cryptbot | 3d0c53b85d752355b9185c5d43a96dc028f2a56e73fb3358dc6a7f0882329e4e

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
Size

4.0MB
MD5

3f6f1b87fc7750df9421200e9e0aa070
SHA1

11cf49ecbb3b8ba5d76444cefd041435c95bfc47
SHA256

3d0c53b85d752355b9185c5d43a96dc028f2a56e73fb3358dc6a7f0882329e4e
SHA512

9a4e11817771ab6cbb17d2a21857f1f210eafb122df5fd55ae963595aae2263fcd8b6cbfa855f05e26b0e1a2a6f8ca751452cdc9bcdcee0fb44eed6f9763dbc5
SSDEEP

98304:XoUyCR9OdQA9BKQ+SQQUH80pvgsRGVdgTsPC:Xo1H+A9BLM80dwrb6

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

tuytee16.top

moriiikk08.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-353-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-355-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-372-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-397-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-399-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-402-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-404-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-406-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-408-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-410-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-413-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-415-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-417-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-420-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot
behavioral1/memory/1644-422-0x0000000000ED0000-0x0000000001400000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup1.exe1.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup1.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1.exe
Blocklisted process makes network request 5 IoCs

Processes:

CScript.exe

flow pid process

4 2636 CScript.exe
7 2636 CScript.exe
9 2636 CScript.exe
11 2636 CScript.exe
13 2636 CScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1.exe

flow	pid	process
4	2636	CScript.exe
7	2636	CScript.exe
9	2636	CScript.exe
11	2636	CScript.exe
13	2636	CScript.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup1.exe1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

Executes dropped EXE 2 IoCs

Processes:

1.exeSetup1.exe

pid process

1644 1.exe
2504 Setup1.exe

pid	process
1644	1.exe
2504	Setup1.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup1.exe1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	Setup1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	1.exe

Loads dropped DLL 9 IoCs

Processes:

3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe1.exeSetup1.exe

pid	process
1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
1644	1.exe
1644	1.exe
1644	1.exe
1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
2504	Setup1.exe
2504	Setup1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 iplogger.org
4 iplogger.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup1.exe1.exe

pid process

2504 Setup1.exe
1644 1.exe

flow	ioc
3	iplogger.org
4	iplogger.org

pid	process
2504	Setup1.exe
1644	1.exe

Drops file in Program Files directory 3 IoCs

Processes:

3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Mader\lase\1.exe	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mader\lase\Setup1.exe	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mader\lase\Setup1.vbs	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exeSetup1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup1.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

CScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	CScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	CScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	CScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup1.exe1.exe

pid process

2504 Setup1.exe
1644 1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CScript.exe

description pid process

Token: SeRestorePrivilege 2636 CScript.exe
Token: SeBackupPrivilege 2636 CScript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

1644 1.exe
1644 1.exe

pid	process
2504	Setup1.exe
1644	1.exe

description	pid	process
Token: SeRestorePrivilege	2636	CScript.exe
Token: SeBackupPrivilege	2636	CScript.exe

pid	process
1644	1.exe
1644	1.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exeSetup1.exe

description	pid	process	target process
PID 1652 wrote to memory of 2636	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	CScript.exe
PID 1652 wrote to memory of 2636	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	CScript.exe
PID 1652 wrote to memory of 2636	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	CScript.exe
PID 1652 wrote to memory of 2636	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	CScript.exe
PID 1652 wrote to memory of 2636	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	CScript.exe
PID 1652 wrote to memory of 2636	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	CScript.exe
PID 1652 wrote to memory of 2636	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	CScript.exe
PID 1652 wrote to memory of 1644	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	1.exe
PID 1652 wrote to memory of 1644	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	1.exe
PID 1652 wrote to memory of 1644	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	1.exe
PID 1652 wrote to memory of 1644	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	1.exe
PID 1652 wrote to memory of 1644	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	1.exe
PID 1652 wrote to memory of 1644	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	1.exe
PID 1652 wrote to memory of 1644	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	1.exe
PID 1652 wrote to memory of 2504	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	Setup1.exe
PID 1652 wrote to memory of 2504	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	Setup1.exe
PID 1652 wrote to memory of 2504	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	Setup1.exe
PID 1652 wrote to memory of 2504	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	Setup1.exe
PID 1652 wrote to memory of 2504	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	Setup1.exe
PID 1652 wrote to memory of 2504	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	Setup1.exe
PID 1652 wrote to memory of 2504	1652	3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe	Setup1.exe
PID 2504 wrote to memory of 2992	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 1520	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 1520	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 1520	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 1520	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 1520	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 1520	2504	Setup1.exe	cmd.exe
PID 2504 wrote to memory of 1520	2504	Setup1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\CScript.exe
"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Mader\lase\Setup1.vbs" //e:vbscript //B //NOLOGO
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Program Files (x86)\Mader\lase\1.exe
"C:\Program Files (x86)\Mader\lase\1.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1644

C:\Program Files (x86)\Mader\lase\Setup1.exe
"C:\Program Files (x86)\Mader\lase\Setup1.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\vnsrievgotrk.exe"
3⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ymsawtldtf.exe"
3⤵
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mader\lase\Setup1.vbs
Filesize
126B

MD5
3ffc26d751f79fb801ecbb715885e852

SHA1
f54da1552aabfbf68ef07fa98234a8a1ff789a16

SHA256
8816d2a6adff6e256c6f478c46b283991feeb28dedc384914fe35f14f673d5d6

SHA512
08e00923d92f9141ec09ed420738126883772e359e6fc2e703a293020d0bb42b915d2a9961ba03676ab2ad43d8f4563b46778e119f22007073b1d9f1124c0d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9bca7d543cc344f541d8403690c9bc2f

SHA1
6b91115e62e00a19e3a61ce8fc192b2ce06cf5c0

SHA256
877e11d71f2bd36b233869a0275e3f0e67e7437fa438043f413d301db8e3531c

SHA512
e9a0ee887c13dd7ba5e52e05a8865f0137d6aacc9c800d7401cdbb09aebf95bff2e005e338dfe58e0303a5122f5d29a60277cfa2f41a6212aded4c65827c41ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab236A.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTx6OcwdD\RGQSYrry3lET.zip
Filesize
31KB

MD5
f5275fa3ca669ff78d3edd3343feb035

SHA1
164bf144c3bb507bb6ac247e00c026bb2221f567

SHA256
d043e974ed0872e4c6a865189d259499e08c6fb3b8246857f90d205374785206

SHA512
92d8c6c31e44f47d8c523b60143a820af69ebe60d3ff64daf99d1391d9d62b1b1f3c194f4c9301411803d793ca66f161d3690ec31e99218397da5211357c664f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTx6OcwdD\_Files\_Information.txt
Filesize
2KB

MD5
2032da333f0f4cfc1c06df7194ef5fbd

SHA1
df7cc8ea6a2419919f33dd098363be96a77d87da

SHA256
8f3b33430f99f46fba12d4d69ee8dc78a491a5763cb832a5e7a63a29095383d7

SHA512
2e2a63426df948c5e03aa4610c0d420982817557910f02661e8f0fb030d4c5df42a4b6a5c3c33db2227f91c23556eaa7d75dbd332500b872ee9cf5aafa75c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTx6OcwdD\_Files\_Information.txt
Filesize
4KB

MD5
8c5838f63ed2d3ad22dd552a4dd57390

SHA1
1efb3598eeca6fb7e0ba53724c0ca76d2c6eb215

SHA256
7420a9f2221de8104675abf58aa77aa88e9ccfbf17bed2f3b36aa4097cbcc1eb

SHA512
a3f2e8bbb12171bc4619451a6871efc27c7291cdcae81df37c1054942ed4ba8184f86fa9ffa4228fbb47ea62af6a48e0eb2c58310b2c6230ccc7a09bec2f075c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTx6OcwdD\_Files\_Screen_Desktop.jpeg
Filesize
39KB

MD5
81e35b428d500d64fd38eb806e9ff619

SHA1
fd1d0833f0c61848651d5bbfc7ce8cf3ce469582

SHA256
ed90919b0af9820c9a3222092dcd3750841dc5e6669478dccff04f84525d4025

SHA512
91231dc9241927ad8429b2b86453597d6d46225a028f96a4d98ffac946b890e86fc41ff680d9a0374d6c4136c36d1c2e16203360dc8e244d07c2519921d3bfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTx6OcwdD\files_\system_info.txt
Filesize
1KB

MD5
8157eea54200f8e303337be47c8ba957

SHA1
581aec4261bb1fc937d840e758b0226c8a60023d

SHA256
8350612a8736a3f3d23ed631a77ff4aadc1ac6b9c1520eb88d3756f290bebb3d

SHA512
62b5acd1a96d1501b22ce6589671697234e404e70e068c4c9eceda66a95ef4d85bbded4960bc0241a4850b3ad46e732e1ddb6e65e33085ffd362ef1f8880933b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTx6OcwdD\files_\system_info.txt
Filesize
3KB

MD5
a9a69f59fe2e21305c1d8dd2636f61a6

SHA1
13f901d77432b58a9ea67fbcdaa2e84c0a25e7e5

SHA256
2d9b5b41811a0f4c7555863c18963e25d13394e45c3864f4550f62b6f318c169

SHA512
778d21d161c5b279d7fbc75c5a7b31696c94d3cae94468c669334f4930156b84e333b22b00457b4464c883e5146197f87aca4307c8a1623255f04874a024d3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTx6OcwdD\files_\system_info.txt
Filesize
5KB

MD5
9235c78b58240d412f845dc6b75a4570

SHA1
f33910daf56c611d0aa3a0892d6312e069d7fdd1

SHA256
574cd943cb312d7e3727fdd525a0333541c483eca6f09ca1a37369c344e92ae6

SHA512
d5c762eae518cf307a1b4680d752785abe019344f921fc0a3d78ec8490972d5d8b05531c4b3384a23461026388e7fa3e4c5cfe138111ae110c1142bcc557c4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar249A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Program Files (x86)\Mader\lase\1.exe
Filesize
2.2MB

MD5
4ae318b79250c2969d663dee668f3a27

SHA1
57e5cd1eef257683efc4f82c369739621d8299ce

SHA256
753af3a9e8f98e03f71c700d6913933962a3510ffefb97cd57ccbc20991a98a4

SHA512
a925d50a05e423533a0aec8f552af0e6f55dd3c116bfbbd6ac49ae6c3dd6acd0641ca3dca70499f22a54860c2374f26c2a807f380475290220f74e53c9bf8aab

Download Submit
\Program Files (x86)\Mader\lase\Setup1.exe
Filesize
1.9MB

MD5
e79cf3b82c9bc3fd37c54b29d5986c15

SHA1
a96834689e3454ec7c3bee9872da85ddc900bc0d

SHA256
8972be1f2eb134a22c4d46fad916db5b13c5871dc15a7799246542b6de42170f

SHA512
1a4786d5b258e7bf450b66bedd6c63e8cd162570965449c87224f21a4c114cc0ac880b907787cce184e9374caef819685ae7dea7d7a43a200866f73e1d11edc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy20BB.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsy20BB.tmp\nsExec.dll
Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/1644-399-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-372-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-120-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-127-0x0000000000990000-0x0000000000EC0000-memory.dmp

Filesize
5.2MB

Download
memory/1644-422-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-420-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-134-0x0000000000990000-0x0000000000EC0000-memory.dmp

Filesize
5.2MB

Download
memory/1644-406-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-353-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-355-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-356-0x0000000000990000-0x0000000000EC0000-memory.dmp

Filesize
5.2MB

Download
memory/1644-408-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-417-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-415-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-413-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-410-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-397-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-131-0x0000000000990000-0x0000000000EC0000-memory.dmp

Filesize
5.2MB

Download
memory/1644-402-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1644-404-0x0000000000ED0000-0x0000000001400000-memory.dmp

Filesize
5.2MB

Download
memory/1652-112-0x0000000003030000-0x0000000003560000-memory.dmp

Filesize
5.2MB

Download
memory/2504-354-0x0000000000850000-0x0000000000CDE000-memory.dmp

Filesize
4.6MB

Download
memory/2504-135-0x00000000010D0000-0x000000000155E000-memory.dmp

Filesize
4.6MB

Download
memory/2504-375-0x0000000000850000-0x0000000000CDE000-memory.dmp

Filesize
4.6MB

Download
memory/2504-374-0x00000000010D0000-0x000000000155E000-memory.dmp

Filesize
4.6MB

Download
memory/2504-373-0x0000000000850000-0x0000000000CDE000-memory.dmp

Filesize
4.6MB

Download
memory/2504-133-0x0000000000850000-0x0000000000CDE000-memory.dmp

Filesize
4.6MB

Download
memory/2504-132-0x00000000010D0000-0x000000000155E000-memory.dmp

Filesize
4.6MB

Download