xorist | 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901

Target

3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Size

583KB
MD5

74d4e0e6dcf5cc7942c35e630036af0c
SHA1

c7c4bb3907344aed022d181eb73f8fd812e06f88
SHA256

3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901
SHA512

110bb901dacc153fb484673fd033d2c0f9a3f7cbfd73a46f54c44c1f699796844b68db5a860cbbb5be08c03f4ad9dfcd25feb71fc8a9b37445e137a002e6a8eb

Score

10^/10

xorist persistence ransomware upx

Malware Config

Signatures

Detected Xorist Ransomware 4 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab71-6.dat	family_xorist
behavioral2/files/0x000200000001ab72-11.dat	family_xorist
behavioral2/files/0x000200000001ab71-10.dat	family_xorist
behavioral2/files/0x000200000001ab72-8.dat	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Executes dropped EXE 3 IoCs

pid	Process
3912	javas.exe
3856	javas2.exe
3596	asat2.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000000687-4.dat	upx
behavioral2/files/0x000200000001ab71-6.dat	upx
behavioral2/files/0x0008000000000687-9.dat	upx
behavioral2/files/0x000200000001ab72-11.dat	upx
behavioral2/files/0x000200000001ab71-10.dat	upx
behavioral2/files/0x000200000001ab72-8.dat	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe"	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	javas2.exe

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	javas2.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	javas2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	javas.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	asat2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	javas2.exe
File opened for modification	C:\Program Files\desktop.ini	asat2.exe
File opened for modification	C:\Program Files\desktop.ini	javas.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	asat2.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	javas.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\HOW TO DECRYPT FILES.txt	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\tr.pak	javas.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font_t2k.dll	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	javas2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms	javas.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms	javas2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms	javas2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.dll	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar	asat2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\chrome.exe.sig	javas2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoDev.png	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar	javas.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\HOW TO DECRYPT FILES.txt	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-progress.jar	asat2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\GRAY.pf	javas2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms	javas2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms	javas2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\bn.pak	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	javas.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms	javas.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	javas2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP	asat2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar	javas2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\prism_common.dll	javas.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	javas2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	javas2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms	javas2.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar	javas2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms	javas.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	asat2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll	asat2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\ = "CRYPTED!"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open\command	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\ = "CRYPTED!"	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "PJVOKWEVLGZLZWN"	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\DefaultIcon	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe"	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\ = "CRYPTED!"	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe,0"	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\DefaultIcon	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open\command	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe,0"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\DefaultIcon	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe"	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "YYCMXMJNMOUGWFB"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open\command	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "QTWVCXAHKDHGIML"	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe,0"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe"	javas2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3116	PING.EXE
4028	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3912	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	74
PID 3324 wrote to memory of 3912	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	74
PID 3324 wrote to memory of 3912	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	74
PID 3324 wrote to memory of 3856	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	76
PID 3324 wrote to memory of 3856	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	76
PID 3324 wrote to memory of 3856	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	76
PID 3324 wrote to memory of 3596	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	77
PID 3324 wrote to memory of 3596	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	77
PID 3324 wrote to memory of 3596	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	77
PID 3324 wrote to memory of 3320	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	78
PID 3324 wrote to memory of 3320	3324	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	78
PID 3320 wrote to memory of 3116	3320	cmd.exe	80
PID 3320 wrote to memory of 3116	3320	cmd.exe	80
PID 3320 wrote to memory of 4028	3320	cmd.exe	81
PID 3320 wrote to memory of 4028	3320	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
"C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\javas.exe
  "C:\Users\Admin\AppData\Local\Temp\javas.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  PID:3912
- C:\Users\Admin\AppData\Local\Temp\javas2.exe
  "C:\Users\Admin\AppData\Local\Temp\javas2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\asat2.exe
  "C:\Users\Admin\AppData\Local\Temp\asat2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  PID:3596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:3116
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:4028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3324-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3324-0-0x00007FFB8ADB0000-0x00007FFB8B79C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General