sality | c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
Size

2.4MB
MD5

d571af1cb1302f25732c3e3277b0eae1
SHA1

42359ac1f5be4fb5027f7deec9ca19e954921269
SHA256

c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161
SHA512

7805762c9003691156244a77aa4e2ad4b9bcb184e6bc1db103ff5efc1478f2e72ed6643e5659367651afc1709511ec88b9f4bb3d0131d38adbf589cc131ac7d9
SSDEEP

49152:S7r707U2I7V7s7E73P7qh1wvSAD2o6thgGmB0Hz09xRFWCq211XAvD41e+:K3OhWvSp5wpFWCv1lX

Score

10^/10

sality backdoor upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2912 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

Logo1_.exec1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exec1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe

pid process

2916 Logo1_.exe
2652 c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
2584 c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

2912 cmd.exe
2912 cmd.exe
1324 cmd.exe
1324 cmd.exe
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2652-34-0x00000000005C0000-0x000000000164E000-memory.dmp upx

pid	process
2912	cmd.exe

pid	process
2916	Logo1_.exe
2652	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
2584	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe

pid	process
2912	cmd.exe
2912	cmd.exe
1324	cmd.exe
1324	cmd.exe

resource	yara_rule
behavioral1/memory/2652-34-0x00000000005C0000-0x000000000164E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe

Drops file in Windows directory 6 IoCs

Processes:

Logo1_.exec1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exec1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\rundl132.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
File created	C:\Windows\Logo1_.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
File created	C:\Windows\Logo1_.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid process

2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe
2916 Logo1_.exe

pid	process
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe
2916	Logo1_.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exeLogo1_.exenet.execmd.exec1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.execmd.exe

description	pid	process	target process
PID 2972 wrote to memory of 2912	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 2972 wrote to memory of 2912	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 2972 wrote to memory of 2912	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 2972 wrote to memory of 2912	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 2972 wrote to memory of 2916	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	Logo1_.exe
PID 2972 wrote to memory of 2916	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	Logo1_.exe
PID 2972 wrote to memory of 2916	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	Logo1_.exe
PID 2972 wrote to memory of 2916	2972	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	Logo1_.exe
PID 2916 wrote to memory of 2668	2916	Logo1_.exe	net.exe
PID 2916 wrote to memory of 2668	2916	Logo1_.exe	net.exe
PID 2916 wrote to memory of 2668	2916	Logo1_.exe	net.exe
PID 2916 wrote to memory of 2668	2916	Logo1_.exe	net.exe
PID 2668 wrote to memory of 2676	2668	net.exe	net1.exe
PID 2668 wrote to memory of 2676	2668	net.exe	net1.exe
PID 2668 wrote to memory of 2676	2668	net.exe	net1.exe
PID 2668 wrote to memory of 2676	2668	net.exe	net1.exe
PID 2912 wrote to memory of 2652	2912	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 2912 wrote to memory of 2652	2912	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 2912 wrote to memory of 2652	2912	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 2912 wrote to memory of 2652	2912	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 2652 wrote to memory of 1324	2652	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 2652 wrote to memory of 1324	2652	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 2652 wrote to memory of 1324	2652	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 2652 wrote to memory of 1324	2652	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe	cmd.exe
PID 1324 wrote to memory of 2584	1324	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 1324 wrote to memory of 2584	1324	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 1324 wrote to memory of 2584	1324	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 1324 wrote to memory of 2584	1324	cmd.exe	c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
PID 2916 wrote to memory of 1208	2916	Logo1_.exe	Explorer.EXE
PID 2916 wrote to memory of 1208	2916	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
"C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a193B.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
"C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1BCA.bat
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe
"C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe"
6⤵
- Executes dropped EXE
PID:2584

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2676

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
70a8e7418b1a9fa4af181f29bb8381ef

SHA1
7b4acecea4709c0ef636a671ecdef8c4a69af521

SHA256
8cd03b706de9ec51af8d04f28fd2514dfdae61efa6e5e4ce7a342ee547e33933

SHA512
1795430996586e7716912a287e407a5b6d76c978ef314734d225e9ae967e115e4657791ba734cd56a28801d1b75d63b1f83c8c71741132b195bb9890e9c00db0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a193B.bat
Filesize
722B

MD5
a4982ce9ff33f044c6a98bd46468b6f7

SHA1
3d81163abc5282fd0893f4b33cb119d868a1801e

SHA256
42633724b4cd892e09e2c98856540325614bacc09ff3736028cf5333d4cc446c

SHA512
53fcc128a20c2b1d7b076f8b636245772d3f5f6504060d7606c45c7ed23265f79a8f75d322cdd642849bb4df5a69bdbf78216b9b301bffa00f6d1a7bad306286

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1BCA.bat
Filesize
722B

MD5
aa8b5ba43e4356a2a4955b18b8e513e4

SHA1
03718d1c0c053ba72514be99fecd751c2180a89e

SHA256
23664aba83958baf7fcd438ff479fbc4291fd0d9f941106c0bb4e03b1d08552a

SHA512
8522d6bcb4002be5badcdbee9643af0e82680c488040145542ff6158832ba67ee88006e734f2648b73eb10151f41a3f07c774c0e4b3c0f59d977b4e451aae58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe.exe
Filesize
2.3MB

MD5
401ee50041bdb383d14d255153bed927

SHA1
6c669898b9685e1a63f52e48a81d0f2083ce8736

SHA256
64d730b5af7258db9f0297f4864404849ec15408765b742194d236f789ec3290

SHA512
ce8565c1d3124c4243a482377e9b3d87b37dfafc288a1cdc59e40483a4da3e392809082607bcdb5e9402f8cf628817a4995b38286badc2bfa0f63e496817917e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1bc260eff93f5e3801145aac1eba8ee3256103e988c6ca7e0e467555f728161.exe.exe
Filesize
2.4MB

MD5
80659b362caa9ebeef51fddcdca01508

SHA1
f99dedb00655eb023a20d79d5da21136c82a4e0e

SHA256
be41a8e32edfb8316f412f1fc9eef4502ea4d09dab95ea132f82fac5cb6163ca

SHA512
a06a5871c61a2446e2ec250faaac1c1cae2dae7ae90e55c659fcf58eab45f00fefb404c0d193c6b0262029a87141f078cc00fa59535db227d5854da6bc28d2ea

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
25d554cb31085408ebc19eb299eff6ee

SHA1
84a85483a36b3590469b13e386e3c660dc280fd2

SHA256
27167d524d34a0f3861d945fa3a241e9ddd14803c5bf7db81b4e14d1b463e5bb

SHA512
c76801e4a0ceadddce9f05a185289920f48c8a55872e1a09b801b499170f2ee77199f10eb0df390aa7c4f588f2c69d2878ac3b1204ad617725d94d8956a2abb7

Download Submit
C:\Windows\rundl132.exe
Filesize
26KB

MD5
b212d7645cfa951417740e9a0222c85a

SHA1
d216d0ed6940bad4855f7922f81368e18029c470

SHA256
e713cd86243a5837f97d227412416b0203639420f7674d3475faa197247240f4

SHA512
8dc357041e6f0db0c2b75288757a6c2b1d6914ba91da81541e0c2b7ad3befb3d8ed3b898d678cb08486cb3cf2b5cfb6fc65823e38246a7dbbb02cba51d1bc5a7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
Filesize
9B

MD5
2822854d33e24347f613c750df46b810

SHA1
c2ea2529c032aa552d5a8301900cf27fc0f6045c

SHA256
73f2f888bdeaf9427c7aa3355fbe711e6570fb5e9e48c3f64cd229198ce85ad2

SHA512
21fff5d14e03a0420d9242a095c2e93ac2b7e6b9e49d12da907394ac9725bb746896721ceded88411895e9630a8ffbface168f0c02630b33300647d3d9e3326c

Download Submit
memory/1208-55-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/1324-50-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2584-53-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2652-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2652-34-0x00000000005C0000-0x000000000164E000-memory.dmp

Filesize
16.6MB

Download
memory/2652-46-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2912-30-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/2912-31-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/2916-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-1898-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-3359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads