Analysis
-
max time kernel: 152s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 03-10-2022 00:45
Static task: static1
Behavioral task: behavioral1
Sample: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Resource: win7-20220812-en
General
-
Target: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Size: 1.0MB
MD5: 788b37226d3f0a126a24396a0d4c90e4
SHA1: e6cf3e41c10e7dbbf9aba2a9c661124b794c0068
SHA256: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7
SHA512: 4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5
SSDEEP: 24576:9BxT7o15hf9CMU07DKiWMNT8e7EloFmGzHaI49CpV:9LTslUMF7DsCEljGv4wL
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes (pid | process):
1084 | natsv.exe
1104 | dnsmon.exe
3604 | natsv.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | natsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | dnsmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | natsv.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows (flow | ioc):
15 | whatismyipaddress.com
19 | whatismyipaddress.com
28 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 6 IoCs
Processes (description | pid | process | target process):
PID 2036 set thread context of 4172 | 2036 | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe | RegAsm.exe
PID 1104 set thread context of 680 | 1104 | dnsmon.exe | RegAsm.exe
PID 4172 set thread context of 2620 | 4172 | RegAsm.exe | vbc.exe
PID 680 set thread context of 4820 | 680 | RegAsm.exe | vbc.exe
PID 680 set thread context of 3292 | 680 | RegAsm.exe | vbc.exe
PID 4172 set thread context of 4788 | 4172 | RegAsm.exe | vbc.exe
-
Drops file in Windows directory 2 IoCs
Processes (description | ioc | process):
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process; 64 entries, repeated identical rows collapsed):
2036 | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1084 | natsv.exe
1104 | dnsmon.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes (pid | process):
4172 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 2036 | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Token: SeDebugPrivilege | 2036 | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Token: SeDebugPrivilege | 1084 | natsv.exe
Token: SeDebugPrivilege | 1104 | dnsmon.exe
Token: SeDebugPrivilege | 1104 | dnsmon.exe
Token: SeDebugPrivilege | 4172 | RegAsm.exe
Token: SeDebugPrivilege | 3604 | natsv.exe
Token: SeDebugPrivilege | 680 | RegAsm.exe
Token: SeDebugPrivilege | 2620 | vbc.exe
Token: SeDebugPrivilege | 4820 | vbc.exe
Token: SeDebugPrivilege | 3292 | vbc.exe
Token: SeDebugPrivilege | 4788 | vbc.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid | process):
680 | RegAsm.exe
4172 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process; 64 entries, repeated identical rows collapsed):
PID 2036 wrote to memory of 3824 | 2036 | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe | cmd.exe
PID 2036 wrote to memory of 4172 | 2036 | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe | RegAsm.exe
PID 2036 wrote to memory of 204 | 2036 | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe | cmd.exe
PID 204 wrote to memory of 1084 | 204 | cmd.exe | natsv.exe
PID 1084 wrote to memory of 3884 | 1084 | natsv.exe | cmd.exe
PID 1084 wrote to memory of 1104 | 1084 | natsv.exe | dnsmon.exe
PID 1104 wrote to memory of 680 | 1104 | dnsmon.exe | RegAsm.exe
PID 1104 wrote to memory of 2332 | 1104 | dnsmon.exe | cmd.exe
PID 2332 wrote to memory of 3604 | 2332 | cmd.exe | natsv.exe
PID 3604 wrote to memory of 5004 | 3604 | natsv.exe | cmd.exe
PID 4172 wrote to memory of 2620 | 4172 | RegAsm.exe | vbc.exe
PID 680 wrote to memory of 4820 | 680 | RegAsm.exe | vbc.exe
PID 680 wrote to memory of 3292 | 680 | RegAsm.exe | vbc.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
-
Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe"
-
Level 4: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
-
Level 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
- Suspicious use of WriteProcessMemory
-
Level 6: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\natsv.exe.log
Filesize: 128B
MD5: a5dcc7c9c08af7dddd82be5b036a4416
SHA1: 4f998ca1526d199e355ffb435bae111a2779b994
SHA256: e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA512: 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize: 321B
MD5: e62221a3bb549a72fcc4afa60d34e620
SHA1: d60b16b540e0e3ed459a30cce0678d1fc8a1989a
SHA256: 587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95
SHA512: 5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize: 321B
MD5: c3609e29395ccd5fd8407fed36414e75
SHA1: 04c0c5dc3fcced0c5581c44af17fa60260fb591a
SHA256: a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857
SHA512: 8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize: 1.0MB
MD5: 788b37226d3f0a126a24396a0d4c90e4
SHA1: e6cf3e41c10e7dbbf9aba2a9c661124b794c0068
SHA256: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7
SHA512: 4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize: 24KB
MD5: 17f51ab722963d73b5dcd050d06e6d40
SHA1: 70a1eb538fe961512c74dda727ef185c8eb42884
SHA256: e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417
SHA512: 041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d
-
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize: 4B
MD5: 8ce1a43fb75e779c6b794ba4d255cf6d
SHA1: 8ef8af707daaa2b70a0e76e61aaf9537b1fb4d7e
SHA256: b03fe167cb5990717dfb19877150d4a4c5f6e4805b4ad99098a6cc0cbfe83f8a
SHA512: c3944171615ac3e878480d9643a7e4f47197c0e2abc9fa7c58c66ccbf2a0b490618e76459609e94a6a547b4f1e5153ef95990525c08e750d63f1b7710701b762
-
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize: 56B
MD5: efd1636cfc3cc38fd7babae5cac9ede0
SHA1: 4d7d378abeb682eefbd039930c0ea996fbf54178
SHA256: f827d5b11c1eb3902d601c3e0b59ba32fe11c0b573fbf22fb2af86bfd4651bba
SHA512: 69b2b0ab1a6e13395ef52dcb903b8e17d842e6d0d44f801ff2659cfd5ec343c8cc57928b02961fc7099ad43ff05633baf5ac39042a00c8676d4fa8f6f8c2a5d7
-
Memory dumps (file; Filesize where reported):
- memory/204-137-0x0000000000000000-mapping.dmp
- memory/680-164-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/680-152-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/680-150-0x0000000000000000-mapping.dmp
- memory/1084-138-0x0000000000000000-mapping.dmp
- memory/1084-155-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/1084-143-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/1084-149-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/1104-145-0x0000000000000000-mapping.dmp
- memory/1104-154-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/1104-147-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2036-163-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2036-132-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2036-133-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/2332-157-0x0000000000000000-mapping.dmp
- memory/2620-165-0x0000000000000000-mapping.dmp
- memory/2620-174-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/2620-167-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/2620-169-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/2620-170-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/3292-183-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/3292-179-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/3292-178-0x0000000000000000-mapping.dmp
- memory/3292-184-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/3292-187-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/3292-189-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/3604-177-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/3604-158-0x0000000000000000-mapping.dmp
- memory/3604-161-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/3824-134-0x0000000000000000-mapping.dmp
- memory/3884-141-0x0000000000000000-mapping.dmp
- memory/4172-136-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/4172-135-0x0000000000000000-mapping.dmp
- memory/4172-148-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/4172-142-0x0000000074EC0000-0x0000000075471000-memory.dmp (Filesize: 5.7MB)
- memory/4788-180-0x0000000000000000-mapping.dmp
- memory/4788-182-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/4788-185-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/4788-186-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/4820-172-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/4820-176-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/4820-171-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/4820-166-0x0000000000000000-mapping.dmp
- memory/5004-162-0x0000000000000000-mapping.dmp