15b6694cf28dadb2bfd04438010f8a6823626860385dc6b44b90a5a560ea0480

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e24ae035290c443e0de41727659ca7.exe
Size

1.2MB
MD5

05e24ae035290c443e0de41727659ca7
SHA1

e3b9824f3794844197b7ed4e0691ff6cc5b4e741
SHA256

15b6694cf28dadb2bfd04438010f8a6823626860385dc6b44b90a5a560ea0480
SHA512

5d500b48d44cb8c01ed28d5f1941a29625cb4f60ea7d5974376c9385d2ac80a37043b260d06f8e7c4e006de5c69a2f2c2e27b664a3afb8954ba20644bde4249b
SSDEEP

24576:3bSaE4mvt/p638OBuwruqzEkFJOzugReSNkFc1:3bSv4mvz6huVqzoazT0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1628	File.exe
2760	1432220532.exe

Loads dropped DLL 11 IoCs

pid	Process
1628	File.exe
1628	File.exe
1628	File.exe
1628	File.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2300	2760	WerFault.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	05e24ae035290c443e0de41727659ca7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	05e24ae035290c443e0de41727659ca7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	05e24ae035290c443e0de41727659ca7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	05e24ae035290c443e0de41727659ca7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2940	05e24ae035290c443e0de41727659ca7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	05e24ae035290c443e0de41727659ca7.exe
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: SeIncreaseQuotaPrivilege	1588	wmic.exe
Token: SeSecurityPrivilege	1588	wmic.exe
Token: SeTakeOwnershipPrivilege	1588	wmic.exe
Token: SeLoadDriverPrivilege	1588	wmic.exe
Token: SeSystemProfilePrivilege	1588	wmic.exe
Token: SeSystemtimePrivilege	1588	wmic.exe
Token: SeProfSingleProcessPrivilege	1588	wmic.exe
Token: SeIncBasePriorityPrivilege	1588	wmic.exe
Token: SeCreatePagefilePrivilege	1588	wmic.exe
Token: SeBackupPrivilege	1588	wmic.exe
Token: SeRestorePrivilege	1588	wmic.exe
Token: SeShutdownPrivilege	1588	wmic.exe
Token: SeDebugPrivilege	1588	wmic.exe
Token: SeSystemEnvironmentPrivilege	1588	wmic.exe
Token: SeRemoteShutdownPrivilege	1588	wmic.exe
Token: SeUndockPrivilege	1588	wmic.exe
Token: SeManageVolumePrivilege	1588	wmic.exe
Token: 33	1588	wmic.exe
Token: 34	1588	wmic.exe
Token: 35	1588	wmic.exe
Token: SeIncreaseQuotaPrivilege	1564	wmic.exe
Token: SeSecurityPrivilege	1564	wmic.exe
Token: SeTakeOwnershipPrivilege	1564	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1628	2940	05e24ae035290c443e0de41727659ca7.exe	42
PID 2940 wrote to memory of 1628	2940	05e24ae035290c443e0de41727659ca7.exe	42
PID 2940 wrote to memory of 1628	2940	05e24ae035290c443e0de41727659ca7.exe	42
PID 2940 wrote to memory of 1628	2940	05e24ae035290c443e0de41727659ca7.exe	42
PID 1628 wrote to memory of 2760	1628	File.exe	41
PID 1628 wrote to memory of 2760	1628	File.exe	41
PID 1628 wrote to memory of 2760	1628	File.exe	41
PID 1628 wrote to memory of 2760	1628	File.exe	41
PID 2760 wrote to memory of 2680	2760	1432220532.exe	29
PID 2760 wrote to memory of 2680	2760	1432220532.exe	29
PID 2760 wrote to memory of 2680	2760	1432220532.exe	29
PID 2760 wrote to memory of 2680	2760	1432220532.exe	29
PID 2760 wrote to memory of 1588	2760	1432220532.exe	39
PID 2760 wrote to memory of 1588	2760	1432220532.exe	39
PID 2760 wrote to memory of 1588	2760	1432220532.exe	39
PID 2760 wrote to memory of 1588	2760	1432220532.exe	39
PID 2760 wrote to memory of 1564	2760	1432220532.exe	38
PID 2760 wrote to memory of 1564	2760	1432220532.exe	38
PID 2760 wrote to memory of 1564	2760	1432220532.exe	38
PID 2760 wrote to memory of 1564	2760	1432220532.exe	38
PID 2760 wrote to memory of 2264	2760	1432220532.exe	37
PID 2760 wrote to memory of 2264	2760	1432220532.exe	37
PID 2760 wrote to memory of 2264	2760	1432220532.exe	37
PID 2760 wrote to memory of 2264	2760	1432220532.exe	37
PID 2760 wrote to memory of 2276	2760	1432220532.exe	34
PID 2760 wrote to memory of 2276	2760	1432220532.exe	34
PID 2760 wrote to memory of 2276	2760	1432220532.exe	34
PID 2760 wrote to memory of 2276	2760	1432220532.exe	34
PID 2760 wrote to memory of 2300	2760	1432220532.exe	35
PID 2760 wrote to memory of 2300	2760	1432220532.exe	35
PID 2760 wrote to memory of 2300	2760	1432220532.exe	35
PID 2760 wrote to memory of 2300	2760	1432220532.exe	35

C:\Users\Admin\AppData\Local\Temp\05e24ae035290c443e0de41727659ca7.exe
"C:\Users\Admin\AppData\Local\Temp\05e24ae035290c443e0de41727659ca7.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1628

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703912518.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703912518.txt bios get version
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:2300

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703912518.txt bios get version
1⤵
PID:2264

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703912518.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703912518.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\1432220532.exe
C:\Users\Admin\AppData\Local\Temp\1432220532.exe 1/7/9/6/7/9/9/5/0/9/3 LklAPjYqJy0yFyxSTjlKQjs0KyAmS0RNTklLQkA/PScdLj1ATU1AOzgyJy84MBcpPEA7ODAXLE9LRj5OOktaSTs6MC8wLhkmSkBSTUJRWExMRTRfb3RnNy4oamxvJTtAU0IqU0hHJzpHRylJRUNOGSY9RUA6Rkk7OnZCKlBFLC5DUEI2VEZMPUQ+LE85JzYxLRcpPSg0NDAnMB8oOyw2JCgbLzswPCYoGig7KzgtKB0uPSw3JigXKlBJTENOOk5YR0lEVjhAWDYXKUlJRj9VOlFePkxGOjQXKlBJTENOOk5YRThIRTQdLj5PP1hMSUc9FyxEUTxZPEQ7R0lFQjwZJkJISktaQklMVkw8TDYpFypUPz5NRFBJTlZMTUw0HS5PRDcrFyY/Uyg6HyhJT0dLQEhFVlRERTpJRjxASEE+QlRLQzcZJkBOX0lSTU1ARz40a211XB0uSzxOTklFRE4+XFRMPExYOzhUUzQvHyg/Qz08TzgxFyxITFY+UkU4SEk6XERHOkxSR0tARDRjYGVqXxkmO0pXRUlOOjtZQkc0LDctKzAuJSsrKSUtMjAdLk1ARz40KC8zKS8xKy8uLRcmP09OS0tIOD5YS0BIRTQyLisoKSsnKDAqKjczKTEuLSFHSCAmUkA2RGlzYGNnYRwvZS4lKiQfTmRuW2x2bCJITSItKTEgKEBpZ2ZeTlxdS2BxJCtdLywuJS42IiVKQUtHRRwpXitjZmpeIkFeWmJqKSJAZ2tmZ14cKWE0KCsvJyksMCklLDEvKFhaOWxobmpgchwvZSosKC0lKS03KSsyLSkzJEpYYWFpZiQrXS8sLiUuNhcsVEtDN2Fra2slKl4kK10fK11eYHQlLTArK1snYGVhbxwvZUtsaE1gZGBEZnRtZWZbXURYaWFeYnFYW19pY2Z0JSljMC0qLCspKTM0LCIxXyguLCkpLTIvMTQeKWAqKyotMikvNy0sHyxdKy44LTA3MS4uKShQLUpqSkM+Kls9UG1IRDxySCpuLUVwXmxNYUpsWnFlbkNhSHg/algrQz1TYUNPb29IaClpQmUnbEtTbnFIKm5uSGBMa0gpPi9JOmVuP2MveUVQVGpAZ1NmWEJKZFQxaVtIUG9fX0hJcEgqa2dTY2tlWWQ+OF1iT3BLYlR5Qy1BQ0l0ZUxKUUkuT1RKa049QGpKVDx0SCs9Xls+UCxLcEc1Wj5xL0Je
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
memory/2940-1-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2940-0-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-65-0x000000001B040000-0x000000001B0B8000-memory.dmp

Filesize
480KB

Download
memory/2940-100-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download