netwire | 46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107

General

Target

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
Size

99KB
MD5

68bb2bc04c3e1e1c2d88aa6f73285bb0
SHA1

dc00c4fb8e14e11395935b215c86c88e3e72e0eb
SHA256

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107
SHA512

f610028ac9d39912d62e8dc8e26f9bbe13f061066561999cb40e0b61362bfc249f35829dacb8d4cb12b1622ed729a4afbc7f73f2595d76da65f4e65807c5a276
SSDEEP

3072:elwT11JOsyobBuL7OdhR5rgGuXMQ8oWfz16xK:EwxdbBuLSdlwWoWh6xK

Score

10^/10

netwire botnet evasion persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1032-157-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1032-160-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1032-162-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

pid process

1032 46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4380 attrib.exe

pid	process
1032	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

pid	process
4380	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

description	pid	process	target process
PID 876 set thread context of 1032	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
2056	ping.exe
3076	ping.exe
4276	ping.exe
1552	ping.exe
2292	ping.exe
1220	ping.exe
3404	ping.exe
4788	ping.exe
2804	ping.exe
3332	ping.exe
2680	ping.exe
4436	ping.exe
1860	ping.exe
4252	ping.exe
4408	ping.exe
1764	ping.exe
4980	ping.exe
4716	ping.exe
4396	ping.exe
4840	ping.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

pid	process
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

description pid process

Token: SeDebugPrivilege 876 46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

description	pid	process
Token: SeDebugPrivilege	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe

description	pid	process	target process
PID 876 wrote to memory of 4788	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4788	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4788	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1860	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1860	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1860	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4408	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4408	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4408	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2056	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2056	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2056	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1764	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1764	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1764	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4252	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4252	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4252	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3076	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3076	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3076	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2804	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2804	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2804	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4980	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4980	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4980	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3332	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3332	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3332	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4380	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	attrib.exe
PID 876 wrote to memory of 4380	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	attrib.exe
PID 876 wrote to memory of 4380	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	attrib.exe
PID 876 wrote to memory of 2132	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	REG.exe
PID 876 wrote to memory of 2132	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	REG.exe
PID 876 wrote to memory of 2132	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	REG.exe
PID 876 wrote to memory of 2680	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2680	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2680	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4276	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4276	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4276	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1552	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1552	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1552	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4716	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4716	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4716	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4396	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4396	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4396	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2292	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2292	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 2292	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1220	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1220	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 1220	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4840	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4840	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4840	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3404	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3404	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 3404	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe
PID 876 wrote to memory of 4436	876	46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe	ping.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4380 attrib.exe

pid	process
4380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
"C:\Users\Admin\AppData\Local\Temp\46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4788

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1860

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4408

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2056

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1764

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4252

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3076

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2804

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4980

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3332

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4380

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:2132

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2680

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4276

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1552

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4716

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4396

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2292

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1220

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4840

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3404

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4436

C:\Users\Admin\AppData\Local\Temp\46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
"C:\Users\Admin\AppData\Local\Temp\46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe"
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:2080

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1644

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:2100

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:2976

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:3988

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:60

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:4996

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:4156

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1364

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:4108

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:4280

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:728

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:3856

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:2980

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:420

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:3816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107.exe
Filesize
99KB

MD5
68bb2bc04c3e1e1c2d88aa6f73285bb0

SHA1
dc00c4fb8e14e11395935b215c86c88e3e72e0eb

SHA256
46f5b5e478dfd2fc33d4afd1d0deea9a641a6baf7880bf2fab9a333647b18107

SHA512
f610028ac9d39912d62e8dc8e26f9bbe13f061066561999cb40e0b61362bfc249f35829dacb8d4cb12b1622ed729a4afbc7f73f2595d76da65f4e65807c5a276

Download Submit
memory/60-167-0x0000000000000000-mapping.dmp

Download
memory/420-176-0x0000000000000000-mapping.dmp

Download
memory/728-173-0x0000000000000000-mapping.dmp

Download
memory/876-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/876-136-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1032-157-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-156-0x0000000000000000-mapping.dmp

Download
memory/1032-162-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-160-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1220-152-0x0000000000000000-mapping.dmp

Download
memory/1364-170-0x0000000000000000-mapping.dmp

Download
memory/1552-148-0x0000000000000000-mapping.dmp

Download
memory/1644-163-0x0000000000000000-mapping.dmp

Download
memory/1764-138-0x0000000000000000-mapping.dmp

Download
memory/1860-134-0x0000000000000000-mapping.dmp

Download
memory/2056-137-0x0000000000000000-mapping.dmp

Download
memory/2080-161-0x0000000000000000-mapping.dmp

Download
memory/2100-164-0x0000000000000000-mapping.dmp

Download
memory/2132-145-0x0000000000000000-mapping.dmp

Download
memory/2292-151-0x0000000000000000-mapping.dmp

Download
memory/2680-146-0x0000000000000000-mapping.dmp

Download
memory/2804-141-0x0000000000000000-mapping.dmp

Download
memory/2976-165-0x0000000000000000-mapping.dmp

Download
memory/2980-175-0x0000000000000000-mapping.dmp

Download
memory/3076-140-0x0000000000000000-mapping.dmp

Download
memory/3332-143-0x0000000000000000-mapping.dmp

Download
memory/3404-154-0x0000000000000000-mapping.dmp

Download
memory/3816-177-0x0000000000000000-mapping.dmp

Download
memory/3856-174-0x0000000000000000-mapping.dmp

Download
memory/3988-166-0x0000000000000000-mapping.dmp

Download
memory/4108-171-0x0000000000000000-mapping.dmp

Download
memory/4156-169-0x0000000000000000-mapping.dmp

Download
memory/4252-139-0x0000000000000000-mapping.dmp

Download
memory/4276-147-0x0000000000000000-mapping.dmp

Download
memory/4280-172-0x0000000000000000-mapping.dmp

Download
memory/4380-144-0x0000000000000000-mapping.dmp

Download
memory/4396-150-0x0000000000000000-mapping.dmp

Download
memory/4408-135-0x0000000000000000-mapping.dmp

Download
memory/4436-155-0x0000000000000000-mapping.dmp

Download
memory/4716-149-0x0000000000000000-mapping.dmp

Download
memory/4788-133-0x0000000000000000-mapping.dmp

Download
memory/4840-153-0x0000000000000000-mapping.dmp

Download
memory/4980-142-0x0000000000000000-mapping.dmp

Download
memory/4996-168-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads