fdbca31cd38fb195293b5ddbbc06f106e6e76472cfede0c3a672c8c2b4f20f02

Analysis

max time kernel
139s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

456d452fc3f5dd6c74f2c6a850637927.exe
Size

28KB
MD5

456d452fc3f5dd6c74f2c6a850637927
SHA1

8e1beef634758398567d488742b43e0954e3bc7f
SHA256

fdbca31cd38fb195293b5ddbbc06f106e6e76472cfede0c3a672c8c2b4f20f02
SHA512

6780209b0d52c0ab596f59ca0063df0dddbefbb26c3e5df1e9a6ef81e8ee5af5b68ad762977454a7eef6f85c596ae914fd21e6e6af8cb5dcea2daeca854a9978
SSDEEP

768:s5budtdIjwCdx70xKWB5mB0wE8trgzdHV:7dIj45a0qWL

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 35 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
820	attrib.exe
664	attrib.exe
2764	attrib.exe
2584	attrib.exe
1512	attrib.exe
1864	attrib.exe
2680	attrib.exe
528	attrib.exe
1528	attrib.exe
1344	attrib.exe
568	attrib.exe
2856	attrib.exe
2116	attrib.exe
1664	attrib.exe
2508	attrib.exe
2020	attrib.exe
1384	attrib.exe
1040	attrib.exe
1748	attrib.exe
2168	attrib.exe
1640	attrib.exe
2480	attrib.exe
1612	attrib.exe
1008	attrib.exe
2948	attrib.exe
2908	attrib.exe
2436	attrib.exe
1908	attrib.exe
364	attrib.exe
2516	attrib.exe
1892	attrib.exe
2088	attrib.exe
2588	attrib.exe
3024	attrib.exe
904	attrib.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\connnet.bat	456d452fc3f5dd6c74f2c6a850637927.exe

Gathers network information 2 TTPs 7 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2256	ipconfig.exe
2076	ipconfig.exe
2212	ipconfig.exe
1940	ipconfig.exe
2616	ipconfig.exe
2572	ipconfig.exe
1356	ipconfig.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
3028	PING.EXE
2472	PING.EXE
2528	PING.EXE
2164	PING.EXE
1868	PING.EXE
1368	PING.EXE
2124	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3000	2436	456d452fc3f5dd6c74f2c6a850637927.exe	41
PID 2436 wrote to memory of 3000	2436	456d452fc3f5dd6c74f2c6a850637927.exe	41
PID 2436 wrote to memory of 3000	2436	456d452fc3f5dd6c74f2c6a850637927.exe	41
PID 2436 wrote to memory of 3000	2436	456d452fc3f5dd6c74f2c6a850637927.exe	41
PID 3000 wrote to memory of 2348	3000	cmd.exe	43
PID 3000 wrote to memory of 2348	3000	cmd.exe	43
PID 3000 wrote to memory of 2348	3000	cmd.exe	43
PID 3000 wrote to memory of 2348	3000	cmd.exe	43
PID 3000 wrote to memory of 1988	3000	cmd.exe	44
PID 3000 wrote to memory of 1988	3000	cmd.exe	44
PID 3000 wrote to memory of 1988	3000	cmd.exe	44
PID 3000 wrote to memory of 1988	3000	cmd.exe	44
PID 3000 wrote to memory of 2204	3000	cmd.exe	45
PID 3000 wrote to memory of 2204	3000	cmd.exe	45
PID 3000 wrote to memory of 2204	3000	cmd.exe	45
PID 3000 wrote to memory of 2204	3000	cmd.exe	45
PID 3000 wrote to memory of 2124	3000	cmd.exe	46
PID 3000 wrote to memory of 2124	3000	cmd.exe	46
PID 3000 wrote to memory of 2124	3000	cmd.exe	46
PID 3000 wrote to memory of 2124	3000	cmd.exe	46
PID 3000 wrote to memory of 1908	3000	cmd.exe	47
PID 3000 wrote to memory of 1908	3000	cmd.exe	47
PID 3000 wrote to memory of 1908	3000	cmd.exe	47
PID 3000 wrote to memory of 1908	3000	cmd.exe	47
PID 3000 wrote to memory of 1164	3000	cmd.exe	48
PID 3000 wrote to memory of 1164	3000	cmd.exe	48
PID 3000 wrote to memory of 1164	3000	cmd.exe	48
PID 3000 wrote to memory of 1164	3000	cmd.exe	48
PID 3000 wrote to memory of 1152	3000	cmd.exe	49
PID 3000 wrote to memory of 1152	3000	cmd.exe	49
PID 3000 wrote to memory of 1152	3000	cmd.exe	49
PID 3000 wrote to memory of 1152	3000	cmd.exe	49
PID 3000 wrote to memory of 528	3000	cmd.exe	50
PID 3000 wrote to memory of 528	3000	cmd.exe	50
PID 3000 wrote to memory of 528	3000	cmd.exe	50
PID 3000 wrote to memory of 528	3000	cmd.exe	50
PID 3000 wrote to memory of 1648	3000	cmd.exe	51
PID 3000 wrote to memory of 1648	3000	cmd.exe	51
PID 3000 wrote to memory of 1648	3000	cmd.exe	51
PID 3000 wrote to memory of 1648	3000	cmd.exe	51
PID 3000 wrote to memory of 1108	3000	cmd.exe	52
PID 3000 wrote to memory of 1108	3000	cmd.exe	52
PID 3000 wrote to memory of 1108	3000	cmd.exe	52
PID 3000 wrote to memory of 1108	3000	cmd.exe	52
PID 3000 wrote to memory of 568	3000	cmd.exe	53
PID 3000 wrote to memory of 568	3000	cmd.exe	53
PID 3000 wrote to memory of 568	3000	cmd.exe	53
PID 3000 wrote to memory of 568	3000	cmd.exe	53
PID 3000 wrote to memory of 556	3000	cmd.exe	54
PID 3000 wrote to memory of 556	3000	cmd.exe	54
PID 3000 wrote to memory of 556	3000	cmd.exe	54
PID 3000 wrote to memory of 556	3000	cmd.exe	54
PID 3000 wrote to memory of 2464	3000	cmd.exe	55
PID 3000 wrote to memory of 2464	3000	cmd.exe	55
PID 3000 wrote to memory of 2464	3000	cmd.exe	55
PID 3000 wrote to memory of 2464	3000	cmd.exe	55
PID 3000 wrote to memory of 1528	3000	cmd.exe	56
PID 3000 wrote to memory of 1528	3000	cmd.exe	56
PID 3000 wrote to memory of 1528	3000	cmd.exe	56
PID 3000 wrote to memory of 1528	3000	cmd.exe	56
PID 3000 wrote to memory of 820	3000	cmd.exe	57
PID 3000 wrote to memory of 820	3000	cmd.exe	57
PID 3000 wrote to memory of 820	3000	cmd.exe	57
PID 3000 wrote to memory of 820	3000	cmd.exe	57

Views/modifies file attributes 1 TTPs 49 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1512	attrib.exe
1664	attrib.exe
1008	attrib.exe
2436	attrib.exe
2948	attrib.exe
364	attrib.exe
568	attrib.exe
1040	attrib.exe
3032	attrib.exe
1864	attrib.exe
1572	attrib.exe
2480	attrib.exe
2272	attrib.exe
1908	attrib.exe
1384	attrib.exe
2516	attrib.exe
2132	attrib.exe
1060	attrib.exe
2932	attrib.exe
2908	attrib.exe
2020	attrib.exe
2116	attrib.exe
1988	attrib.exe
664	attrib.exe
2168	attrib.exe
1344	attrib.exe
2088	attrib.exe
1732	attrib.exe
1660	attrib.exe
1748	attrib.exe
2348	attrib.exe
820	attrib.exe
2724	attrib.exe
1640	attrib.exe
2680	attrib.exe
1528	attrib.exe
3024	attrib.exe
2508	attrib.exe
2856	attrib.exe
2764	attrib.exe
2588	attrib.exe
528	attrib.exe
1892	attrib.exe
2492	attrib.exe
1612	attrib.exe
2584	attrib.exe
1544	attrib.exe
372	attrib.exe
904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\456d452fc3f5dd6c74f2c6a850637927.exe
"C:\Users\Admin\AppData\Local\Temp\456d452fc3f5dd6c74f2c6a850637927.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\connnet.bat
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.exe
    3⤵
    - Views/modifies file attributes
    PID:2348
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1988
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i d
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1908
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i e
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:528
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i f
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h f:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:568
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:556
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i g
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1528
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:820
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2076
- - C:\Windows\SysWOW64\find.exe
    find /i "ip address"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 10
    3⤵
    - Runs ping.exe
    PID:3028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.exe
    3⤵
    - Views/modifies file attributes
    PID:1660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1060
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i d
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1040
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i e
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:904
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:916
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i f
    3⤵
    PID:944
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h f:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3024
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i g
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2508
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2020
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2212
- - C:\Windows\SysWOW64\find.exe
    find /i "ip address"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 10
    3⤵
    - Runs ping.exe
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.exe
    3⤵
    - Views/modifies file attributes
    PID:2492
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1664
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1612
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i f
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h f:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2856
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:664
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1748
- - C:\Windows\SysWOW64\find.exe
    find /i "ip address"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1940
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 10
    3⤵
    - Runs ping.exe
    PID:2528
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i g
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i e
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i d
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.exe
    3⤵
    - Views/modifies file attributes
    PID:1572
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2724
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i d
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2764
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i e
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2168
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i f
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h f:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1008
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i g
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2588
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2616
- - C:\Windows\SysWOW64\find.exe
    find /i "ip address"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 10
    3⤵
    - Runs ping.exe
    PID:2164
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.exe
    3⤵
    - Views/modifies file attributes
    PID:3032
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2932
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i d
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2948
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i e
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1640
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i f
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h f:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1384
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i g
    3⤵
    PID:320
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:364
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1512
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2572
- - C:\Windows\SysWOW64\find.exe
    find /i "ip address"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 10
    3⤵
    - Runs ping.exe
    PID:1868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.exe
    3⤵
    - Views/modifies file attributes
    PID:1544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:372
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i d
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2908
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i e
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2480
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i f
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h f:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1344
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i g
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2516
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1892
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1356
- - C:\Windows\SysWOW64\find.exe
    find /i "ip address"
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 10
    3⤵
    - Runs ping.exe
    PID:1368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2272
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:324
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\find.exe
    find /i "ip address"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 10
    3⤵
    - Runs ping.exe
    PID:2124
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2256
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Windows\system32\autorun.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1864
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i g
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h f:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2680
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i f
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2088
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i e
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2116
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i d
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h C:\Windows\system32\autorun.exe
    3⤵
    - Views/modifies file attributes
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\connnet.bat

Filesize
1KB

MD5
b98815376e84088cf0a7806b7d8a29d4

SHA1
78e39ecdb77bc39e32a061984d58dede852a9e28

SHA256
c4284b4a2dea1d0cf28b307cc6d632b53988e15a0cce24b94c9430587d2dfd2e

SHA512
139fd77860a3090b3d24e1dccdc4388de1856917a4fbbdac9b7b7afba843672181facd683f631e24cb4349ebff52b04fee8b047e0064d1c0f15686725a09cd4c

Download Submit
memory/2436-0-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/2436-14-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads