ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815

General

Target

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
Size

99KB
MD5

205819e715877fa9f0c28f80f313b360
SHA1

b2172b04ff7cf85dee45218106f354d10e100cc9
SHA256

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815
SHA512

87be48b3f252333c81768071eb5ed833606acd7b23dc730c810e41ad44fef8a0f00c5784acda6958c66bd6bd16a9acb355f1d15ae1400c835b68a288e3169a4c
SSDEEP

3072:ulwT11JOsyobBuL7OdhR5rgGuXMQ8oWfz16xO:UwxdbBuLSdlwWoWh6xO

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid process

316 ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3808 attrib.exe

pid	process
316	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid	process
3808	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
3104	ping.exe
4388	ping.exe
3172	ping.exe
1276	ping.exe
1880	ping.exe
4580	ping.exe
4052	ping.exe
3316	ping.exe
3092	ping.exe
5000	ping.exe
3280	ping.exe
5020	ping.exe
3708	ping.exe
2508	ping.exe
2016	ping.exe
3588	ping.exe
1504	ping.exe
2972	ping.exe
4952	ping.exe
1820	ping.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

pid	process
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description pid process

Token: SeDebugPrivilege 3644 ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description	pid	process
Token: SeDebugPrivilege	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

description	pid	process	target process
PID 3644 wrote to memory of 4952	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4952	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4952	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4388	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4388	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4388	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 2016	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 2016	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 2016	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3588	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3588	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3588	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3316	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3316	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3316	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3092	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3092	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3092	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 5000	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 5000	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 5000	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3172	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3172	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3172	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3280	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3280	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3280	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4580	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4580	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4580	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3808	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	attrib.exe
PID 3644 wrote to memory of 3808	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	attrib.exe
PID 3644 wrote to memory of 3808	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	attrib.exe
PID 3644 wrote to memory of 1560	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	REG.exe
PID 3644 wrote to memory of 1560	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	REG.exe
PID 3644 wrote to memory of 1560	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	REG.exe
PID 3644 wrote to memory of 1504	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1504	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1504	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 2972	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 2972	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 2972	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1276	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1276	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1276	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1880	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1880	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1880	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 5020	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 5020	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 5020	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4052	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4052	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 4052	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3708	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3708	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3708	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3104	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3104	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 3104	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1820	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1820	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 1820	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe
PID 3644 wrote to memory of 2508	3644	ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe	ping.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3808 attrib.exe

pid	process
3808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
"C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4952

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4388

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3588

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3316

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3092

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:5000

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3172

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3280

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4580

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3808

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1560

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1504

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2972

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1276

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1880

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:5020

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:4052

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3708

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:3104

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:1820

C:\Windows\SysWOW64\ping.exe
C:\Windows\System32\ping.exe google.com
2⤵
- Runs ping.exe
PID:2508

C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe
"C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe"
2⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:2356

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:3900

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:3540

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1724

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:4632

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:4180

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:1704

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:2800

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:5108

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:3804

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
2⤵
- Adds Run key to start application
PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Filesize
99KB

MD5
205819e715877fa9f0c28f80f313b360

SHA1
b2172b04ff7cf85dee45218106f354d10e100cc9

SHA256
ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815

SHA512
87be48b3f252333c81768071eb5ed833606acd7b23dc730c810e41ad44fef8a0f00c5784acda6958c66bd6bd16a9acb355f1d15ae1400c835b68a288e3169a4c

Download Submit
memory/316-156-0x0000000000000000-mapping.dmp

Download
memory/1276-148-0x0000000000000000-mapping.dmp

Download
memory/1504-146-0x0000000000000000-mapping.dmp

Download
memory/1560-145-0x0000000000000000-mapping.dmp

Download
memory/1704-164-0x0000000000000000-mapping.dmp

Download
memory/1724-161-0x0000000000000000-mapping.dmp

Download
memory/1820-154-0x0000000000000000-mapping.dmp

Download
memory/1880-149-0x0000000000000000-mapping.dmp

Download
memory/2016-136-0x0000000000000000-mapping.dmp

Download
memory/2356-158-0x0000000000000000-mapping.dmp

Download
memory/2508-155-0x0000000000000000-mapping.dmp

Download
memory/2800-165-0x0000000000000000-mapping.dmp

Download
memory/2972-147-0x0000000000000000-mapping.dmp

Download
memory/3092-139-0x0000000000000000-mapping.dmp

Download
memory/3104-153-0x0000000000000000-mapping.dmp

Download
memory/3172-141-0x0000000000000000-mapping.dmp

Download
memory/3280-142-0x0000000000000000-mapping.dmp

Download
memory/3316-138-0x0000000000000000-mapping.dmp

Download
memory/3448-168-0x0000000000000000-mapping.dmp

Download
memory/3540-160-0x0000000000000000-mapping.dmp

Download
memory/3588-137-0x0000000000000000-mapping.dmp

Download
memory/3644-132-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3644-133-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3708-152-0x0000000000000000-mapping.dmp

Download
memory/3804-167-0x0000000000000000-mapping.dmp

Download
memory/3808-144-0x0000000000000000-mapping.dmp

Download
memory/3900-159-0x0000000000000000-mapping.dmp

Download
memory/4052-151-0x0000000000000000-mapping.dmp

Download
memory/4180-163-0x0000000000000000-mapping.dmp

Download
memory/4388-135-0x0000000000000000-mapping.dmp

Download
memory/4580-143-0x0000000000000000-mapping.dmp

Download
memory/4632-162-0x0000000000000000-mapping.dmp

Download
memory/4952-134-0x0000000000000000-mapping.dmp

Download
memory/5000-140-0x0000000000000000-mapping.dmp

Download
memory/5020-150-0x0000000000000000-mapping.dmp

Download
memory/5108-166-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads