7c3b108ec6887eea992b1883c8640a8f42aa5826eeceb3336982b879ed350077

Analysis

max time kernel
121s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Size

769KB
MD5

2626e3ceb0a5959eb1a4eafe724234ad
SHA1

60410283e2430c9667e2d3c58da0f94ed4dd9bb3
SHA256

7c3b108ec6887eea992b1883c8640a8f42aa5826eeceb3336982b879ed350077
SHA512

022434bdc0b4c039d4cdd11da7d8a14ad9612d13f22f4ded3e5191f0734421cb052e9c7f16434b229cacad6133b5ba397e6c5e08c1bb285f02e78c8327c20ac5
SSDEEP

12288:g72bnuJ2372bnuJ2K72bnuJ2372bnuJ24D:g72zV72zQ72zV72zO

Score

10^/10

defense_evasion evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKULBIBU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKULBIBU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKULBIBU = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2632 avscan.exe
2724 avscan.exe
2576 hosts.exe
2480 hosts.exe
1840 avscan.exe
2476 hosts.exe

pid	process
2632	avscan.exe
2724	avscan.exe
2576	hosts.exe
2480	hosts.exe
1840	avscan.exe
2476	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

REG.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe

Loads dropped DLL 5 IoCs

Processes:

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exeavscan.exehosts.exe

pid process

2200 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2200 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2632 avscan.exe
2576 hosts.exe
2576 hosts.exe

pid	process
2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2632	avscan.exe
2576	hosts.exe
2576	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

Processes:

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
File opened for modification	C:\Windows\hosts.exe	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
File created	\??\c:\windows\W_X_C.bat	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

1540 REG.exe
2536 REG.exe
1920 REG.exe
2996 REG.exe
1252 REG.exe
2524 REG.exe
3000 REG.exe
976 REG.exe
2268 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

2632 avscan.exe
2576 hosts.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2200 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2632 avscan.exe
2724 avscan.exe
2576 hosts.exe
2480 hosts.exe
1840 avscan.exe
2476 hosts.exe

pid	process
1540	REG.exe
2536	REG.exe
1920	REG.exe
2996	REG.exe
1252	REG.exe
2524	REG.exe
3000	REG.exe
976	REG.exe
2268	REG.exe

pid	process
2632	avscan.exe
2576	hosts.exe

pid	process
2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2632	avscan.exe
2724	avscan.exe
2576	hosts.exe
2480	hosts.exe
1840	avscan.exe
2476	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 2200 wrote to memory of 2524	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	REG.exe
PID 2200 wrote to memory of 2524	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	REG.exe
PID 2200 wrote to memory of 2524	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	REG.exe
PID 2200 wrote to memory of 2524	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	REG.exe
PID 2200 wrote to memory of 2632	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	avscan.exe
PID 2200 wrote to memory of 2632	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	avscan.exe
PID 2200 wrote to memory of 2632	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	avscan.exe
PID 2200 wrote to memory of 2632	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	avscan.exe
PID 2632 wrote to memory of 2724	2632	avscan.exe	avscan.exe
PID 2632 wrote to memory of 2724	2632	avscan.exe	avscan.exe
PID 2632 wrote to memory of 2724	2632	avscan.exe	avscan.exe
PID 2632 wrote to memory of 2724	2632	avscan.exe	avscan.exe
PID 2632 wrote to memory of 2556	2632	avscan.exe	cmd.exe
PID 2632 wrote to memory of 2556	2632	avscan.exe	cmd.exe
PID 2632 wrote to memory of 2556	2632	avscan.exe	cmd.exe
PID 2632 wrote to memory of 2556	2632	avscan.exe	cmd.exe
PID 2200 wrote to memory of 2472	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	cmd.exe
PID 2200 wrote to memory of 2472	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	cmd.exe
PID 2200 wrote to memory of 2472	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	cmd.exe
PID 2200 wrote to memory of 2472	2200	2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe	cmd.exe
PID 2556 wrote to memory of 2576	2556	cmd.exe	hosts.exe
PID 2556 wrote to memory of 2576	2556	cmd.exe	hosts.exe
PID 2556 wrote to memory of 2576	2556	cmd.exe	hosts.exe
PID 2556 wrote to memory of 2576	2556	cmd.exe	hosts.exe
PID 2472 wrote to memory of 2480	2472	cmd.exe	hosts.exe
PID 2472 wrote to memory of 2480	2472	cmd.exe	hosts.exe
PID 2472 wrote to memory of 2480	2472	cmd.exe	hosts.exe
PID 2472 wrote to memory of 2480	2472	cmd.exe	hosts.exe
PID 2576 wrote to memory of 1840	2576	hosts.exe	avscan.exe
PID 2576 wrote to memory of 1840	2576	hosts.exe	avscan.exe
PID 2576 wrote to memory of 1840	2576	hosts.exe	avscan.exe
PID 2576 wrote to memory of 1840	2576	hosts.exe	avscan.exe
PID 2556 wrote to memory of 2708	2556	cmd.exe	WScript.exe
PID 2556 wrote to memory of 2708	2556	cmd.exe	WScript.exe
PID 2556 wrote to memory of 2708	2556	cmd.exe	WScript.exe
PID 2556 wrote to memory of 2708	2556	cmd.exe	WScript.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	WScript.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	WScript.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	WScript.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	WScript.exe
PID 2576 wrote to memory of 2800	2576	hosts.exe	cmd.exe
PID 2576 wrote to memory of 2800	2576	hosts.exe	cmd.exe
PID 2576 wrote to memory of 2800	2576	hosts.exe	cmd.exe
PID 2576 wrote to memory of 2800	2576	hosts.exe	cmd.exe
PID 2800 wrote to memory of 2476	2800	cmd.exe	hosts.exe
PID 2800 wrote to memory of 2476	2800	cmd.exe	hosts.exe
PID 2800 wrote to memory of 2476	2800	cmd.exe	hosts.exe
PID 2800 wrote to memory of 2476	2800	cmd.exe	hosts.exe
PID 2800 wrote to memory of 1216	2800	cmd.exe	WScript.exe
PID 2800 wrote to memory of 1216	2800	cmd.exe	WScript.exe
PID 2800 wrote to memory of 1216	2800	cmd.exe	WScript.exe
PID 2800 wrote to memory of 1216	2800	cmd.exe	WScript.exe
PID 2632 wrote to memory of 1540	2632	avscan.exe	REG.exe
PID 2632 wrote to memory of 1540	2632	avscan.exe	REG.exe
PID 2632 wrote to memory of 1540	2632	avscan.exe	REG.exe
PID 2632 wrote to memory of 1540	2632	avscan.exe	REG.exe
PID 2576 wrote to memory of 2536	2576	hosts.exe	REG.exe
PID 2576 wrote to memory of 2536	2576	hosts.exe	REG.exe
PID 2576 wrote to memory of 2536	2576	hosts.exe	REG.exe
PID 2576 wrote to memory of 2536	2576	hosts.exe	REG.exe
PID 2632 wrote to memory of 3000	2632	avscan.exe	REG.exe
PID 2632 wrote to memory of 3000	2632	avscan.exe	REG.exe
PID 2632 wrote to memory of 3000	2632	avscan.exe	REG.exe
PID 2632 wrote to memory of 3000	2632	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Impair Defenses: Safe Mode Boot
- Modifies registry key
PID:2524

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\windows\hosts.exe
C:\windows\hosts.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
6⤵
- Adds policy Run key to start application
PID:1216

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:2536

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:976

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:2708

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1540

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:2672

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
1.6MB

MD5
b7a7d0f555c55e74ddb44eac81d5e5a9

SHA1
70fd7258d6186c8884d9fa6437f6d15ad24c7d24

SHA256
cba8623b09b7c90e3ad2752e4de1f4d09e25a4fe63eec0022b7747024f232898

SHA512
fd8c1c45f628f5d71006b1479f14c09821152ef904e388c185d4daad3cd088402d6dc94a3d9c375db5fb694954c881f601adca69dc39823ff2868f04758b8009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
2.3MB

MD5
c265a5dc808057c5398fd772f12392f1

SHA1
6268496d4de1586d2d47dd3c2999ca5bfd2d892a

SHA256
08d6e4038bae984c8290aa8f5d40ed6323403ad0c68897f3d4cb4353218ef1de

SHA512
c617a1382a0ca54841b562db0ed81a869838669ca0462229edd92f6b670254b27433076c79653f4489c2575429fb8bd743962c0d2d5bb00762cc15aef1e22b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
3.1MB

MD5
141bf10dcdaea11997c446b808436bdc

SHA1
0f6aa92ba71ad63cb53b8d0252ce8aa377e391ae

SHA256
488523eb9d70389b5a05abaa0531352ddf6887177d40cd601286281d170481b6

SHA512
a3d3c03a65c7d543ae6f6661eb2afb68fefbc39e22f1760352dce925121b68490d1fa26d6e4b6d30fec4b26012eb30d3f340b5ccda87aae1cc2210f42f1757f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
3.8MB

MD5
e2b1a2420956f221d32119c83a319ccd

SHA1
2cb52ea266e082d7109cc16332a3b0ea119fdd50

SHA256
4b276c54925361908a2e9a684ff620910b51326bebef225af18a0563596f0d5e

SHA512
11c392a13d643e36e752efa71846e297671eeab7948a5cbec815598d4e95c3bf7df35ecc9409aa3e6422253106bf144f8c5bb55ee78cefc3a85131b6448097d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
4.6MB

MD5
49e7d9606bd3685b03d8bb4beb6a49f7

SHA1
0780e5be07492e11d023bfca026dc265f1be55c4

SHA256
cf0c9a2091a3b252dbf05af2869cb8b552e2ca3c322fd7c4616c4b102465cf44

SHA512
a3de2dab84daadbb8b1914c27c4c5dbb4756b385d695a6034b2da3bf5f599c58a07af26e52bebcec43fcfb30437e58624a33a81f15686fed3f42a84248a38fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
5.3MB

MD5
6567cd940d87f7ed0a703daacfdbf437

SHA1
e488a0d21ff302d56ff3d63b39833a6e871445c3

SHA256
6d6af6c7a8dd4c30805ef93ecc70b7c1408dc73b0f5f7517c4bd85c7a67a43b6

SHA512
fcc4e4278f33a2b61d061a5a5bf8564b6356fc468c4193b15773c54c72ffd1a33f6951412d552ec24a2a3d1bde7629f913fc994a82620fc50f9f433a5c45798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
6.1MB

MD5
c96abbf77dea18ef6dd17c638a9cf6ab

SHA1
ce6460ddc4aef7fd4937ebd86907b280bb81ccbf

SHA256
9eeeb6827b89ce118893990802a72b9e15fed82988344e5b634b787a2cb9d168

SHA512
87eed286bd6b3736900d1de55d602d4d0466fd25367ba1ee3e9080568d3a10f5b93a02958b8d762a0192da3ea976ac9edfbb8085349c47ea4b3d5d4480e5020b

Download Submit
C:\Windows\W_X_C.vbs
Filesize
195B

MD5
48be31f3b385b25234d50fee7d3cdc33

SHA1
c66a6bd8c2b306dc128f837a91c4808cc64f5e9f

SHA256
7b0f52e98dc92ff9a366d43d0140542d480cb44f5beccf0a97be1e871a98fb3c

SHA512
07681e3171b98c67611c6ce7fe565eba5816647040d7f8449262a4f37d2b6ebcb5501a21144878776ec94aaae870d3d561ccceae22346003b7d8b23d57061b44

Download Submit
C:\Windows\hosts.exe
Filesize
769KB

MD5
6373eb5df078e1adb896713041222464

SHA1
fde5b4b5fc215b99ef841b9a5d9c5ac888f9aafc

SHA256
9ff91d31e0097bb71f450557149899ef1de0b7f1c51c32cdaa808215b4517c8f

SHA512
2c758183e3dfb1ac92853a79dcda06d25e205076bc23609f65bcda79622eda33cc50a2870291fd05341b3ec57c4f3b55f0e37acfd351e356a2657ef8991e7c27

Download Submit
\??\c:\windows\W_X_C.bat
Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
769KB

MD5
3c639b342efd2f23aa67e0fe793db550

SHA1
94e355b78618baebd32926c88672abd5a3ff3e35

SHA256
1a4895e545c0e49b513a0a9051f587dcc09ce4e9396bb43ae1ab46bf9c71d61f

SHA512
ebbc3be8534e88c2005480c328661497a6a379513ce3061280e89093e6d94652426616e41303bc45c5819621dd9b538c1cbf651f95b5c4a10f977d9ddef4d6f3

Download Submit
memory/2556-61-0x0000000002500000-0x0000000002600000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads