215eebb49950dee64daffe5d2d059c6873710

SHA256
5773f45f6c95c87bdd15b0cdd07b10d65b60beb756a04a820ef6eda0bdf5c509

SHA512
a6bdf5b0b994a7f8c96271955a81ce8bd9ed650d3649bfbe9619c693b574b0da20696a902864a768618f53859fd00b5981b20dece7ee7f92153ec780f9bc5751

Download Submit
C:\Users\Admin\AppData\Local\Temp\5sb7ca2n.cmdline

Filesize
216B

MD5
19e8b10e931c67216fd9fa86fd635454

SHA1
767d8c2405b1209bb6899b0e1f37b07935d4a2af

SHA256
6ba419d83cebf3b10938f2f1c05b3938c8fdfc28b77f8363b5485c57778f87a3

SHA512
cc4fa039e058d1f3ea621169368a918c6e88017745ab03e781e484ce45c7f761404ae07db0406b244210cdd3545b1fd5023ec4354dc6c6bceebd538d370e5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ao8ff6t.0.vb

Filesize
291B

MD5
a76a60c2684ac4773ce5b1e8b5bd30ea

SHA1
ea5fb32cc347f622ecbe9144daf9af5e47345aae

SHA256
a1e7e84a661d7e999a959d5780c81422b451858de68e78571d0d743f2be1c766

SHA512
1c67a05c6273118a79f8e95f2f0cd5b3ca09875b7267420908f61c95a5764b07c16f6a232b57078883d8ed814763e6128caa9289a897bad5194b8f92e79fcec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ao8ff6t.cmdline

Filesize
162B

MD5
178ecda68a6736b4c6ec793f7e39e5f0

SHA1
43eb3a00f062d47a2fa52317a65758bb360c5552

SHA256
8a7c30672e46c186437108868c981f0cfb65ca609cb4910ed55de3522cbb9313

SHA512
f62cb7844f4ab5740e713dae05587596635cc09fe75bd177d6f4c4cb1b9b33bace802e64228a4577d48c422d972b6ecbc8eb629ac69833aa9d5de71f50355173

Download Submit
C:\Users\Admin\AppData\Local\Temp\9nqkfzfd.0.vb

Filesize
300B

MD5
4b36dfddd9b618ed2ce607f1ea4611f5

SHA1
5810d843192e59f7b99be454995ee14f3fe6cfd0

SHA256
37f1f908ba95ab1951658bdba677b39ea861512ceef74aaa92ef2cfd83650a9d

SHA512
e0b8575d21630847239d777f7df6a56cc4ff201f5c4e438b6acb18591605c716fc248c07998b5b2ab41f186ee979f7b2f7eb0818adaca8efcd43a76c7f5081e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9nqkfzfd.cmdline

Filesize
171B

MD5
41279bcc5445b9410a46b78bb6c30793

SHA1
b50f6c89d7f0c7326e50f53d49dfc9e511b7d506

SHA256
9a8bc6542ef950757c28fe8c1f6f6c4b07981dc56b6cbd072ddb1a2ea9a1ab3c

SHA512
913a8a581887e46f059a845cd14cf13787cbf11a6a7f518738034e43088a474afe19b4a1101fbd2f95c04ad6948a181cabb7d8fed21381f17e0d168ee26a8222

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A1F.tmp

Filesize
1KB

MD5
cdb7eb45d8dd9be3936c550bb7e557e1

SHA1
eebacadff846490682ef41fbd555c5cece8d8481

SHA256
8cc7f92b095e0bd924f8f8bbdabf4f45e9138d1ab541a0434b4e2c17e0fd242f

SHA512
46d1736dffa07d69c7c30348bb9e6a5bca5807aa97b416c3eb78f6d407ea29f33a2cee61a8c863b8a6813b9bf9283bdf7627b78d7bed20c613e0727f4cbcb394

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C32.tmp

Filesize
1KB

MD5
3ae57e7a57a7fc48d5548912559e450a

SHA1
6e0d6901ebe6eebebbaad4b2b9f422fa6a275269

SHA256
2e650874c39fd1ae5de87fd2377d9d7ab5513487ad266a067f03e872ad3c2a64

SHA512
93ab6ab50bfa3b440371b1e2035b6aff8342bd618d9b0c9a476179c84a3ba5c6699a204025b6b7b70211a4ad25e7f47e65b8a12dfc692f6828613f0fad16190e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C9F.tmp

Filesize
1KB

MD5
0243a572274e275c18e40b00a774f3eb

SHA1
48cd39f639378d325d5b419474eb2edfb15bb3a4

SHA256
7805a363585677e21b25d382cc5b296924133d60de888a674fd518113bc42754

SHA512
43feb5289597353250a5e45c0acc7c51d62c375a0efc14d46d3ec1714c2c9db33af592de7074d5f5dab56b038856ff9922550904ea548c7546c22b69580feca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D1C.tmp

Filesize
1KB

MD5
08106209ffc15ac7da2af58c24f9a77b

SHA1
703118da498682e39eb3ea444123d420556f9713

SHA256
44557f2c05fd02986fa5f4d64af2cd30464181b536433c5f91a363e71882954f

SHA512
2739f784fa516da011b2b9a1c0aff3eaef7a7530ec77b6a19a7e944041ff27771c939f37303c90fe388f713d652acd6180aff97444c56633400d7de9f64debd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DC8.tmp

Filesize
1KB

MD5
e910826a2bba6d69da374b34c3735400

SHA1
80d2c9a16ec1a16da4eb3411921fc88c597743a9

SHA256
8374a59c2582763392fcba32ddaa14460c682894193d9c90493a102e86157f85

SHA512
a5c0e79f2dbdcf9be2f7e98e17c3a4da5f24f9f9418971a00923a4b5e69828772541d689b6c27d383c900bcb18680e860194702d54e1542b6b9a917bedc031ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E64.tmp

Filesize
1KB

MD5
b94ec57c71e939fc0f2ea2e32aee4095

SHA1
4c18d9cd5e6e7480c09e9afd0d277484b2abf83b

SHA256
b83fe2d3d918a78d02301e3c01361eb8c5e0d0834cbd24d98e4f193b53f7bb05

SHA512
e2e0b1ae72215607ddd12a49e1538ddc989f9d85a6320c4e01dcf87fcb1cecc82c0c745f3386aa899c04143bffe3357b0e2091a1c42b0c427f0fd028bcbc99d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EE1.tmp

Filesize
1KB

MD5
645fc75620b19b7b53130de25fcd12b4

SHA1
20f6b67e042efaaeaa0bc5617201cf06a3e6b44d

SHA256
a54b055f818e0f24b3a832025e3800dfc4607e6384adf99902582776d2f165cf

SHA512
d4d6d4bdd3311fd68dca55c2f7e4c5167703f9e1688487b1d3637307928fe7d98da75ac1c6b462aaf9f5dc973cf37961a296837c1fe8a9890ab1b6d88857c9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F3F.tmp

Filesize
1KB

MD5
c74d4bb2e700708888155b52a02f8133

SHA1
300f3f91071c77494d7746ba4099016de51f053d

SHA256
07a60ab1ebd6f478e77ac1ed7b6fccdba350b6a96d95d5bf6880650340ef5ea3

SHA512
65cc9b8bb3a79530100edb1af547847af17b893a7ccc26109248844b317b8f0957bbd21d67ddb16c68fe225cb213dc7e9e9b701f0432abf4058c4c01aad3ea8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FCC.tmp

Filesize
1KB

MD5
7f2365b38abef62052cfeda89340a405

SHA1
8f3bca29c95cdb831c98283ff5e29c4044dfdc39

SHA256
8311c990aa94c9b97997c119fa5c9698ed5642d0783cb41a1000991b379a8858

SHA512
405f3f5429efac91fdf6e8991f4f660c32181b3915e49dfbf1abf7b1c098961812a1a20d08d5506a68f73472144f986e5bc642379a415cf198bb6c59ead3f43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5049.tmp

Filesize
1KB

MD5
7ce9313225e6bbe13c2a1f6e7d6c7c6e

SHA1
48cc1cd71137d0a6a2766af6e6eb28a91915bef7

SHA256
816e377b48e969b7933374b8ed6f4d8e0fc1bb5005d97b1ddb883d128893ed2c

SHA512
41f7ea1f2fd2ac2e384a932ed87a518b423b19bc053aa46b912f99ed8205e909e11e343da53185fcb3e9a250902ea63f7949b998714ea8fc0356964020d036be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqh1zruy.0.vb

Filesize
293B

MD5
e88b145f8a68c93526cbaec5a6936869

SHA1
759b7f383f3bda95fdcf1cc8aecf37169ac58e13

SHA256
0f9c9ce6dedfc73cea95da54e5c6240d4ba8a7a5806c28c002baf9728b1f2401

SHA512
2132264dbd363fcc67290e47787f0cd8f3682d65acddcb35fc74f5c509a63a663fbb37ec6c994ed3d08c4cfb3f4b00de7f57ad74d176ed390add498c7822d3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqh1zruy.cmdline

Filesize
164B

MD5
5b28e2a62ec8bf0b03457bbfcea8ebe3

SHA1
7c26f7c2ad4519b0a7b84631fdbabf2e54f13d43

SHA256
f35b0e3700af8b78136675abb04e3441202d7ecfc2de3ba523ce8076b3905533

SHA512
a760dbc68cb2f85f4a2019e82339ba4834c83cc98930daf3ff8c8f1bf3af19058d63a92ee345888cd5fc494db93dde38efd59af5f146e3208acc5d540560e9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\inounkbv.0.vb

Filesize
302B

MD5
2164f94f71ebb52939d82f2ec171103c

SHA1
ffd28d94cbf94c6cba8d0f845e71fb664eab459f

SHA256
040c54f8e7a92092eca8268c4303cca5431cecb9ca26a76f40d131bb499e051a

SHA512
1dd9c4e0a9f0f75749efc8a0e8e42403efa3d001f4d8d44d4b8aae060099bd6e9258bf1e0b80c36e1a05b09ad6202ba5f5c161ccb99b9d0fc1ca0bcd92a00e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\inounkbv.cmdline

Filesize
173B

MD5
acb47894a52f56315090a1804bcfdccb

SHA1
227f775294d67fefc0c05ce97be4a7502fcefe3a

SHA256
a22ac126230690623ac81296ec7e700df264ef1251d0ed8cc4ebaf61022dfaf3

SHA512
c5b0c7321a7a74b01bc820c77e49964e119e3c9708003c1351c2cfecd0c5302f359a40fc24e298303ce760f84da9c68bb0f8bae9dc41b322ca5acd60b0998adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvzsebac.0.vb

Filesize
303B

MD5
88fb850f0257c82ee76fa75f4ba4ab95

SHA1
404178b2a849869caf000e1c99d56402dfa37fc1

SHA256
caaad0b37111b3a9135164250b28486791cc3d09c274d99f79dbfef5be80ea5f

SHA512
bcb76c1136e8b340439581ce1ed296c9f6d4302bd3c93679c620a651c1acf5dab9a97aa9c04162a5b286e1cfaf76eb4c77a781a5c11fe2aa99c567012c1f2f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvzsebac.cmdline

Filesize
174B

MD5
b7ca8fe3742461c190da23bf9e351ab9

SHA1
bab1b47bd67b09a5dcf6dba18aee6493777d6d7a

SHA256
b9f9d2c9e3375566550f4030ef78514912d6c24cac3e3f5609ca778148c128da

SHA512
fe36a44589ca159d2c308600a5215fe4e0135c558fc512e798320a71fc67b91b0d2e804b85fac73283266d92de505947c76cd9845585aeeaee7c2ceae7c12a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\poajmnfb.0.vb

Filesize
301B

MD5
e325d730cefa78779f5ab7ae79358bb5

SHA1
1abdf5dc68162ad9cd50aa14b552b9b1048eaef1

SHA256
cd4a50ad4a453b8d01e94ed087399bd1df1495a9e6096fe7eb54cbc4eae317ea

SHA512
c4a10c565c716399ad38d6090a81b1b1dacac9198777b833d762888d02e10c1cdfc58db9e3a459e7cb12cf0aed6385597f54c22b33006b032d4a61d49673aeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\poajmnfb.cmdline

Filesize
172B

MD5
cbcdd02b0a67f01ba74ddf3eda63083a

SHA1
78a9c32d2bac4049c00806bb604b33a55fd33754

SHA256
de34c593a833140f43c5752c08d45d2a208dfa2061336d67a374b225e47b6466

SHA512
0441234610126958b51b82f39f33f324f414ff54a5b6297a4d1afa05694a99c357e307bb80ed7e1ec4b08ecade685f4e6d33a7ae23abb14371d16597d5d823a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2wx3vea.0.vb

Filesize
292B

MD5
5bc15b56388746a39483ead9fa7460c2

SHA1
fd16d74120d38434eaaf32ea970de1f1abbbd946

SHA256
77f14957337e861fdf7a4a2d9e28736915001505ee6502fbb302ebee3fa97b67

SHA512
909e33fa2182daf04f4c339f224b124a4369a7d5cfc4a3fc8d9144e34c29bdd9952453bb255b5d78ce15aebc90a99473057538453296bf1a5df0cfea550d6c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2wx3vea.cmdline

Filesize
163B

MD5
587e0e0dbecea009853d397abcf5de3e

SHA1
d70b5b754b327230a8b3cb8b15ce0ca559cb19aa

SHA256
035e94e003f5e49b02f7c3bde8ff998539c1468753190d659af1c0a5e65ff484

SHA512
e9b73ef8ebba830e5fb0e4e5d06b57953bfe6cdccd81f15c3dad6767c4d8b5e1d50ca925a6029bd87de4a2231ca9b8dbac12fa5114a94a0bf43657a84b29308e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3066CBB931F546FD982FDAF34B142933.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E80F3B3E82F41F5ACBC3E8561675847.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6975081C77B547D786F55125B4EB2C41.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7466F81B30941BFB9FD5C32AC8D2181.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE2127E8CF92A4EE39C35FAE199119B0.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF6E04F204FDC41BBBE8A685CBB75F2B.TMP

Filesize
732B

MD5
d1ab5cd7b8edf473611603f7c0523c86

SHA1
9735a5ee3505c8d44491ff5fc329ad1de7926c81

SHA256
01a4da2c8dfc942b92d11f4e7ad7d2778cc897656ad6533078157042ffaf8ba9

SHA512
eeb2ef49281d2469e23340ddc195defa178a8aaed59147f0213904232bd09d8a46022eb16785e609589861082395dc7546ba0c2181418c421b959001922925c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpq99dhd.0.vb

Filesize
299B

MD5
9cc9962fb06fd96f5b0f45813d86b15e

SHA1
369ae611e8119a6e15bf13809ee5f71646eb6f42

SHA256
5808ef69bff26e689e4d16c87ea094643e8d288d470efb7922864069975f4c6b

SHA512
27c1b47ccb7560c59b4729cc5fafe3950ebf35d1ea5d8e5a2c22f71ab83e9f158b47c0e5b61e8c9425edcee278535c9edef02a495a9b7b26c29ab51b7aed37ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpq99dhd.cmdline

Filesize
170B

MD5
70723e39a672e03faca2780eaa6d62b1

SHA1
5a8e13a414163e93ab2c53269482a9dbfa54e389

SHA256
e8127d27425461446373d7ed69068a82b8e8e20ca0078d2fc3f0bb0ae1aa44a4

SHA512
9a842c9dc4535f2117c83f0949ed280c4041021c5202e1e6e5bc758d76c8b63b27a083d4ac8ba84323a616c703242bf6d010be0472d2f48422e6560b0d84bfc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe

Filesize
472KB

MD5
04f9cd1f32905fa8282895840e8d3645

SHA1
ac932595c0cc0fb578e08ac91ebfdd829e64d8d0

SHA256
def80f5379a616c7985d76932c65e4d35b53287eba6ad964a08a3e9d589be0bf

SHA512
94832cfdd761f6e2128f0b53ab79be5fb70bef59d767c48f946878c706ee4af5e0d59053ac99b515719b253c37f521d60d2296338285fbb4075c81b061e00ae2

Download Submit
memory/3476-25-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3476-176-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3476-26-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3476-23-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3476-41-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3972-10-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3972-7-0x000000001D590000-0x000000001DA5E000-memory.dmp

Filesize
4.8MB

Download
memory/3972-6-0x000000001BAC0000-0x000000001BACA000-memory.dmp

Filesize
40KB

Download
memory/3972-5-0x000000001C7B0000-0x000000001CCBE000-memory.dmp

Filesize
5.1MB

Download
memory/3972-8-0x000000001BD40000-0x000000001BDA2000-memory.dmp

Filesize
392KB

Download
memory/3972-0-0x00007FFE85055000-0x00007FFE85056000-memory.dmp

Filesize
4KB

Download
memory/3972-4-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/3972-3-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3972-2-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/3972-9-0x00007FFE85055000-0x00007FFE85056000-memory.dmp

Filesize
4KB

Download
memory/3972-1-0x000000001B9E0000-0x000000001BA86000-memory.dmp

Filesize
664KB

Download
memory/3972-24-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads