93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05

General

Target

93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
Size

297KB
MD5

75da8598ae1a3efb9b3034ed81a3bd90
SHA1

01f58af975e8b80930f8bb34ad5ff584400be083
SHA256

93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05
SHA512

c6ad1ddd292810aa8a033396dc6daba6adbdce0f61975a95ae12e8a5561cf3c6d26bb61a2d6a96eec0fe294d22687a560d89e2767a8100ce604e122491da6e96
SSDEEP

6144:sD+nLXGfNWs0F0gYkWgrf2F334WwymP1bdMj1VoE:sD6XwWs0F0gYkWgSF334NP1bdMXX

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

urocr.exeurocr.exe

pid process

228 urocr.exe
3928 urocr.exe

pid	process
228	urocr.exe
3928	urocr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

urocr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\Currentversion\Run	urocr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Azcuqaysu = "C:\\Users\\Admin\\AppData\\Roaming\\Siep\\urocr.exe"	urocr.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

urocr.exe93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe

description	ioc	process
File opened (read-only)	\??\X:	urocr.exe
File opened (read-only)	\??\F:	urocr.exe
File opened (read-only)	\??\I:	urocr.exe
File opened (read-only)	\??\N:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\S:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\U:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\E:	urocr.exe
File opened (read-only)	\??\J:	urocr.exe
File opened (read-only)	\??\W:	urocr.exe
File opened (read-only)	\??\E:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\G:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\W:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\X:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\S:	urocr.exe
File opened (read-only)	\??\T:	urocr.exe
File opened (read-only)	\??\U:	urocr.exe
File opened (read-only)	\??\I:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\Q:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\O:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\A:	urocr.exe
File opened (read-only)	\??\P:	urocr.exe
File opened (read-only)	\??\R:	urocr.exe
File opened (read-only)	\??\J:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\L:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\L:	urocr.exe
File opened (read-only)	\??\M:	urocr.exe
File opened (read-only)	\??\Z:	urocr.exe
File opened (read-only)	\??\Z:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\G:	urocr.exe
File opened (read-only)	\??\V:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\K:	urocr.exe
File opened (read-only)	\??\V:	urocr.exe
File opened (read-only)	\??\Y:	urocr.exe
File opened (read-only)	\??\A:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\K:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\M:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\R:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\B:	urocr.exe
File opened (read-only)	\??\N:	urocr.exe
File opened (read-only)	\??\B:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\H:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\T:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\Y:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\H:	urocr.exe
File opened (read-only)	\??\O:	urocr.exe
File opened (read-only)	\??\Q:	urocr.exe
File opened (read-only)	\??\F:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
File opened (read-only)	\??\P:	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exeurocr.exe

description	pid	process	target process
PID 1740 set thread context of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 228 set thread context of 3928	228	urocr.exe	urocr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exeurocr.exeurocr.exe

pid	process
1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
228	urocr.exe
228	urocr.exe
228	urocr.exe
228	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe
3928	urocr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exeurocr.exe

description	pid	process
Token: SeShutdownPrivilege	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
Token: SeCreatePagefilePrivilege	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
Token: SeSecurityPrivilege	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
Token: SeSecurityPrivilege	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
Token: SeShutdownPrivilege	228	urocr.exe
Token: SeCreatePagefilePrivilege	228	urocr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exeurocr.exe

pid	process
1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
228	urocr.exe
228	urocr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exeurocr.exeurocr.exe

description	pid	process	target process
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 1740 wrote to memory of 4216	1740	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
PID 4216 wrote to memory of 228	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	urocr.exe
PID 4216 wrote to memory of 228	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	urocr.exe
PID 4216 wrote to memory of 228	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 228 wrote to memory of 3928	228	urocr.exe	urocr.exe
PID 3928 wrote to memory of 2536	3928	urocr.exe	sihost.exe
PID 3928 wrote to memory of 2536	3928	urocr.exe	sihost.exe
PID 3928 wrote to memory of 2536	3928	urocr.exe	sihost.exe
PID 3928 wrote to memory of 2536	3928	urocr.exe	sihost.exe
PID 3928 wrote to memory of 2536	3928	urocr.exe	sihost.exe
PID 3928 wrote to memory of 2548	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 2548	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 2548	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 2548	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 2548	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 2808	3928	urocr.exe	taskhostw.exe
PID 3928 wrote to memory of 2808	3928	urocr.exe	taskhostw.exe
PID 3928 wrote to memory of 2808	3928	urocr.exe	taskhostw.exe
PID 3928 wrote to memory of 2808	3928	urocr.exe	taskhostw.exe
PID 3928 wrote to memory of 2808	3928	urocr.exe	taskhostw.exe
PID 3928 wrote to memory of 1032	3928	urocr.exe	Explorer.EXE
PID 3928 wrote to memory of 1032	3928	urocr.exe	Explorer.EXE
PID 3928 wrote to memory of 1032	3928	urocr.exe	Explorer.EXE
PID 3928 wrote to memory of 1032	3928	urocr.exe	Explorer.EXE
PID 3928 wrote to memory of 1032	3928	urocr.exe	Explorer.EXE
PID 3928 wrote to memory of 3228	3928	urocr.exe	svchost.exe
PID 4216 wrote to memory of 3504	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	cmd.exe
PID 4216 wrote to memory of 3504	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	cmd.exe
PID 4216 wrote to memory of 3504	4216	93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe	cmd.exe
PID 3928 wrote to memory of 3228	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 3228	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 3228	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 3228	3928	urocr.exe	svchost.exe
PID 3928 wrote to memory of 3400	3928	urocr.exe	DllHost.exe
PID 3928 wrote to memory of 3400	3928	urocr.exe	DllHost.exe
PID 3928 wrote to memory of 3400	3928	urocr.exe	DllHost.exe
PID 3928 wrote to memory of 3400	3928	urocr.exe	DllHost.exe
PID 3928 wrote to memory of 3400	3928	urocr.exe	DllHost.exe
PID 3928 wrote to memory of 3492	3928	urocr.exe	StartMenuExperienceHost.exe
PID 3928 wrote to memory of 3492	3928	urocr.exe	StartMenuExperienceHost.exe
PID 3928 wrote to memory of 3492	3928	urocr.exe	StartMenuExperienceHost.exe
PID 3928 wrote to memory of 3492	3928	urocr.exe	StartMenuExperienceHost.exe
PID 3928 wrote to memory of 3492	3928	urocr.exe	StartMenuExperienceHost.exe
PID 3928 wrote to memory of 3564	3928	urocr.exe	RuntimeBroker.exe
PID 3928 wrote to memory of 3564	3928	urocr.exe	RuntimeBroker.exe
PID 3928 wrote to memory of 3564	3928	urocr.exe	RuntimeBroker.exe
PID 3928 wrote to memory of 3564	3928	urocr.exe	RuntimeBroker.exe
PID 3928 wrote to memory of 3564	3928	urocr.exe	RuntimeBroker.exe
PID 3928 wrote to memory of 3652	3928	urocr.exe	SearchApp.exe
PID 3928 wrote to memory of 3652	3928	urocr.exe	SearchApp.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4536

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4952

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
"C:\Users\Admin\AppData\Local\Temp\93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe"
2⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
C:\Users\Admin\AppData\Local\Temp\93b3fabbc4071e8ca2d781d02acee81670982038dbc0922aba1aa56d7eb13d05.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Roaming\Siep\urocr.exe
"C:\Users\Admin\AppData\Roaming\Siep\urocr.exe"
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Roaming\Siep\urocr.exe
C:\Users\Admin\AppData\Roaming\Siep\urocr.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e1e6c71.bat"
4⤵
PID:3504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3276

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2548

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4924

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6e1e6c71.bat
Filesize
307B

MD5
c0fe1f136e22c5a2ddeef9a0b2d84347

SHA1
2c481b963f1380006979dacacfce1facf22fb3d0

SHA256
c6c9d4959f6afc968bc19a7296f3a0ca7bdadb112b091e929b42e353125585ce

SHA512
394b3d163649b2776a682d018f46020dd68a2fe81f5afeb845c1533d6410a1afa7b833269915ea05600feac08cb1b2c2da4ad1ad55067b42eddc379c08ac39dc

Download Submit
C:\Users\Admin\AppData\Roaming\Siep\urocr.exe
Filesize
297KB

MD5
716a8a59b35cf1eff2bd5a821e8c73a0

SHA1
e04b23fa40a38361238dd08f58b106e3273d246b

SHA256
79c2ea79287c66592b8c33c305f1118fbae2a88066b3f07a742f7503d0bdb7a0

SHA512
023598f3597883f9941f2fe7b2f9bb504fec79f1ff98bb6105b63c16a9f77d134cc1870620240a52977700fcb401f0d568329268206caeb8b5ec177f95a6fee1

Download Submit
C:\Users\Admin\AppData\Roaming\Siep\urocr.exe
Filesize
297KB

MD5
716a8a59b35cf1eff2bd5a821e8c73a0

SHA1
e04b23fa40a38361238dd08f58b106e3273d246b

SHA256
79c2ea79287c66592b8c33c305f1118fbae2a88066b3f07a742f7503d0bdb7a0

SHA512
023598f3597883f9941f2fe7b2f9bb504fec79f1ff98bb6105b63c16a9f77d134cc1870620240a52977700fcb401f0d568329268206caeb8b5ec177f95a6fee1

Download Submit
C:\Users\Admin\AppData\Roaming\Siep\urocr.exe
Filesize
297KB

MD5
716a8a59b35cf1eff2bd5a821e8c73a0

SHA1
e04b23fa40a38361238dd08f58b106e3273d246b

SHA256
79c2ea79287c66592b8c33c305f1118fbae2a88066b3f07a742f7503d0bdb7a0

SHA512
023598f3597883f9941f2fe7b2f9bb504fec79f1ff98bb6105b63c16a9f77d134cc1870620240a52977700fcb401f0d568329268206caeb8b5ec177f95a6fee1

Download Submit
memory/228-137-0x0000000000000000-mapping.dmp

Download
memory/1740-135-0x0000000005EA0000-0x0000000005EA4000-memory.dmp

Filesize
16KB

Download
memory/3504-146-0x0000000000000000-mapping.dmp

Download
memory/3504-148-0x0000000000990000-0x00000000009CB000-memory.dmp

Filesize
236KB

Download
memory/3504-150-0x0000000000990000-0x00000000009CB000-memory.dmp

Filesize
236KB

Download
memory/3928-140-0x0000000000000000-mapping.dmp

Download
memory/3928-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3928-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4216-132-0x0000000000000000-mapping.dmp

Download
memory/4216-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4216-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4216-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4216-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads