hiverat | 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

Analysis

max time kernel
170s
max time network
59s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
Size

1.8MB
MD5

4e7eb50a75f8bf74751576cdd5381809
SHA1

7e0dfbdd505b9451513b828e4d392e164fe566e9
SHA256

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c
SHA512

05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3

Score

10^/10

hiverat warzonerat infostealer rat stealer

Malware Config

Extracted

Family

warzonerat

hive01.duckdns.org:8584

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

HiveRAT Payload 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-111-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-113-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-117-0x000000000044C85E-mapping.dmp	family_hiverat
behavioral1/memory/836-121-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1372-124-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1372-125-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1372-133-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1372-131-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1372-128-0x000000000044CB3E-mapping.dmp	family_hiverat
behavioral1/memory/1372-127-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1372-126-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-123-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-114-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-112-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-145-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-147-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-146-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-142-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-138-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-137-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-136-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/836-135-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Warzone RAT Payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1052-99-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1052-102-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1052-103-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1052-104-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1052-101-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1052-98-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1052-156-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 7 IoCs

Processes:

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe1.exe2.exe3.exe1.exe2.exe3.exe

pid process

784 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1168 1.exe
2036 2.exe
1932 3.exe
1052 1.exe
836 2.exe
1372 3.exe

pid	process
784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1168	1.exe
2036	2.exe
1932	3.exe
1052	1.exe
836	2.exe
1372	3.exe

Drops startup file 8 IoCs

Processes:

3.exe2.exe0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe	2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	3.exe

Loads dropped DLL 9 IoCs

Processes:

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exeWerFault.exe

pid	process
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe1.exe2.exe3.exe

description	pid	process	target process
PID 1672 set thread context of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1168 set thread context of 1052	1168	1.exe	1.exe
PID 2036 set thread context of 836	2036	2.exe	2.exe
PID 1932 set thread context of 1372	1932	3.exe	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1892 1372 WerFault.exe 3.exe

pid	pid_target	process	target process
1892	1372	WerFault.exe	3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe1.exe3.exe2.exe

pid	process
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
1168	1.exe
1168	1.exe
1168	1.exe
1932	3.exe
2036	2.exe
1932	3.exe
1932	3.exe
2036	2.exe
2036	2.exe
1168	1.exe
1168	1.exe
1168	1.exe
1168	1.exe
1168	1.exe
1168	1.exe
1168	1.exe
1168	1.exe
1932	3.exe
1932	3.exe
1932	3.exe
1932	3.exe
1932	3.exe
1932	3.exe
1932	3.exe
1168	1.exe
1932	3.exe
1168	1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2.exe

pid process

836 2.exe

pid	process
836	2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe1.exe3.exe2.exe2.exe

description	pid	process
Token: SeDebugPrivilege	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
Token: SeDebugPrivilege	1168	1.exe
Token: SeDebugPrivilege	1932	3.exe
Token: SeDebugPrivilege	2036	2.exe
Token: SeDebugPrivilege	836	2.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe1.exe2.exe3.exe3.exe

description	pid	process	target process
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 1672 wrote to memory of 784	1672	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
PID 784 wrote to memory of 1168	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	1.exe
PID 784 wrote to memory of 1168	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	1.exe
PID 784 wrote to memory of 1168	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	1.exe
PID 784 wrote to memory of 1168	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	1.exe
PID 784 wrote to memory of 2036	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	2.exe
PID 784 wrote to memory of 2036	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	2.exe
PID 784 wrote to memory of 2036	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	2.exe
PID 784 wrote to memory of 2036	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	2.exe
PID 784 wrote to memory of 1932	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	3.exe
PID 784 wrote to memory of 1932	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	3.exe
PID 784 wrote to memory of 1932	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	3.exe
PID 784 wrote to memory of 1932	784	0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe	3.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 1168 wrote to memory of 1052	1168	1.exe	1.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 2036 wrote to memory of 836	2036	2.exe	2.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1932 wrote to memory of 1372	1932	3.exe	3.exe
PID 1372 wrote to memory of 1892	1372	3.exe	WerFault.exe
PID 1372 wrote to memory of 1892	1372	3.exe	WerFault.exe
PID 1372 wrote to memory of 1892	1372	3.exe	WerFault.exe
PID 1372 wrote to memory of 1892	1372	3.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
"C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
  "C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Users\Admin\AppData\Roaming\1.exe
    "C:\Users\Admin\AppData\Roaming\1.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Users\Admin\AppData\Roaming\1.exe
      "C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Executes dropped EXE
      PID:1052
- - C:\Users\Admin\AppData\Roaming\3.exe
    "C:\Users\Admin\AppData\Roaming\3.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Users\Admin\AppData\Roaming\3.exe
      "C:\Users\Admin\AppData\Roaming\3.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 528
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1892
- - C:\Users\Admin\AppData\Roaming\2.exe
    "C:\Users\Admin\AppData\Roaming\2.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Roaming\2.exe
      "C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe

Filesize
1.8MB

MD5
4e7eb50a75f8bf74751576cdd5381809

SHA1
7e0dfbdd505b9451513b828e4d392e164fe566e9

SHA256
0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

SHA512
05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
393KB

MD5
ea33ef88c0e9cf45dcd70dc971c46e02

SHA1
68bad4331a4f108a7ced1dfe0e87a63fc5ded774

SHA256
6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709

SHA512
37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
393KB

MD5
ea33ef88c0e9cf45dcd70dc971c46e02

SHA1
68bad4331a4f108a7ced1dfe0e87a63fc5ded774

SHA256
6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709

SHA512
37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
393KB

MD5
ea33ef88c0e9cf45dcd70dc971c46e02

SHA1
68bad4331a4f108a7ced1dfe0e87a63fc5ded774

SHA256
6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709

SHA512
37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
585KB

MD5
bf400de7c5e0fb5fe483cb09c0ccb745

SHA1
46199385eb5aeccd6638d77a980c780344ac8ace

SHA256
fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc

SHA512
255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
585KB

MD5
bf400de7c5e0fb5fe483cb09c0ccb745

SHA1
46199385eb5aeccd6638d77a980c780344ac8ace

SHA256
fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc

SHA512
255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
585KB

MD5
bf400de7c5e0fb5fe483cb09c0ccb745

SHA1
46199385eb5aeccd6638d77a980c780344ac8ace

SHA256
fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc

SHA512
255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe

Filesize
1.8MB

MD5
4e7eb50a75f8bf74751576cdd5381809

SHA1
7e0dfbdd505b9451513b828e4d392e164fe566e9

SHA256
0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

SHA512
05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3

Download Submit
\Users\Admin\AppData\Roaming\1.exe

Filesize
393KB

MD5
ea33ef88c0e9cf45dcd70dc971c46e02

SHA1
68bad4331a4f108a7ced1dfe0e87a63fc5ded774

SHA256
6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709

SHA512
37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998

Download Submit
\Users\Admin\AppData\Roaming\2.exe

Filesize
585KB

MD5
bf400de7c5e0fb5fe483cb09c0ccb745

SHA1
46199385eb5aeccd6638d77a980c780344ac8ace

SHA256
fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc

SHA512
255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
memory/784-70-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/784-59-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/784-58-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/784-63-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/784-69-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/784-64-0x000000000058AF7E-mapping.dmp

Download
memory/784-61-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/784-67-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/784-62-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/836-113-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-138-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-114-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-112-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-145-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-147-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-146-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-142-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-121-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-135-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-137-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-117-0x000000000044C85E-mapping.dmp

Download
memory/836-123-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-108-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-109-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/836-111-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1052-104-0x0000000000405CE2-mapping.dmp

Download
memory/1052-94-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-98-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-156-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-101-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-93-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-103-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-102-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-99-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1052-96-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1168-78-0x0000000000AD0000-0x0000000000B38000-memory.dmp

Filesize
416KB

Download
memory/1168-83-0x0000000000300000-0x0000000000362000-memory.dmp

Filesize
392KB

Download
memory/1168-73-0x0000000000000000-mapping.dmp

Download
memory/1372-127-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1372-124-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1372-126-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1372-128-0x000000000044CB3E-mapping.dmp

Download
memory/1372-131-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1372-133-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1372-125-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1372-116-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1672-56-0x0000000005040000-0x0000000005210000-memory.dmp

Filesize
1.8MB

Download
memory/1672-54-0x0000000000E90000-0x0000000001066000-memory.dmp

Filesize
1.8MB

Download
memory/1672-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1892-153-0x0000000000000000-mapping.dmp

Download
memory/1932-89-0x0000000001270000-0x0000000001308000-memory.dmp

Filesize
608KB

Download
memory/1932-92-0x00000000011D0000-0x0000000001262000-memory.dmp

Filesize
584KB

Download
memory/1932-86-0x0000000000000000-mapping.dmp

Download
memory/2036-82-0x0000000000BA0000-0x0000000000C38000-memory.dmp

Filesize
608KB

Download
memory/2036-77-0x0000000000000000-mapping.dmp

Download
memory/2036-90-0x0000000000890000-0x0000000000922000-memory.dmp

Filesize
584KB

Download