netwire | 55df2b52826c7b968935c3e9f08904657ba746bd531055e70e3a5828dbb25d61

General

Target

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Size

1.3MB
MD5

5c9ad0440fefa31403bd944a1a10a3b8
SHA1

2707299e9ec7fb2173f6afb2e23a4d74865cf5a3
SHA256

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8
SHA512

9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078
SSDEEP

24576:AemBdOxLFDApSPKk48wxpb4YLDrvomDMzqZB:0BiLFssPH48ApZDrYzq

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

banqueislamik.ddrive.online:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
SALUT
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4596-141-0x0000000001300000-0x0000000002300000-memory.dmp	netwire
behavioral2/memory/4596-142-0x000000000131AE7B-mapping.dmp	netwire
behavioral2/memory/4596-144-0x0000000001300000-0x0000000002300000-memory.dmp	netwire
behavioral2/memory/4596-145-0x0000000001300000-0x0000000002300000-memory.dmp	netwire
behavioral2/memory/4596-146-0x0000000001300000-0x0000000002300000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

othnl.exeothnl.exe

pid process

1468 othnl.exe
4596 othnl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

othnl.exe

description pid process target process

PID 1468 set thread context of 4596 1468 othnl.exe othnl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4892 schtasks.exe

description	pid	process	target process
PID 1468 set thread context of 4596	1468	othnl.exe	othnl.exe

pid	process
4892	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4812 vlc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

othnl.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1468	othnl.exe
1468	othnl.exe
1468	othnl.exe
1468	othnl.exe
2836	chrome.exe
2836	chrome.exe
4832	chrome.exe
4832	chrome.exe
1928	chrome.exe
1928	chrome.exe
1064	chrome.exe
1064	chrome.exe
4464	chrome.exe
4464	chrome.exe
2804	chrome.exe
2804	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4812 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4832 chrome.exe
4832 chrome.exe
4832 chrome.exe
4832 chrome.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

othnl.exe

description pid process

Token: 33 1468 othnl.exe
Token: SeIncBasePriorityPrivilege 1468 othnl.exe

pid	process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

description	pid	process
Token: 33	1468	othnl.exe
Token: SeIncBasePriorityPrivilege	1468	othnl.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

vlc.exechrome.exe

pid	process
4812	vlc.exe
4812	vlc.exe
4812	vlc.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

vlc.exechrome.exe

pid	process
4812	vlc.exe
4812	vlc.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

4812 vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.execmd.exechrome.exe

description	pid	process	target process
PID 1076 wrote to memory of 1468	1076	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe	othnl.exe
PID 1076 wrote to memory of 1468	1076	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe	othnl.exe
PID 1076 wrote to memory of 1468	1076	2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe	othnl.exe
PID 1468 wrote to memory of 3576	1468	othnl.exe	cmd.exe
PID 1468 wrote to memory of 3576	1468	othnl.exe	cmd.exe
PID 1468 wrote to memory of 3576	1468	othnl.exe	cmd.exe
PID 1468 wrote to memory of 4596	1468	othnl.exe	othnl.exe
PID 1468 wrote to memory of 4596	1468	othnl.exe	othnl.exe
PID 1468 wrote to memory of 4596	1468	othnl.exe	othnl.exe
PID 3576 wrote to memory of 4892	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 4892	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 4892	3576	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 4596	1468	othnl.exe	othnl.exe
PID 1468 wrote to memory of 4596	1468	othnl.exe	othnl.exe
PID 4832 wrote to memory of 3444	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 3444	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1616	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 2836	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 2836	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1268	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1268	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1268	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1268	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1268	4832	chrome.exe	chrome.exe
PID 4832 wrote to memory of 1268	4832	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
"C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
3⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
4⤵
- Creates scheduled task(s)
PID:4892

C:\Users\Admin\othnl.exe
0
3⤵
- Executes dropped EXE
PID:4596

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RequestSet.wma"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1b7d4f50,0x7ffe1b7d4f60,0x7ffe1b7d4f70
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4636 /prefetch:8
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4924 /prefetch:8
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
2⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2884 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5004 /prefetch:8
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2664 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,12386504755739695484,16084192605694657016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lyzbolct.osn
Filesize
273KB

MD5
b87b1eebcce45db72f46c45d7627c854

SHA1
dc8e7030defc35a9d1ad6cfb5a354ecd372506a2

SHA256
cd591bbfcb167fa8a7c960812967f90440a350458fe4422c6257cc0558f34953

SHA512
fa514a1e7f56689cfdbda78a0c3ea9e73668121e94ab8057fe9a0dc77a4ddd0b8b2aa833109c5f41c182c625392e073a9c4d4a13fdfb8b57aeae9e5733cb3467

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB

MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1

SHA1
712f5e781df0e1cf0a52cc1312f097c290770909

SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zwkrwa.hep
Filesize
113.7MB

MD5
7c0a58bf2315abf9612d58fbfaaeb0eb

SHA1
3e8d2de112be00950fd776bba6883449804f5b39

SHA256
be8f159ef84167d6a542d7201cf09340b8dd222fec36e5430dc148062a96fb47

SHA512
24866cd04234e6cd83d6b3125ec68ec0f2c2f601ac566379a5c820a97e3d503cc7ffeac220921b8aa8c6d0e53530c96d9b3cd38c90d02b433b691d81ec9c3a91

Download Submit
C:\Users\Admin\othnl.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
\??\pipe\crashpad_4832_HGHMTSCLAHCBKYCN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1468-140-0x0000000001183000-0x0000000001185000-memory.dmp

Filesize
8KB

Download
memory/1468-132-0x0000000000000000-mapping.dmp

Download
memory/1468-138-0x0000000001183000-0x0000000001188000-memory.dmp

Filesize
20KB

Download
memory/3576-137-0x0000000000000000-mapping.dmp

Download
memory/4596-141-0x0000000001300000-0x0000000002300000-memory.dmp

Filesize
16.0MB

Download
memory/4596-142-0x000000000131AE7B-mapping.dmp

Download
memory/4596-144-0x0000000001300000-0x0000000002300000-memory.dmp

Filesize
16.0MB

Download
memory/4596-145-0x0000000001300000-0x0000000002300000-memory.dmp

Filesize
16.0MB

Download
memory/4596-146-0x0000000001300000-0x0000000002300000-memory.dmp

Filesize
16.0MB

Download
memory/4892-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads