netwire | ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815

General

Target

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
Size

99KB
MD5

205819e715877fa9f0c28f80f313b360
SHA1

b2172b04ff7cf85dee45218106f354d10e100cc9
SHA256

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815
SHA512

87be48b3f252333c81768071eb5ed833606acd7b23dc730c810e41ad44fef8a0f00c5784acda6958c66bd6bd16a9acb355f1d15ae1400c835b68a288e3169a4c
SSDEEP

3072:ulwT11JOsyobBuL7OdhR5rgGuXMQ8oWfz16xO:UwxdbBuLSdlwWoWh6xO

Score

10^/10

netwire botnet evasion persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/636-87-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/636-88-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/636-85-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/636-92-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/636-94-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/636-98-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid process

636 ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

956 attrib.exe
Loads dropped DLL 1 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid process

960 ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid	process
636	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid	process
956	attrib.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description	pid	process	target process
PID 960 set thread context of 636	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
1540	ping.exe
1976	ping.exe
1068	ping.exe
1792	ping.exe
876	ping.exe
1812	ping.exe
904	ping.exe
940	ping.exe
1888	ping.exe
1140	ping.exe
432	ping.exe
848	ping.exe
1368	ping.exe
1848	ping.exe
2020	ping.exe
1324	ping.exe
1828	ping.exe
1472	ping.exe
1992	ping.exe
1688	ping.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid	process
960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description pid process

Token: SeDebugPrivilege 960 ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description	pid	process
Token: SeDebugPrivilege	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description	pid	process	target process
PID 960 wrote to memory of 1992	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1992	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1992	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1992	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 432	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 432	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 432	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 432	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 876	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 876	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 876	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 876	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1368	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1368	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1368	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1368	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1792	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1792	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1792	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1792	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1812	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1812	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1812	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1812	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1848	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1976	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1976	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1976	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1976	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1068	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1068	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1068	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1068	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 956	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	attrib.exe
PID 960 wrote to memory of 956	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	attrib.exe
PID 960 wrote to memory of 956	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	attrib.exe
PID 960 wrote to memory of 956	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	attrib.exe
PID 960 wrote to memory of 1684	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	REG.exe
PID 960 wrote to memory of 1684	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	REG.exe
PID 960 wrote to memory of 1684	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	REG.exe
PID 960 wrote to memory of 1684	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	REG.exe
PID 960 wrote to memory of 904	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 904	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 904	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 904	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 2020	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 2020	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 2020	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 2020	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 940	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 940	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 940	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 940	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1540	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1540	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1540	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 960 wrote to memory of 1540	960	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

956 attrib.exe

pid	process
956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
"C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1992

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:432

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:848

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:876

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1368

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1792

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1812

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1848

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1976

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1068

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:956

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1684

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:904

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2020

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:940

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1540

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1324

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1828

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1888

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1472

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1140

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1688

C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
"C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe"
2⤵
- Executes dropped EXE
PID:636

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:832

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:360

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1780

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1544

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1956

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
Filesize
99KB

MD5
205819e715877fa9f0c28f80f313b360

SHA1
b2172b04ff7cf85dee45218106f354d10e100cc9

SHA256
ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815

SHA512
87be48b3f252333c81768071eb5ed833606acd7b23dc730c810e41ad44fef8a0f00c5784acda6958c66bd6bd16a9acb355f1d15ae1400c835b68a288e3169a4c

Download Submit
\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
Filesize
99KB

MD5
205819e715877fa9f0c28f80f313b360

SHA1
b2172b04ff7cf85dee45218106f354d10e100cc9

SHA256
ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815

SHA512
87be48b3f252333c81768071eb5ed833606acd7b23dc730c810e41ad44fef8a0f00c5784acda6958c66bd6bd16a9acb355f1d15ae1400c835b68a288e3169a4c

Download Submit
memory/360-95-0x0000000000000000-mapping.dmp

Download
memory/432-57-0x0000000000000000-mapping.dmp

Download
memory/636-94-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-81-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-85-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-88-0x00000000004021DA-mapping.dmp

Download
memory/636-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/832-93-0x0000000000000000-mapping.dmp

Download
memory/848-58-0x0000000000000000-mapping.dmp

Download
memory/876-59-0x0000000000000000-mapping.dmp

Download
memory/904-69-0x0000000000000000-mapping.dmp

Download
memory/940-71-0x0000000000000000-mapping.dmp

Download
memory/956-67-0x0000000000000000-mapping.dmp

Download
memory/960-60-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-56-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-66-0x0000000000000000-mapping.dmp

Download
memory/1140-77-0x0000000000000000-mapping.dmp

Download
memory/1324-73-0x0000000000000000-mapping.dmp

Download
memory/1368-61-0x0000000000000000-mapping.dmp

Download
memory/1468-100-0x0000000000000000-mapping.dmp

Download
memory/1472-76-0x0000000000000000-mapping.dmp

Download
memory/1540-72-0x0000000000000000-mapping.dmp

Download
memory/1544-97-0x0000000000000000-mapping.dmp

Download
memory/1684-68-0x0000000000000000-mapping.dmp

Download
memory/1688-78-0x0000000000000000-mapping.dmp

Download
memory/1780-96-0x0000000000000000-mapping.dmp

Download
memory/1792-62-0x0000000000000000-mapping.dmp

Download
memory/1812-63-0x0000000000000000-mapping.dmp

Download
memory/1828-74-0x0000000000000000-mapping.dmp

Download
memory/1848-64-0x0000000000000000-mapping.dmp

Download
memory/1888-75-0x0000000000000000-mapping.dmp

Download
memory/1956-99-0x0000000000000000-mapping.dmp

Download
memory/1976-65-0x0000000000000000-mapping.dmp

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download
memory/2020-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads