netwire | 0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e

General

Target

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Size

2.6MB
MD5

c61b4229f2a9e1d05569736a4faf29d1
SHA1

2e1207d54b55dd7aad206b2722696b1b07953e64
SHA256

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e
SHA512

9bffa6b6afefa1f9c40c19b5e89803ce0be56ea92dd8c6f585f9275a998e6c71a9f08b8604f6885ce02aea2c471dd10ff0c6eb6a8ddb49188aec9e99b99f7a0c

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

haija.mine.nu:1338

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Data Encoder
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
qays1122
registry_autorun
false
use_mutex
false

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe\""	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1032-76-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral1/memory/1032-77-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral1/memory/1032-78-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral1/memory/1032-80-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral1/memory/1032-81-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral1/memory/1032-82-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral1/memory/1032-83-0x0000000000402453-mapping.dmp	netwire
behavioral1/memory/1032-86-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral1/memory/1032-103-0x0000000000400000-0x0000000000437000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Drops startup file 2 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	pid	process	target process
PID 1156 set thread context of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1920 powershell.exe
1992 powershell.exe
2020 powershell.exe
1960 powershell.exe

pid	process
1920	powershell.exe
1992	powershell.exe
2020	powershell.exe
1960	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	pid	process	target process
PID 1156 wrote to memory of 2020	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 2020	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 2020	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 2020	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1992	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1992	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1992	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1992	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1960	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1960	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1960	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1960	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1920	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1920	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1920	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1920	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 1156 wrote to memory of 1032	1156	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
"C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
"C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"
2⤵
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

3

T1089

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
741486b4eefa208f71a86095fa8be107

SHA1
3d553ee27b52a52c95d177f12e94cec28d6da20a

SHA256
9e9caf07c5691885142f6f4c110540d7dfb3e7f432f60db3b7f295b7d429ca45

SHA512
768a6224e30df658530ed12b6da72bf81d0540fd0c75132b4e94cdccd9e9e3049aed04259c4db4d31945c5e404e571a6a1da6a53f7ed56edca761b236ad892ec

Download Submit
memory/1032-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-91-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1032-87-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1032-86-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-83-0x0000000000402453-mapping.dmp

Download
memory/1032-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-78-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-77-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-76-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-74-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-82-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1156-54-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1156-55-0x0000000004130000-0x0000000004176000-memory.dmp

Filesize
280KB

Download
memory/1920-66-0x000000006EE60000-0x000000006F40B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-61-0x0000000000000000-mapping.dmp

Download
memory/1960-58-0x0000000000000000-mapping.dmp

Download
memory/1960-68-0x000000006EEC0000-0x000000006F46B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-70-0x000000006EEC0000-0x000000006F46B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-65-0x000000006EE60000-0x000000006F40B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-57-0x0000000000000000-mapping.dmp

Download
memory/1992-59-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/2020-67-0x000000006EEC0000-0x000000006F46B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-56-0x0000000000000000-mapping.dmp

Download
memory/2020-69-0x000000006EEC0000-0x000000006F46B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads