netwire | 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8

Analysis

max time kernel
211s
max time network
220s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Size

1.3MB
MD5

5c9ad0440fefa31403bd944a1a10a3b8
SHA1

2707299e9ec7fb2173f6afb2e23a4d74865cf5a3
SHA256

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8
SHA512

9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078
SSDEEP

24576:AemBdOxLFDApSPKk48wxpb4YLDrvomDMzqZB:0BiLFssPH48ApZDrYzq

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

banqueislamik.ddrive.online:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
SALUT
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2000-66-0x0000000001160000-0x0000000002160000-memory.dmp	netwire
behavioral1/memory/2000-67-0x000000000117AE7B-mapping.dmp	netwire
behavioral1/memory/2000-71-0x0000000001160000-0x0000000002160000-memory.dmp	netwire
behavioral1/memory/2000-72-0x0000000001160000-0x0000000002160000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

othnl.exeothnl.exe

pid process

1436 othnl.exe
2000 othnl.exe
Loads dropped DLL 2 IoCs

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.exe

pid process

1604 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
1436 othnl.exe

pid	process
1436	othnl.exe
2000	othnl.exe

pid	process
1604	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
1436	othnl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

othnl.exe

description pid process target process

PID 1436 set thread context of 2000 1436 othnl.exe othnl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2044 schtasks.exe

description	pid	process	target process
PID 1436 set thread context of 2000	1436	othnl.exe	othnl.exe

pid	process
2044	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DD7C361-5309-11ED-99B1-EA25B6F29539} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3152A401-5309-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000dda098d19bee51f06d16c2a491087acca043b7ed860ca423919e1fb74f7cbfd4000000000e80000000020000200000009358a965d4bdf563ea46fbeeb76298357bb146a9e4c37ccac296e6312bea7ab2200000005fa7a707332c67ef8b0128474f8e29311a75598d90800c94a9af88b27252259f40000000e094c9ac00dc956eb2666e38001d28a82ba0f2caf7eecccaab91603fc1604c83abb5d6c3d52a678162d952392479212010e7d6c144e2651f98f024da28a1cb6d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1DD7C363-5309-11ED-99B1-EA25B6F29539}.dat = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "C:\\Users\\Admin\\Desktop\\GroupJoin.vsd"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = c0193afb15e7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

othnl.exechrome.exechrome.exe

pid process

1436 othnl.exe
1436 othnl.exe
1800 chrome.exe
1604 chrome.exe
1604 chrome.exe

pid	process
1436	othnl.exe
1436	othnl.exe
1800	chrome.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

othnl.exeAUDIODG.EXEIEXPLORE.EXE

description	pid	process
Token: 33	1436	othnl.exe
Token: SeIncBasePriorityPrivilege	1436	othnl.exe
Token: 33	1056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1056	AUDIODG.EXE
Token: 33	1056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1056	AUDIODG.EXE
Token: SeShutdownPrivilege	1512	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

IEXPLORE.EXEiexplore.exechrome.exe

pid	process
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1720	iexplore.exe
1720	iexplore.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1796	IEXPLORE.EXE
1720	iexplore.exe
1720	iexplore.exe
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1720	iexplore.exe
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1720	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.execmd.exeiexplore.exeIEXPLORE.EXEiexplore.exechrome.exe

description	pid	process	target process
PID 1604 wrote to memory of 1436	1604	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe	othnl.exe
PID 1604 wrote to memory of 1436	1604	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe	othnl.exe
PID 1604 wrote to memory of 1436	1604	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe	othnl.exe
PID 1604 wrote to memory of 1436	1604	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe	othnl.exe
PID 1436 wrote to memory of 1240	1436	othnl.exe	cmd.exe
PID 1436 wrote to memory of 1240	1436	othnl.exe	cmd.exe
PID 1436 wrote to memory of 1240	1436	othnl.exe	cmd.exe
PID 1436 wrote to memory of 1240	1436	othnl.exe	cmd.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1240 wrote to memory of 2044	1240	cmd.exe	schtasks.exe
PID 1240 wrote to memory of 2044	1240	cmd.exe	schtasks.exe
PID 1240 wrote to memory of 2044	1240	cmd.exe	schtasks.exe
PID 1240 wrote to memory of 2044	1240	cmd.exe	schtasks.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1436 wrote to memory of 2000	1436	othnl.exe	othnl.exe
PID 1716 wrote to memory of 1796	1716	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 1796	1716	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 1796	1716	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 1796	1716	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1888	1796	IEXPLORE.EXE	IEXPLORE.EXE
PID 1796 wrote to memory of 1888	1796	IEXPLORE.EXE	IEXPLORE.EXE
PID 1796 wrote to memory of 1888	1796	IEXPLORE.EXE	IEXPLORE.EXE
PID 1796 wrote to memory of 1888	1796	IEXPLORE.EXE	IEXPLORE.EXE
PID 1720 wrote to memory of 1512	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1512	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1512	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1512	1720	iexplore.exe	IEXPLORE.EXE
PID 1604 wrote to memory of 1096	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1096	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1096	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 1644	1604	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
"C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
3⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
4⤵
- Creates scheduled task(s)
PID:2044

C:\Users\Admin\othnl.exe
0
3⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5254f50,0x7fef5254f60,0x7fef5254f70
2⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1108 /prefetch:2
2⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 /prefetch:8
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3252 /prefetch:2
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,3446610365623099250,15426070920038726401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1DD7C361-5309-11ED-99B1-EA25B6F29539}.dat
Filesize
4KB

MD5
f64c21f2cc6ac3c0a90ba30215113142

SHA1
f888cbec4b4d9e9bdf9a92604c80e26681ba7398

SHA256
965f1ea80e464de8380e2ce91f23fdc70b0d198f3099d94788fafcba75e984e7

SHA512
5b8b70722a0b59153a6688e672caee16eed2f715b5a777c67beddc0ff13538b097b0fa3eff643d62faecbe81beb78223c1388fe2b800e7f7155eae6180522fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1DD7C363-5309-11ED-99B1-EA25B6F29539}.dat
Filesize
3KB

MD5
f34c4f8dffea1b053069fdd086d200ef

SHA1
6ed098e329dcc8c01ce16c3f23cbd47b91e02d23

SHA256
fe2eba58cec2f6d872d4c258d86021394b7b492f369a79cd496fe8dabde13be7

SHA512
d880efe1bc6110b8f164a7ddbfc37860f7c3fdefa57fb8af1c2b64b1fe4b1851902bacdfe8c832cec37ea10d1252314294df456aee5402a1ce469d3227008491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{34757B50-1A4A-11ED-BB97-EA8F93F2F821}.dat
Filesize
5KB

MD5
fb508e8fee5c4e39097d0c1fdfede34c

SHA1
2de1fae66de2950f0e2e9eb42be1d3bac32ab4ae

SHA256
e70a7b2aedb49921c2b63cd36a8579e06fb39772b2542e53d5af79449b9e2d59

SHA512
44f539d83935272a41ac3651af0a9d490c21b0cb19cabf60cef49ce3daf4323b78bac8d20342e68b7995f9a2615af2e1debbb3bb3070006fda0f8e429671d072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{3085EDC0-5309-11ED-99B1-EA25B6F29539}.dat
Filesize
4KB

MD5
dc3fe3235793b57460b44e957ed2ee64

SHA1
9a61172370ae84da16dfd962c19c139087655374

SHA256
25ffcf86a7d1ef028bdad5c76c724e34bb03d8a1e13f784cfb5492fcfdcf3b50

SHA512
4d50d4d9094a4f2522f30465d8db34d82d8fe98515fa94e98f5642892bf69d72fc9b0ab6d35bbfb0e0222dbf68a67a737d6c181cdd0624747f7da04cc9500944

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lyzbolct.osn
Filesize
273KB

MD5
b87b1eebcce45db72f46c45d7627c854

SHA1
dc8e7030defc35a9d1ad6cfb5a354ecd372506a2

SHA256
cd591bbfcb167fa8a7c960812967f90440a350458fe4422c6257cc0558f34953

SHA512
fa514a1e7f56689cfdbda78a0c3ea9e73668121e94ab8057fe9a0dc77a4ddd0b8b2aa833109c5f41c182c625392e073a9c4d4a13fdfb8b57aeae9e5733cb3467

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zwkrwa.hep
Filesize
113.7MB

MD5
7c0a58bf2315abf9612d58fbfaaeb0eb

SHA1
3e8d2de112be00950fd776bba6883449804f5b39

SHA256
be8f159ef84167d6a542d7201cf09340b8dd222fec36e5430dc148062a96fb47

SHA512
24866cd04234e6cd83d6b3125ec68ec0f2c2f601ac566379a5c820a97e3d503cc7ffeac220921b8aa8c6d0e53530c96d9b3cd38c90d02b433b691d81ec9c3a91

Download Submit
C:\Users\Admin\othnl.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\??\pipe\crashpad_1604_BEVRQIPNQNCHVXIJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
\Users\Admin\othnl.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1240-61-0x0000000000000000-mapping.dmp

Download
memory/1368-73-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1436-57-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1436-55-0x0000000000000000-mapping.dmp

Download
memory/2000-64-0x0000000001160000-0x0000000002160000-memory.dmp

Filesize
16.0MB

Download
memory/2000-72-0x0000000001160000-0x0000000002160000-memory.dmp

Filesize
16.0MB

Download
memory/2000-71-0x0000000001160000-0x0000000002160000-memory.dmp

Filesize
16.0MB

Download
memory/2000-67-0x000000000117AE7B-mapping.dmp

Download
memory/2000-66-0x0000000001160000-0x0000000002160000-memory.dmp

Filesize
16.0MB

Download
memory/2044-63-0x0000000000000000-mapping.dmp

Download