Analysis
  max time kernel: 126s
  max time network: 153s
  platform: windows7_x64
  resource: win7v20210410
  submitted: 18-06-2021 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
  Resource: win10v20210410
General
  Target: 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
  Size: 7.8MB
  MD5: 8d44ccac6b5512a416339984ad664d79
  SHA1: 6152e1a374fd572d25fab8baae9d1b12116a7c35
  SHA256: 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
  SHA512: c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7
Malware Config
Signatures
Klingon RAT Payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral1/files/0x0003000000013104-62.dat | family_klingon
  behavioral1/files/0x0003000000013104-63.dat | family_klingon
  behavioral1/files/0x0003000000013104-65.dat | family_klingon
Executes dropped EXE 2 IoCs
Processes:
  pid | Process
  1780 | updater10.exe
  860 | 008100038.exe
Loads dropped DLL 3 IoCs
Processes:
  pid | Process
  2040 | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
  2040 | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
  1780 | updater10.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0" | updater10.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  3 | api.ipify.org
  4 | api.ipify.org
  7 | api.ipify.org
Discovers systems in the same network 1 TTPs 2 IoCs
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid | Process
  1676 | ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

Modifies system certificate store
Processes:
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | updater10.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value elided) | updater10.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value elided) | updater10.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value elided) | updater10.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
  pid | Process
  860 | 008100038.exe (recorded 7 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | Process
  Each row is "Token: <privilege> | <pid> | wmic.exe". The following 20 privileges were adjusted, in this order, twice by PID 740 (wmic.exe) and once by PID 936 (wmic.exe), after which PID 936 adjusted the first four again (64 entries in total):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
  description | pid | Process | procid_target
  (each row below was recorded 3 times; 48 entries in total)
  PID 2040 wrote to memory of 740 | 2040 | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe | 30
  PID 2040 wrote to memory of 1808 | 2040 | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe | 32
  PID 2040 wrote to memory of 936 | 2040 | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe | 33
  PID 2040 wrote to memory of 1780 | 2040 | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe | 34
  PID 1780 wrote to memory of 1400 | 1780 | updater10.exe | 35
  PID 1780 wrote to memory of 772 | 1780 | updater10.exe | 36
  PID 1780 wrote to memory of 1052 | 1780 | updater10.exe | 37
  PID 1780 wrote to memory of 860 | 1780 | updater10.exe | 38
  PID 1780 wrote to memory of 1660 | 1780 | updater10.exe | 39
  PID 1780 wrote to memory of 1676 | 1780 | updater10.exe | 41
  PID 1780 wrote to memory of 440 | 1780 | updater10.exe | 42
  PID 1780 wrote to memory of 280 | 1780 | updater10.exe | 43
  PID 1780 wrote to memory of 1764 | 1780 | updater10.exe | 44
  PID 1764 wrote to memory of 1156 | 1764 | net.exe | 45
  PID 1780 wrote to memory of 1400 | 1780 | updater10.exe | 46
  PID 1780 wrote to memory of 1016 | 1780 | updater10.exe | 47
Processes
(indentation shows the parent/child level of each process)

C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
  command: "C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"
  PID: 2040
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\wmic.exe
    command: wmic process get Caption,ParentProcessId,ProcessId
    PID: 740
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe
    command: C:\Windows\System32\cmd.exe ver
    PID: 1808

  C:\Windows\System32\Wbem\wmic.exe
    command: wmic process get Caption,ParentProcessId,ProcessId
    PID: 936
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
    command: "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
    PID: 1780
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe
      command: wmic process get Caption,ParentProcessId,ProcessId
      PID: 1400

    C:\Windows\System32\cmd.exe
      command: C:\Windows\System32\cmd.exe ver
      PID: 772

    C:\Windows\System32\Wbem\wmic.exe
      command: wmic process get Caption,ParentProcessId,ProcessId
      PID: 1052

    C:\Users\Admin\AppData\Local\Temp\008100038.exe
      command: C:\Users\Admin\AppData\Local\Temp\008100038.exe
      PID: 860
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\systeminfo.exe
      command: systeminfo
      PID: 1660
      - Gathers system information

    C:\Windows\system32\ipconfig.exe
      command: ipconfig /all
      PID: 1676
      - Gathers network information

    C:\Windows\system32\net.exe
      command: net view /all
      PID: 440
      - Discovers systems in the same network

    C:\Windows\system32\net.exe
      command: net view /all domain
      PID: 280
      - Discovers systems in the same network

    C:\Windows\system32\net.exe
      command: net users /domain
      PID: 1764
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe
        command: C:\Windows\system32\net1 users /domain
        PID: 1156

    C:\Windows\system32\nltest.exe
      command: nltest /domain_trusts
      PID: 1400

    C:\Windows\system32\nltest.exe
      command: nltest /domain_trusts /all_trusts
      PID: 1016
Network
MITRE ATT&CK Enterprise v6
Downloads