dbfbc98581c82723ed3c35b156ef0924fad11271e0c3c6c6b8447e7e02b05a5d

Analysis

max time kernel
360s
max time network
362s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
Size

49KB
MD5

c2734e516454c7af7354a7a4d25cdfa1
SHA1

ad062ffc6cc642ed47549f172e085c15e4902466
SHA256

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97
SHA512

dc32973cbe1b12f27c9d78702f8efb307f48f521529d0ad4cd70426bfcacb697a3dd761246cc7bd40235c51d7b1bced2eeee78bd7ac82ad297c314a80d753367
SSDEEP

1536:dQFgpLzLiugEBVw9wrLM+7UUjl0FSrXaN:CF4zLi9EBpg+3XaN

Score

10^/10

defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.hta

Ransom Note

<!DOCTYPE html> <html> <head> <title>SORCERY RANSOMWARE NOTE</title> <style> body { background-color: black; color: green; font-family: Arial, sans-serif; } .important { color: red; } h1, h2 { color: red; } </style> </head> <body> <h1>SORCERY RANSOMWARE NOTE</h1> <h2>What happened?</h2> <p>All of your files are encrypted and stolen. Stolen data will be published soon on our Tor website. There is no way to recover your data and prevent data leakage without us. <span class='important'>Decryption is not possible without the private key.</span> Don't waste your and our time trying to recover your files on your own; it is impossible without our help.</p> <h2>What is Ransomware?</h2> <p>Ransomware is a type of malicious software that encrypts your files and demands a ransom payment to restore access to them. Once your files are encrypted, you will not be able to open or use them without a special decryption key. In addition to encrypting your files, ransomware can also steal your data and threaten to publish it if the ransom is not paid.</p> <h2>What is a Decryptor?</h2> <p>A decryptor is a tool that can reverse the encryption applied by ransomware, allowing you to regain access to your files. The decryptor requires a unique private key, which is held by the attackers. Without this key, it is impossible to decrypt your files.</p> <h2>How to recover files & prevent leakage?</h2> <p>We promise that you can recover all your files safely and prevent data leakage. <span class='important'>We can do it!</span></p> <h2>Contact Us</h2> <p><span class='important'>Email:</span> [email protected]</p> <p><span class='important'>Enter DECRYPTION ID:</span> S10</p> <p>You need to contact us within <span class='important'>24 hours</span> so that we can discuss the price for the decryptor.</p> </body> </html>

Emails

[email protected]</p>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2612 rundll32.exe
1940 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exerundll32.exe

pid process

2288 275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
2612 rundll32.exe

pid	process
2612	rundll32.exe
1940	rundll32.exe

pid	process
2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
2612	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exerundll32.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\HWMonitor\\HWMonitor.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\README = "C:\\Users\\Admin\\AppData\\Local\\rundll32.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\HWMonitor\\HWMonitor.exe"	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3YLjWsTbP.jpg"	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exerundll32.exe

description	pid	process	target process
PID 1700 set thread context of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 2612 set thread context of 1940	2612	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2024 vssadmin.exe

pid	process
2024	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

powershell.exepowershell.exerundll32.exe

pid	process
1996	powershell.exe
2656	powershell.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exepowershell.exerundll32.exepowershell.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1940	rundll32.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeBackupPrivilege	1484	vssvc.exe
Token: SeRestorePrivilege	1484	vssvc.exe
Token: SeAuditPrivilege	1484	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exerundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	powershell.exe
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	powershell.exe
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	powershell.exe
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	powershell.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 2612 wrote to memory of 2656	2612	rundll32.exe	powershell.exe
PID 2612 wrote to memory of 2656	2612	rundll32.exe	powershell.exe
PID 2612 wrote to memory of 2656	2612	rundll32.exe	powershell.exe
PID 2612 wrote to memory of 2656	2612	rundll32.exe	powershell.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 2612 wrote to memory of 1940	2612	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 2932	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2932	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2932	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2932	1940	rundll32.exe	cmd.exe
PID 2932 wrote to memory of 2024	2932	cmd.exe	vssadmin.exe
PID 2932 wrote to memory of 2024	2932	cmd.exe	vssadmin.exe
PID 2932 wrote to memory of 2024	2932	cmd.exe	vssadmin.exe
PID 2932 wrote to memory of 2024	2932	cmd.exe	vssadmin.exe
PID 2932 wrote to memory of 2100	2932	cmd.exe	WMIC.exe
PID 2932 wrote to memory of 2100	2932	cmd.exe	WMIC.exe
PID 2932 wrote to memory of 2100	2932	cmd.exe	WMIC.exe
PID 2932 wrote to memory of 2100	2932	cmd.exe	WMIC.exe
PID 1940 wrote to memory of 2308	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2308	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2308	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2308	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2564	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2564	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2564	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 2564	1940	rundll32.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
"C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
"C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\rundll32.exe
"C:\Users\Admin\AppData\Local\rundll32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\AppData\Local\rundll32.exe
"C:\Users\Admin\AppData\Local\rundll32.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
5⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:2024

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
5⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
5⤵
PID:2564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1683c8d22e25d55d9a02ed59a795105c

SHA1
3b167e2df262d02b09a18495c28c5d77346f23f4

SHA256
9af44f3b0c0ce1ed2ffbe672c299337e61f72bed511740a722dcc86da4e36de8

SHA512
233162200cc8bc52deb8a4e81de0aaec20cd7de250793586a5fbf482359bf9e7f24bb381f36be05fa0268b358ca777c2c0412c32e843ad7a0a45f54b85f4d24c

Download Submit
C:\Users\Admin\Desktop\README.hta
Filesize
1KB

MD5
72c1db68d8b6d084a4649a8e645b4b9b

SHA1
b2412983edbb2f85abcf091d2df8d01cb52a6116

SHA256
c3c694124e9ae89e652cd8294ff0d0c452c7185db91fc8758198ce15d83ab1ed

SHA512
77ef54064c7ed8bab1903b2d8d22942943fc0ac1757b5404e53deb3374edd97e14069741730170198e8bd7a24dba79942f6eebd26b2651c71d640b834dd41ff7

Download Submit
\Users\Admin\AppData\Local\rundll32.exe
Filesize
49KB

MD5
c2734e516454c7af7354a7a4d25cdfa1

SHA1
ad062ffc6cc642ed47549f172e085c15e4902466

SHA256
275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97

SHA512
dc32973cbe1b12f27c9d78702f8efb307f48f521529d0ad4cd70426bfcacb697a3dd761246cc7bd40235c51d7b1bced2eeee78bd7ac82ad297c314a80d753367

Download Submit
memory/1700-1-0x00000000013B0000-0x00000000013C2000-memory.dmp

Filesize
72KB

Download
memory/1700-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-3-0x000000007407E000-0x000000007407F000-memory.dmp

Filesize
4KB

Download
memory/1700-4-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-5-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1700-19-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-0-0x000000007407E000-0x000000007407F000-memory.dmp

Filesize
4KB

Download
memory/1940-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-20-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-31-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2612-30-0x00000000001A0000-0x00000000001B2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads