netwire | 52f9d316545f41cf9c29abdeedf5deceee33a36dc38716351a05da6a26a13866

Analysis

max time kernel
261s
max time network
281s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.zip
Size

1.1MB
MD5

4ea1869e9fa0e523bf0df8cf13d4c6c1
SHA1

75b82d430f4424e146125286edb0d730e358b283
SHA256

52f9d316545f41cf9c29abdeedf5deceee33a36dc38716351a05da6a26a13866
SHA512

fd299aae53f44e065c28e4cdb29665ad0a02ff4ccea3d6c0d98a9f4e8890594c560f8ae3f56bc611d974076929d2af0d64ddd68c1d58f6b093466d76e2fd521c
SSDEEP

24576:vptIP369oQVAbP0u9tSkrmLJc87LvDA9s4bRVGsaRRqTKOwyLKMCFO:vpG3F6u0llLrA9zdVGs0RqvwOKMuO

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

banqueislamik.ddrive.online:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
SALUT
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2112-74-0x000000000124AE7B-mapping.dmp	netwire
behavioral1/memory/2112-73-0x0000000001230000-0x0000000002230000-memory.dmp	netwire
behavioral1/memory/2112-78-0x0000000001230000-0x0000000002230000-memory.dmp	netwire
behavioral1/memory/2112-79-0x0000000001230000-0x0000000002230000-memory.dmp	netwire
behavioral1/memory/2112-86-0x0000000001230000-0x0000000002230000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 5 IoCs

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.exeothnl.exe2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.exe

pid	process
1172	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
2000	othnl.exe
2112	othnl.exe
2128	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
2148	othnl.exe

Loads dropped DLL 3 IoCs

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.exe2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

pid	process
1172	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
2000	othnl.exe
2128	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

othnl.exe

description pid process target process

PID 2000 set thread context of 2112 2000 othnl.exe othnl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2092 schtasks.exe

description	pid	process	target process
PID 2000 set thread context of 2112	2000	othnl.exe	othnl.exe

pid	process
2092	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exeothnl.exeothnl.exe

pid	process
1784	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
2304	chrome.exe
2336	chrome.exe
1144	chrome.exe
2000	othnl.exe
2000	othnl.exe
2148	othnl.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

7zG.exe7zFM.exeAUDIODG.EXEothnl.exe

description	pid	process
Token: SeRestorePrivilege	2404	7zG.exe
Token: 35	2404	7zG.exe
Token: SeSecurityPrivilege	2404	7zG.exe
Token: SeSecurityPrivilege	2404	7zG.exe
Token: SeRestorePrivilege	1060	7zFM.exe
Token: 35	1060	7zFM.exe
Token: SeSecurityPrivilege	1060	7zFM.exe
Token: 33	1776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1776	AUDIODG.EXE
Token: 33	1776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1776	AUDIODG.EXE
Token: 33	2000	othnl.exe
Token: SeIncBasePriorityPrivilege	2000	othnl.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

chrome.exe7zG.exe7zFM.exe

pid	process
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
2404	7zG.exe
1284	chrome.exe
1284	chrome.exe
1060	7zFM.exe
1060	7zFM.exe
1284	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1284 wrote to memory of 280	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 280	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 280	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1168	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1784	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1784	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1784	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe
PID 1284 wrote to memory of 1000	1284	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.zip
1⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefac84f50,0x7fefac84f60,0x7fefac84f70
2⤵
PID:280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1092 /prefetch:2
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1312 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1832 /prefetch:8
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
2⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3316 /prefetch:2
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3980 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3840 /prefetch:8
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4076 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:8
2⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 /prefetch:8
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4304 /prefetch:8
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:8
2⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:1
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1012 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:8
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4004 /prefetch:8
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3988 /prefetch:8
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:8
2⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,2095368767169916346,2505963460993205070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 /prefetch:8
2⤵
PID:2848

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:828

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unconfirmed 400584\" -spe -an -ai#7zMap3459:112:7zEvent3095
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2404

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1060

C:\Users\Admin\Downloads\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
"C:\Users\Admin\Downloads\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
3⤵
PID:3008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
4⤵
- Creates scheduled task(s)
PID:2092

C:\Users\Admin\othnl.exe
0
3⤵
- Executes dropped EXE
PID:2112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\Downloads\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
"C:\Users\Admin\Downloads\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lyzbolct.osn
Filesize
273KB

MD5
b87b1eebcce45db72f46c45d7627c854

SHA1
dc8e7030defc35a9d1ad6cfb5a354ecd372506a2

SHA256
cd591bbfcb167fa8a7c960812967f90440a350458fe4422c6257cc0558f34953

SHA512
fa514a1e7f56689cfdbda78a0c3ea9e73668121e94ab8057fe9a0dc77a4ddd0b8b2aa833109c5f41c182c625392e073a9c4d4a13fdfb8b57aeae9e5733cb3467

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zwkrwa.hep
Filesize
113.7MB

MD5
7c0a58bf2315abf9612d58fbfaaeb0eb

SHA1
3e8d2de112be00950fd776bba6883449804f5b39

SHA256
be8f159ef84167d6a542d7201cf09340b8dd222fec36e5430dc148062a96fb47

SHA512
24866cd04234e6cd83d6b3125ec68ec0f2c2f601ac566379a5c820a97e3d503cc7ffeac220921b8aa8c6d0e53530c96d9b3cd38c90d02b433b691d81ec9c3a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zwkrwa.hep
Filesize
113.7MB

MD5
7c0a58bf2315abf9612d58fbfaaeb0eb

SHA1
3e8d2de112be00950fd776bba6883449804f5b39

SHA256
be8f159ef84167d6a542d7201cf09340b8dd222fec36e5430dc148062a96fb47

SHA512
24866cd04234e6cd83d6b3125ec68ec0f2c2f601ac566379a5c820a97e3d503cc7ffeac220921b8aa8c6d0e53530c96d9b3cd38c90d02b433b691d81ec9c3a91

Download Submit
C:\Users\Admin\Downloads\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Filesize
1.3MB

MD5
5c9ad0440fefa31403bd944a1a10a3b8

SHA1
2707299e9ec7fb2173f6afb2e23a4d74865cf5a3

SHA256
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8

SHA512
9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078

Download Submit
C:\Users\Admin\Downloads\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Filesize
1.3MB

MD5
5c9ad0440fefa31403bd944a1a10a3b8

SHA1
2707299e9ec7fb2173f6afb2e23a4d74865cf5a3

SHA256
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8

SHA512
9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 400584.crdownload
Filesize
1.1MB

MD5
4c56f87ec4f31ae5adcbf47519905f26

SHA1
5671e9a22ff0db59c9e1c5d84c03883f6c307f7e

SHA256
222ada8c17eaf4d26bdec670e0a14c6f1fcdcc86f2a3d2fae5cd047846dee0ec

SHA512
ffc644d3b866bd0fdea51bf8921d4dd04352a13497e969a6fee24a8d244ca61a1494c2873f4f7c70adc23a524defd3f2502f2567d8b7b39afc419618fbc36a14

Download Submit
C:\Users\Admin\othnl.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\??\pipe\crashpad_1284_JAINGFNAZHOFDOIN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
\Users\Admin\othnl.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/828-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/828-56-0x0000000072271000-0x0000000072273000-memory.dmp

Filesize
8KB

Download
memory/2000-62-0x0000000000000000-mapping.dmp

Download
memory/2092-69-0x0000000000000000-mapping.dmp

Download
memory/2112-73-0x0000000001230000-0x0000000002230000-memory.dmp

Filesize
16.0MB

Download
memory/2112-78-0x0000000001230000-0x0000000002230000-memory.dmp

Filesize
16.0MB

Download
memory/2112-79-0x0000000001230000-0x0000000002230000-memory.dmp

Filesize
16.0MB

Download
memory/2112-74-0x000000000124AE7B-mapping.dmp

Download
memory/2112-71-0x0000000001230000-0x0000000002230000-memory.dmp

Filesize
16.0MB

Download
memory/2112-86-0x0000000001230000-0x0000000002230000-memory.dmp

Filesize
16.0MB

Download
memory/2148-82-0x0000000000000000-mapping.dmp

Download
memory/2404-57-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/3008-68-0x0000000000000000-mapping.dmp

Download