hiverat | 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712

Analysis

max time kernel
151s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
Size

1.8MB
MD5

31431004556597a633f858c122c85b60
SHA1

fea5847bb6a5daae2688e349c827e30c51b4485f
SHA256

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712
SHA512

7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd

Score

10^/10

hiverat warzonerat infostealer rat stealer

Malware Config

Extracted

Family

warzonerat

hive01.duckdns.org:8584

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

HiveRAT Payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1264-98-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-99-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-101-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-100-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-102-0x000000000044C85E-mapping.dmp	family_hiverat
behavioral1/memory/1264-105-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-107-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-110-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-109-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-111-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-112-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-123-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-129-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-131-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1264-133-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/852-155-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/852-159-0x000000000044CB3E-mapping.dmp	family_hiverat
behavioral1/memory/852-165-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Warzone RAT Payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/112-130-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/112-132-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/112-136-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/112-138-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/112-140-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/112-142-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/112-147-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/112-172-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 10 IoCs

Processes:

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe1.exe2.exe3.exe2.exe1.exe1.exe1.exe3.exe3.exe

pid	process
1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
940	1.exe
888	2.exe
428	3.exe
1264	2.exe
1708	1.exe
1944	1.exe
112	1.exe
364	3.exe
852	3.exe

Drops startup file 7 IoCs

Processes:

2.exe1.exe3.exe08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe

Loads dropped DLL 15 IoCs

Processes:

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe2.exe1.exe3.exeWerFault.exe

pid	process
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
888	2.exe
940	1.exe
940	1.exe
940	1.exe
428	3.exe
428	3.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe2.exe1.exe3.exe

description	pid	process	target process
PID 1472 set thread context of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 888 set thread context of 1264	888	2.exe	2.exe
PID 940 set thread context of 112	940	1.exe	1.exe
PID 428 set thread context of 852	428	3.exe	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1296 852 WerFault.exe 3.exe

pid	pid_target	process	target process
1296	852	WerFault.exe	3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe1.exe2.exe3.exe

pid	process
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
940	1.exe
940	1.exe
940	1.exe
888	2.exe
888	2.exe
888	2.exe
428	3.exe
428	3.exe
428	3.exe
940	1.exe
940	1.exe
940	1.exe
940	1.exe
940	1.exe
940	1.exe
940	1.exe
940	1.exe
888	2.exe
888	2.exe
888	2.exe
888	2.exe
888	2.exe
888	2.exe
888	2.exe
888	2.exe
428	3.exe
428	3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2.exe

pid process

1264 2.exe

pid	process
1264	2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe1.exe2.exe3.exe2.exe

description	pid	process
Token: SeDebugPrivilege	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
Token: SeDebugPrivilege	940	1.exe
Token: SeDebugPrivilege	888	2.exe
Token: SeDebugPrivilege	428	3.exe
Token: SeDebugPrivilege	1264	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe2.exe1.exe3.exe

description	pid	process	target process
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1472 wrote to memory of 1712	1472	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1712 wrote to memory of 940	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	1.exe
PID 1712 wrote to memory of 940	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	1.exe
PID 1712 wrote to memory of 940	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	1.exe
PID 1712 wrote to memory of 940	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	1.exe
PID 1712 wrote to memory of 888	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	2.exe
PID 1712 wrote to memory of 888	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	2.exe
PID 1712 wrote to memory of 888	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	2.exe
PID 1712 wrote to memory of 888	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	2.exe
PID 1712 wrote to memory of 428	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	3.exe
PID 1712 wrote to memory of 428	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	3.exe
PID 1712 wrote to memory of 428	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	3.exe
PID 1712 wrote to memory of 428	1712	08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	3.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 888 wrote to memory of 1264	888	2.exe	2.exe
PID 940 wrote to memory of 1708	940	1.exe	1.exe
PID 940 wrote to memory of 1708	940	1.exe	1.exe
PID 940 wrote to memory of 1708	940	1.exe	1.exe
PID 940 wrote to memory of 1708	940	1.exe	1.exe
PID 940 wrote to memory of 1944	940	1.exe	1.exe
PID 940 wrote to memory of 1944	940	1.exe	1.exe
PID 940 wrote to memory of 1944	940	1.exe	1.exe
PID 940 wrote to memory of 1944	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 940 wrote to memory of 112	940	1.exe	1.exe
PID 428 wrote to memory of 364	428	3.exe	3.exe
PID 428 wrote to memory of 364	428	3.exe	3.exe
PID 428 wrote to memory of 364	428	3.exe	3.exe
PID 428 wrote to memory of 364	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe
PID 428 wrote to memory of 852	428	3.exe	3.exe

C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
  "C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:112
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Users\Admin\AppData\Local\Temp\3.exe
      "C:\Users\Admin\AppData\Local\Temp\3.exe"
      4⤵
      Executes dropped EXE
      PID:364
  - - C:\Users\Admin\AppData\Local\Temp\3.exe
      "C:\Users\Admin\AppData\Local\Temp\3.exe"
      4⤵
      Executes dropped EXE
      PID:852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 532
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe

Filesize
1.8MB

MD5
31431004556597a633f858c122c85b60

SHA1
fea5847bb6a5daae2688e349c827e30c51b4485f

SHA256
08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712

SHA512
7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
585KB

MD5
e1dd367f1baa8889afca69a79dd43abd

SHA1
786dc0378d1008490c9110cc30bcc6a11f6c3c3e

SHA256
56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9

SHA512
b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
585KB

MD5
e1dd367f1baa8889afca69a79dd43abd

SHA1
786dc0378d1008490c9110cc30bcc6a11f6c3c3e

SHA256
56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9

SHA512
b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
585KB

MD5
e1dd367f1baa8889afca69a79dd43abd

SHA1
786dc0378d1008490c9110cc30bcc6a11f6c3c3e

SHA256
56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9

SHA512
b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe

Filesize
1.8MB

MD5
31431004556597a633f858c122c85b60

SHA1
fea5847bb6a5daae2688e349c827e30c51b4485f

SHA256
08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712

SHA512
7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
395KB

MD5
36c32cd064db3a4769d8b8bd99c8500e

SHA1
09d5ddbfa1b429db36dc0321b0767f783bc0cd3e

SHA256
fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f

SHA512
1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
585KB

MD5
e1dd367f1baa8889afca69a79dd43abd

SHA1
786dc0378d1008490c9110cc30bcc6a11f6c3c3e

SHA256
56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9

SHA512
b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
585KB

MD5
e1dd367f1baa8889afca69a79dd43abd

SHA1
786dc0378d1008490c9110cc30bcc6a11f6c3c3e

SHA256
56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9

SHA512
b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
583KB

MD5
d03c9c3cef97ff26426d84a056fbd5f6

SHA1
37bb280fd041626ff9b6ecdda4f323b91fa8445a

SHA256
d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816

SHA512
37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Download Submit
memory/112-142-0x0000000000405CE2-mapping.dmp

Download
memory/112-130-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-119-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-172-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-126-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-132-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-136-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-138-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-147-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-122-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/112-140-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/428-86-0x0000000000000000-mapping.dmp

Download
memory/428-92-0x0000000004710000-0x00000000047A2000-memory.dmp

Filesize
584KB

Download
memory/428-89-0x0000000000BD0000-0x0000000000C68000-memory.dmp

Filesize
608KB

Download
memory/852-159-0x000000000044CB3E-mapping.dmp

Download
memory/852-153-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/852-155-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/852-165-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/888-83-0x0000000000080000-0x0000000000118000-memory.dmp

Filesize
608KB

Download
memory/888-91-0x0000000000830000-0x00000000008C2000-memory.dmp

Filesize
584KB

Download
memory/888-78-0x0000000000000000-mapping.dmp

Download
memory/940-81-0x0000000000CD0000-0x0000000000D32000-memory.dmp

Filesize
392KB

Download
memory/940-76-0x0000000000F10000-0x0000000000F7A000-memory.dmp

Filesize
424KB

Download
memory/940-73-0x0000000000000000-mapping.dmp

Download
memory/1264-100-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-98-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-112-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-111-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-129-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-109-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-131-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-133-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-110-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-107-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-105-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-102-0x000000000044C85E-mapping.dmp

Download
memory/1264-95-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-101-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-99-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-123-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1264-96-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1296-166-0x0000000000000000-mapping.dmp

Download
memory/1472-55-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1472-56-0x0000000004DC0000-0x0000000004F90000-memory.dmp

Filesize
1.8MB

Download
memory/1472-54-0x0000000000060000-0x0000000000236000-memory.dmp

Filesize
1.8MB

Download
memory/1712-67-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1712-63-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1712-64-0x000000000058B57E-mapping.dmp

Download
memory/1712-62-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1712-61-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1712-59-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1712-58-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1712-69-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1712-70-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download