178b3630d7198d7a3e0e7b651b4dbd55870bf1d0a2df7df660047cb595817461

Analysis

max time kernel
176s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ed5604aa3bba7af780a3869163773c00.exe
Size

375KB
MD5

ed5604aa3bba7af780a3869163773c00
SHA1

2e05b358a3cb5d1a7ef89903cc5d0ed4452ec875
SHA256

178b3630d7198d7a3e0e7b651b4dbd55870bf1d0a2df7df660047cb595817461
SHA512

51d33fbcb1dba22d2e58d48fb8a07f51049910dd1c6af10c02f9b3fc2c0bbdc30b561aa2571d99f5cef4cef30ec89c08e34bfc4019fc0640d49888c99fb7e169
SSDEEP

6144:TL+rqKbSFy5P5K3E5+yOqkXWCnlboVrDo1bS2OcbSxbSxbSxbSPx5OnkP+6bfbSF:TLy95DK0kXWCnlboVrDMleeew1+Aeelq

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015cb7-8.dat	acprotect
behavioral1/memory/2528-10-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral1/files/0x0008000000015caf-13.dat	acprotect
behavioral1/memory/2528-22-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2204-1-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/files/0x0008000000015cb7-8.dat	upx
behavioral1/memory/2528-10-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/2528-11-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/files/0x0008000000015caf-13.dat	upx
behavioral1/memory/2440-16-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2204-18-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2828-21-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2528-22-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/2528-23-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2440-24-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2204-25-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2828-26-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2528-27-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\R:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\T:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\K:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\V:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\M:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\J:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\N:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\S:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\G:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\O:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\X:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\V:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\T:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\P:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\J:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\R:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\K:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\H:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\J:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\P:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\P:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\O:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\I:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\S:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\M:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\P:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\X:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\N:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\O:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\W:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\T:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\I:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\V:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\O:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\G:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\W:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\X:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\G:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\N:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\X:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\R:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\H:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\G:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\H:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\K:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\J:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\N:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\I:	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ftp33.dll	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2828	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2204	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2440	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	27
PID 2528 wrote to memory of 2440	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	27
PID 2528 wrote to memory of 2440	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	27
PID 2528 wrote to memory of 2440	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	27
PID 2440 wrote to memory of 2204	2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe	28
PID 2440 wrote to memory of 2204	2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe	28
PID 2440 wrote to memory of 2204	2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe	28
PID 2440 wrote to memory of 2204	2440	NEAS.ed5604aa3bba7af780a3869163773c00.exe	28
PID 2528 wrote to memory of 2828	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	29
PID 2528 wrote to memory of 2828	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	29
PID 2528 wrote to memory of 2828	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	29
PID 2528 wrote to memory of 2828	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	29
PID 2528 wrote to memory of 2852	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	30
PID 2528 wrote to memory of 2852	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	30
PID 2528 wrote to memory of 2852	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	30
PID 2528 wrote to memory of 2852	2528	NEAS.ed5604aa3bba7af780a3869163773c00.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\~31324.tmp

Filesize
5KB

MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll

Filesize
5KB

MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/2204-18-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2204-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2204-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2440-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2440-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-10-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/2528-22-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/2528-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2828-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2828-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download