Overview
overview
10Static
static
10241105-dtx...ed.zip
windows7-x64
1241105-dtx...ed.zip
windows10-2004-x64
1d91912b4b9...37.rar
windows7-x64
1d91912b4b9...37.rar
windows10-2004-x64
10di3x.exe
windows7-x64
100di3x.exe
windows10-2004-x64
10201106-9sx...ed.zip
windows7-x64
1201106-9sx...ed.zip
windows10-2004-x64
12019-09-02...10.exe
windows7-x64
102019-09-02...10.exe
windows10-2004-x64
102c01b00772...eb.exe
windows7-x64
102c01b00772...eb.exe
windows10-2004-x64
731.exe
windows7-x64
1031.exe
windows10-2004-x64
103DMark 11 ...on.exe
windows7-x64
33DMark 11 ...on.exe
windows10-2004-x64
342f9729255...61.exe
windows7-x64
1042f9729255...61.exe
windows10-2004-x64
105da0116af4...18.exe
windows7-x64
75da0116af4...18.exe
windows10-2004-x64
106306868794.bin.zip
windows7-x64
16306868794.bin.zip
windows10-2004-x64
1CVE-2018-1...oC.swf
windows7-x64
3CVE-2018-1...oC.swf
windows10-2004-x64
3DiskIntern...en.exe
windows7-x64
3DiskIntern...en.exe
windows10-2004-x64
3E2-2020111...59.zip
windows7-x64
1E2-2020111...59.zip
windows10-2004-x64
1ForceOp 2....ce.exe
windows7-x64
7ForceOp 2....ce.exe
windows10-2004-x64
7HYDRA.exe
windows7-x64
10HYDRA.exe
windows10-2004-x64
10Resubmissions
01/04/2025, 21:24
250401-z8184awycs 10Analysis
-
max time kernel
142s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25/02/2025, 23:21
Static task
static1
Behavioral task
behavioral1
Sample
241105-dtxrgatbpg_pw_infected.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
241105-dtxrgatbpg_pw_infected.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral3
Sample
d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337.rar
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337.rar
Resource
win10v2004-20250217-en
Behavioral task
behavioral5
Sample
0di3x.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
0di3x.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral7
Sample
201106-9sxjh7tvxj_pw_infected.zip
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
201106-9sxjh7tvxj_pw_infected.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral9
Sample
2019-09-02_22-41-10.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
2019-09-02_22-41-10.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral11
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral13
Sample
31.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
31.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral15
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral17
Sample
42f972925508a82236e8533567487761.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral19
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral21
Sample
6306868794.bin.zip
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
6306868794.bin.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral23
Sample
CVE-2018-15982_PoC.swf
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
CVE-2018-15982_PoC.swf
Resource
win10v2004-20250217-en
Behavioral task
behavioral25
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral27
Sample
E2-20201118_141759.zip
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
E2-20201118_141759.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral29
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral31
Sample
HYDRA.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
HYDRA.exe
Resource
win10v2004-20250217-en
General
-
Target
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
-
Size
669KB
-
MD5
ead18f3a909685922d7213714ea9a183
-
SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf
-
SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
-
SSDEEP
6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2752 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\647f2ae1-9f7c-4696-8dbf-8b72bd210353\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 api.2ip.ua 28 api.2ip.ua 32 api.2ip.ua 3 api.2ip.ua 4 api.2ip.ua 9 api.2ip.ua -
resource yara_rule behavioral19/memory/1768-0-0x0000000000400000-0x00000000004A9000-memory.dmp upx behavioral19/files/0x000600000001c764-18.dat upx behavioral19/memory/1768-19-0x0000000003FA0000-0x0000000004049000-memory.dmp upx behavioral19/memory/2720-25-0x0000000000400000-0x00000000004A9000-memory.dmp upx behavioral19/memory/2720-42-0x00000000026A0000-0x0000000002749000-memory.dmp upx behavioral19/memory/2056-44-0x0000000000400000-0x00000000004A9000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2056 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2056 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2292 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2292 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 348 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 348 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1768 wrote to memory of 2752 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 30 PID 1768 wrote to memory of 2752 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 30 PID 1768 wrote to memory of 2752 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 30 PID 1768 wrote to memory of 2752 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 30 PID 1768 wrote to memory of 2720 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 31 PID 1768 wrote to memory of 2720 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 31 PID 1768 wrote to memory of 2720 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 31 PID 1768 wrote to memory of 2720 1768 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 31 PID 2720 wrote to memory of 2056 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 35 PID 2720 wrote to memory of 2056 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 35 PID 2720 wrote to memory of 2056 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 35 PID 2720 wrote to memory of 2056 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 35 PID 2720 wrote to memory of 2292 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 36 PID 2720 wrote to memory of 2292 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 36 PID 2720 wrote to memory of 2292 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 36 PID 2720 wrote to memory of 2292 2720 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 36 PID 2056 wrote to memory of 348 2056 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 37 PID 2056 wrote to memory of 348 2056 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 37 PID 2056 wrote to memory of 348 2056 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 37 PID 2056 wrote to memory of 348 2056 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\647f2ae1-9f7c-4696-8dbf-8b72bd210353" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2056 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt14⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:348
-
-
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2720 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt13⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2292
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c9be626e9715952e9b70f92f912b9787
SHA1aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA5127581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD535cd15e0cc6e23f1fc7edc535d293e8c
SHA1c0cd3263350911b0e1c99d12d62b53cb525e0fc1
SHA256c412a049a388bbd541b3c1c655181c984340b69008df366d7866c5dfcb35924e
SHA5127035a246fa90fd587004c006cb5a9e7178e3e0a126bd2cca9df084f9c926d4dc8b23625fb934aa68978d381093e510ccfc85261ab17d4686591e42bcea8d8f0a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e56e93ff4e5594764b7f5980c10711ff
SHA14dad947718ac12d914e4acd793bf855d18dbd81d
SHA2560e80e306a4b50a588770a0312e73ceee769604883a9520666884c9b3636f94ca
SHA5121cec50cd8f43403cd56b833afc8908156125a1d9197939b97e3e1b9ac4aea3d2a28878157bbd48b8c99382a7c5c250a6625ba43f9e54d096de88a1a658e932ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD55252a5ab1d69ab7faf8498192865916c
SHA19b1b7a3d31000594667c3fe157f2cd49e0c7d0bd
SHA2566fff85bf799c1c18930511351d2dc903081da75d7db5148f1ff2fae8b2b7d05f
SHA51298fad1cddf6543411d62ac4ffef64136144e836460b3dc5416ede668c563fa86bf85b0a237ef1f187b40719af8f62bb64c6f387724058b4de59e850508f93d15
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5d79f1bd0f2bcba67be348755f7f838db
SHA1bcac3c7c812b7ba4ea793779c2c956dc77095503
SHA256cea85879bf8eadf138a6413b19fe426ded91e43bcebe3e7e57ae58348a22fbda
SHA512fcb323050b9b102ab0911cda065bb4ce85d965e85661e5c745e66a4ba1a3c52bf128c844f05c14071a28de0618dcdedfdc50ed1303e36490281faa1f20ae4e70
-
C:\Users\Admin\AppData\Local\647f2ae1-9f7c-4696-8dbf-8b72bd210353\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Filesize669KB
MD5ead18f3a909685922d7213714ea9a183
SHA11270bd7fd62acc00447b30f066bb23f4745869bf
SHA2565da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA5126e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b