daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e

General

Target

daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Size

215KB
MD5

0e8ebf92f35a6280e28d5e7caab40e9f
SHA1

a0b59471faa1ae3cd6e7d41edc431e03e7847871
SHA256

daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e
SHA512

b674d57c2563b3c116ec6650825d35e464cefd2fd8f3a7d5eef6167adbf3758503071044aa1e62858f30e1a0e7294652685de037012b336fa03749374e212dd9
SSDEEP

6144:Pbt3SvYMk3SvYMk3SvYMtbnDYr1igkMBjlSNTZ3FAHte:PR3SvYMk3SvYMk3SvYM1YAKNe

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 12 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
behavioral1/memory/960-59-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/960-61-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/960-62-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/960-65-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/960-64-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/960-69-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/960-70-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/432-84-0x0000000000080000-0x00000000000A9000-memory.dmp	cryptone
behavioral1/memory/432-85-0x0000000000080000-0x00000000000A9000-memory.dmp	cryptone
behavioral1/memory/432-86-0x0000000000080000-0x00000000000A9000-memory.dmp	cryptone
behavioral1/memory/1160-99-0x0000000000080000-0x00000000000A9000-memory.dmp	cryptone
behavioral1/memory/960-102-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mspaint.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abacac = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Abacac.exe"	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"	svchost.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exemspaint.exe

description	ioc	process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exedaef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

description	pid	process	target process
PID 976 set thread context of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 set thread context of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exesvchost.exedaef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

pid	process
976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
1160	svchost.exe
556	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

pid process

960 daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

pid	process
960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

description	pid	process
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: 33	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
Token: SeIncBasePriorityPrivilege	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exedaef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exesvchost.exedaef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe

description	pid	process	target process
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 976 wrote to memory of 960	976	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 1160	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	svchost.exe
PID 960 wrote to memory of 1160	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	svchost.exe
PID 960 wrote to memory of 1160	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	svchost.exe
PID 960 wrote to memory of 1160	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	svchost.exe
PID 960 wrote to memory of 1576	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 960 wrote to memory of 1576	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 960 wrote to memory of 1576	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 960 wrote to memory of 1576	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 960 wrote to memory of 1576	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 960 wrote to memory of 1160	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	svchost.exe
PID 960 wrote to memory of 1576	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 1160 wrote to memory of 432	1160	svchost.exe	mspaint.exe
PID 1160 wrote to memory of 432	1160	svchost.exe	mspaint.exe
PID 1160 wrote to memory of 432	1160	svchost.exe	mspaint.exe
PID 1160 wrote to memory of 432	1160	svchost.exe	mspaint.exe
PID 1160 wrote to memory of 432	1160	svchost.exe	mspaint.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 960 wrote to memory of 556	960	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
PID 556 wrote to memory of 1160	556	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	svchost.exe
PID 556 wrote to memory of 1160	556	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	svchost.exe
PID 556 wrote to memory of 1576	556	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 556 wrote to memory of 1576	556	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	calc.exe
PID 556 wrote to memory of 432	556	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	mspaint.exe
PID 556 wrote to memory of 432	556	daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
"C:\Users\Admin\AppData\Local\Temp\daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
"C:\Users\Admin\AppData\Local\Temp\daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\SysWOW64\mspaint.exe"
4⤵
- Adds Run key to start application
- Enumerates connected drives
PID:432

C:\Windows\SysWOW64\calc.exe
"C:\Windows\SysWOW64\calc.exe"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe
"C:\Users\Admin\AppData\Local\Temp\daef86f110724a4501572846cf93bbc736240e08de901fba5e22852e37ef933e.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-340-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/432-104-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/432-124-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/432-87-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/432-86-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/432-85-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/432-84-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/432-83-0x00000000003F1000-0x00000000003F3000-memory.dmp

Filesize
8KB

Download
memory/432-81-0x0000000000000000-mapping.dmp

Download
memory/432-131-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/432-191-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/556-93-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-98-0x0000000000410910-mapping.dmp

Download
memory/556-107-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-106-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-105-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-130-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-97-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-95-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-91-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-88-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/960-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-70-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-102-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/960-66-0x0000000000404BF0-mapping.dmp

Download
memory/960-69-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/976-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/976-55-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1160-115-0x00000000002A0000-0x00000000002EE000-memory.dmp

Filesize
312KB

Download
memory/1160-121-0x00000000002A0000-0x00000000002EE000-memory.dmp

Filesize
312KB

Download
memory/1160-112-0x00000000002A0000-0x00000000002EE000-memory.dmp

Filesize
312KB

Download
memory/1160-338-0x00000000002A0000-0x00000000002EE000-memory.dmp

Filesize
312KB

Download
memory/1160-99-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1160-129-0x00000000002A0000-0x00000000002EE000-memory.dmp

Filesize
312KB

Download
memory/1160-75-0x0000000000000000-mapping.dmp

Download
memory/1576-101-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1576-117-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/1576-128-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/1576-76-0x0000000000000000-mapping.dmp

Download
memory/1576-122-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/1576-339-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/1576-73-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1576-341-0x0000000000248000-0x000000000024A000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads