Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-02-2024 22:22
Behavioral task behavioral1: Sample a77f9f8096b832ba68658b03c5410b22.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample a77f9f8096b832ba68658b03c5410b22.exe, Resource win10v2004-20240226-en
General
Target: a77f9f8096b832ba68658b03c5410b22.exe
Size: 3.8MB
MD5: a77f9f8096b832ba68658b03c5410b22
SHA1: 8b7465cefc92c07bff66d5df85321f3a97579110
SHA256: 3684ae4716bf63da137d84df3b52dc186bd234087432fb19a4c62410a894a667
SHA512: abc5be37885881e862005518c6bfd924d10ea797bf1e0a6757acade539aafc5240c21902b5179730c446e017188561a26d226461cf138c008efd5c02aeb4a451
SSDEEP: 98304:WxM5bQFedwc1W+V50StngH32LFw1T0ndB5bLeYlmv4L/BXfJMx3rKmf8h1vy:mMZaLkXtUxQdB5bLeYlEyBXfJMx7KmEe
Malware Config
Extracted family: warzonerat
C2: 111.90.146.200:5200
Signatures
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native Windows RAT written in C++ and sold as malware-as-a-service (MaaS) with multiple plugins.
-
Warzone RAT payload 17 IoCs
resource | yara_rule
behavioral1/memory/2656-12-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2656-18-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2656-25-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2656-39-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2504-56-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2504-71-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2716-79-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2504-85-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/1524-102-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/1524-113-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2716-117-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2932-133-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2932-139-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/3032-155-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/3032-158-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2844-173-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2844-176-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
Every hit lies in the same 0x00400000-0x00553000 region, and every PID listed (2656, 2504, 2716, 1524, 2932, 3032, 2844) is a SetThreadContext target in the signature below: the same unpacked Warzone image is written into each hollowed child.
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs | notepad.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | test.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | test.exe
Executes dropped EXE 63 IoCs
pid Process 2864 test.exe 2656 test.exe 2704 test.exe 2616 images.exe 2456 test.exe 2504 images.exe 2904 images.exe 2716 test.exe 2752 test.exe 1384 images.exe 1524 images.exe 1084 images.exe 1460 images.exe 2932 images.exe 1200 images.exe 2232 images.exe 3032 images.exe 2120 images.exe 1920 images.exe 2844 images.exe 2848 images.exe 1928 images.exe 944 images.exe 2988 images.exe 2000 images.exe 3008 images.exe 1540 images.exe 2212 images.exe 2128 images.exe 1712 images.exe 2532 images.exe 3004 images.exe 2740 images.exe 1556 images.exe 2696 images.exe 2540 images.exe 2708 images.exe 2516 images.exe 1904 images.exe 2224 images.exe 2936 images.exe 2208 images.exe 1484 images.exe 1664 images.exe 2348 images.exe 616 images.exe 576 images.exe 1764 images.exe 3040 images.exe 1096 images.exe 760 images.exe 2724 images.exe 2992 images.exe 3044 images.exe 1168 images.exe 2196 images.exe 2856 images.exe 636 images.exe 2020 images.exe 1812 images.exe 2028 images.exe 892 images.exe 2360 images.exe -
Loads dropped DLL 9 IoCs
pid Process 1628 cmd.exe 1628 cmd.exe 2864 test.exe 2864 test.exe 2656 test.exe 2656 test.exe 2704 test.exe 2456 test.exe 2456 test.exe -
UPX packed file 2 IoCs
resource | yara_rule
behavioral1/memory/2524-1-0x0000000000400000-0x0000000000C00000-memory.dmp | upx
behavioral1/memory/2524-21-0x0000000000400000-0x0000000000C00000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | test.exe
Suspicious use of SetThreadContext 21 IoCs
description | pid | Process | procid_target
PID 2864 set thread context of 2656 | 2864 | test.exe | 32
PID 2616 set thread context of 2504 | 2616 | images.exe | 39
PID 2456 set thread context of 2716 | 2456 | test.exe | 43
PID 1384 set thread context of 1524 | 1384 | images.exe | 46
PID 1460 set thread context of 2932 | 1460 | images.exe | 52
PID 2232 set thread context of 3032 | 2232 | images.exe | 56
PID 1920 set thread context of 2844 | 1920 | images.exe | 60
PID 1928 set thread context of 944 | 1928 | images.exe | 64
PID 2000 set thread context of 3008 | 2000 | images.exe | 68
PID 2212 set thread context of 2128 | 2212 | images.exe | 72
PID 2532 set thread context of 3004 | 2532 | images.exe | 76
PID 1556 set thread context of 2696 | 1556 | images.exe | 80
PID 2708 set thread context of 2516 | 2708 | images.exe | 84
PID 2224 set thread context of 2936 | 2224 | images.exe | 88
PID 1484 set thread context of 1664 | 1484 | images.exe | 92
PID 616 set thread context of 576 | 616 | images.exe | 96
PID 3040 set thread context of 1096 | 3040 | images.exe | 100
PID 2724 set thread context of 2992 | 2724 | images.exe | 104
PID 1168 set thread context of 2196 | 1168 | images.exe | 108
PID 636 set thread context of 2020 | 636 | images.exe | 112
PID 2028 set thread context of 892 | 2028 | images.exe | 116
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\ProgramData:ApplicationData | test.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2864 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2704 test.exe 2616 images.exe 2704 test.exe 2456 test.exe 2904 images.exe 2904 images.exe 2904 images.exe 2752 test.exe 2752 test.exe 2904 images.exe 2752 test.exe 2752 test.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 2752 test.exe 2752 test.exe 2904 images.exe 2752 test.exe 2904 images.exe 1384 images.exe 2752 test.exe 2752 test.exe 2752 test.exe 2792 powershell.exe 1084 images.exe -
Suspicious behavior: MapViewOfSection 21 IoCs
pid Process 2864 test.exe 2616 images.exe 2456 test.exe 1384 images.exe 1460 images.exe 2232 images.exe 1920 images.exe 1928 images.exe 2000 images.exe 2212 images.exe 2532 images.exe 1556 images.exe 2708 images.exe 2224 images.exe 1484 images.exe 616 images.exe 3040 images.exe 2724 images.exe 1168 images.exe 636 images.exe 2028 images.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2792 | powershell.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs (identical entries collapsed; count in the last column)
description | pid | Process | procid_target | entries
PID 2524 wrote to memory of 1628 | 2524 | a77f9f8096b832ba68658b03c5410b22.exe | 29 | 4
PID 1628 wrote to memory of 2864 | 1628 | cmd.exe | 30 | 4
PID 2864 wrote to memory of 2584 | 2864 | test.exe | 31 | 6
PID 2864 wrote to memory of 2656 | 2864 | test.exe | 32 | 4
PID 2864 wrote to memory of 2704 | 2864 | test.exe | 33 | 4
PID 2656 wrote to memory of 2792 | 2656 | test.exe | 34 | 4
PID 2656 wrote to memory of 2616 | 2656 | test.exe | 36 | 4
PID 2616 wrote to memory of 2436 | 2616 | images.exe | 37 | 6
PID 2616 wrote to memory of 2504 | 2616 | images.exe | 39 | 4
PID 2704 wrote to memory of 2456 | 2704 | test.exe | 40 | 4
PID 2616 wrote to memory of 2904 | 2616 | images.exe | 38 | 4
PID 2456 wrote to memory of 2968 | 2456 | test.exe | 41 | 6
PID 2456 wrote to memory of 2716 | 2456 | test.exe | 43 | 4
PID 2456 wrote to memory of 2752 | 2456 | test.exe | 42 | 4
PID 2904 wrote to memory of 1384 | 2904 | images.exe | 44 | 2
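The signatures above can be read together as one repeating pattern: a parent calls SetThreadContext on a freshly started copy of itself, the Warzone yara rule then fires on the child's 0x00400000-0x00553000 region, and a sibling is launched with the arguments `2 <pid of the hollowed child> <number>`. The script below, an added example that is not part of the sandbox report or of any sandbox's code, correlates excerpts of those signature lines into that chain. The excerpts are copied from this report; the regexes for the line formats and the chain model itself are this example's assumptions, and the meaning of the trailing numeric argument is neither decoded by the report nor assumed here.

```python
"""Correlate the signatures above into process-hollowing chains with their watchdogs.

Added example (not part of the sandbox report, nor of any sandbox's code).
The three inputs are excerpts copied from this report's signature and process-tree
text; the line formats the regexes assume, and the chain model itself, are this
example's assumptions about how to read that output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt of "Suspicious use of SetThreadContext" (first five of 21 entries).
SET_THREAD_CONTEXT = """
PID 2864 set thread context of 2656 2864 test.exe 32
PID 2616 set thread context of 2504 2616 images.exe 39
PID 2456 set thread context of 2716 2456 test.exe 43
PID 1384 set thread context of 1524 1384 images.exe 46
PID 1460 set thread context of 2932 1460 images.exe 52
"""

# Excerpt of the yara memory hits (one warzonerat hit per child, plus the upx hit on the dropper).
MEMORY_HITS = """
behavioral1/memory/2656-12-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral1/memory/2504-56-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral1/memory/2716-79-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral1/memory/1524-102-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral1/memory/2932-133-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral1/memory/2524-1-0x0000000000400000-0x0000000000C00000-memory.dmp upx
"""

# (pid, command line) pairs copied from the process tree.
COMMAND_LINES = [
    (2704, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe" 2 2656 259406917'),
    (2904, '"C:\\ProgramData\\images.exe" 2 2504 259410146'),
    (2752, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe" 2 2716 259411098'),
    (1084, '"C:\\ProgramData\\images.exe" 2 1524 259413391'),
    (1200, '"C:\\ProgramData\\images.exe" 2 2932 259415263'),
    (2792, "powershell Add-MpPreference -ExclusionPath C:\\"),
]

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp (\w+)")
# Relaunch convention seen in the tree: "<exe>" 2 <pid of hollowed sibling> <number>.
# The trailing number is not decoded by the report and is not interpreted here.
WATCHDOG_RE = re.compile(r'^"([^"]+)" 2 (\d+) \d+$')


@dataclass
class HollowChain:
    injector: int                   # parent that called SetThreadContext
    hollowed: int                   # child whose thread context was replaced
    image: str                      # image name of the injector
    yara_hits: List[Tuple[str, int, int]] = field(default_factory=list)  # (rule, start, end)
    watchdog: Optional[int] = None  # pid launched with "2 <hollowed pid> <n>"


def parse_set_thread_context(text: str) -> List[Tuple[int, int, str]]:
    return [(int(m[1]), int(m[2]), m[3]) for m in STC_RE.finditer(text)]


def parse_memory_hits(text: str) -> Dict[int, List[Tuple[str, int, int]]]:
    hits: Dict[int, List[Tuple[str, int, int]]] = {}
    for m in DUMP_RE.finditer(text):
        hits.setdefault(int(m[1]), []).append((m[4], int(m[2], 16), int(m[3], 16)))
    return hits


def build_chains(stc_text, dump_text, cmdlines) -> Dict[int, HollowChain]:
    """Key each chain by the hollowed child's pid, then attach yara hits and watchdogs."""
    chains = {h: HollowChain(i, h, img) for i, h, img in parse_set_thread_context(stc_text)}
    for pid, hits in parse_memory_hits(dump_text).items():
        if pid in chains:
            chains[pid].yara_hits = hits
    for pid, cmd in cmdlines:
        m = WATCHDOG_RE.match(cmd)
        if m and int(m[2]) in chains:
            chains[int(m[2])].watchdog = pid
    return chains


def unattributed_hits(stc_text, dump_text) -> Dict[int, List[Tuple[str, int, int]]]:
    """Yara hits in processes that were never a SetThreadContext target (here: the packed dropper)."""
    targets = {h for _, h, _ in parse_set_thread_context(stc_text)}
    return {p: h for p, h in parse_memory_hits(dump_text).items() if p not in targets}


def common_mapped_range(chains: Dict[int, HollowChain]) -> Optional[Tuple[int, int]]:
    """The single (start, end) region shared by every hollowed child's hit, or None if they differ."""
    ranges = {(s, e) for c in chains.values() for _, s, e in c.yara_hits}
    return ranges.pop() if len(ranges) == 1 else None


if __name__ == "__main__":
    for c in build_chains(SET_THREAD_CONTEXT, MEMORY_HITS, COMMAND_LINES).values():
        print(f"{c.image} {c.injector} -> hollowed {c.hollowed} "
              f"[{', '.join(r for r, _, _ in c.yara_hits)}] watchdog={c.watchdog}")
```

On the full 21-entry signature the same correlation holds for every target PID that has a memory dump; the `upx` hit on PID 2524 stays unattributed because the dropper is the packed parent, not a hollowed child.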
Processes
-
C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c test.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\test.exetest.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"4⤵
- Drops startup file
PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\test.exetest.exe4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"6⤵PID:2436
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2504 2594101466⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1384 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"8⤵PID:1972
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"8⤵
- Executes dropped EXE
PID:1524
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 1524 2594133918⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1084 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1460 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"10⤵PID:596
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"10⤵
- Executes dropped EXE
PID:2932
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2932 25941526310⤵
- Executes dropped EXE
PID:1200 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2232 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"12⤵PID:2824
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"12⤵
- Executes dropped EXE
PID:3032
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 3032 25941783712⤵
- Executes dropped EXE
PID:2120 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1920 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"14⤵PID:888
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"14⤵
- Executes dropped EXE
PID:2844
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2844 25941930414⤵
- Executes dropped EXE
PID:2848 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1928 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"16⤵PID:1684
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"16⤵
- Executes dropped EXE
PID:944
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 944 25942069216⤵
- Executes dropped EXE
PID:2988 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2000 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"18⤵PID:3056
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"18⤵
- Executes dropped EXE
PID:3008
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 3008 25942234618⤵
- Executes dropped EXE
PID:1540 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2212 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"20⤵PID:2408
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"20⤵
- Executes dropped EXE
PID:2128
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2128 25942396820⤵
- Executes dropped EXE
PID:1712 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2532 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"22⤵PID:2580
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"22⤵
- Executes dropped EXE
PID:3004
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 3004 25942535722⤵
- Executes dropped EXE
PID:2740 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1556 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"24⤵PID:2548
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"24⤵
- Executes dropped EXE
PID:2696
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2696 25942683924⤵
- Executes dropped EXE
PID:2540 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2708 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"26⤵PID:2560
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"26⤵
- Executes dropped EXE
PID:2516
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2516 25942850826⤵
- Executes dropped EXE
PID:1904 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2224 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"28⤵PID:2688
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"28⤵
- Executes dropped EXE
PID:2936
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2936 25943047328⤵
- Executes dropped EXE
PID:2208 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1484 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"30⤵PID:1992
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"30⤵
- Executes dropped EXE
PID:1664
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 1664 25943223630⤵
- Executes dropped EXE
PID:2348 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:616 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"32⤵PID:1656
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"32⤵
- Executes dropped EXE
PID:576
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 576 25943396832⤵
- Executes dropped EXE
PID:1764 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3040 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"34⤵PID:2872
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"34⤵
- Executes dropped EXE
PID:1096
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 1096 25943590234⤵
- Executes dropped EXE
PID:760 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2724 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"36⤵PID:2296
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"36⤵
- Executes dropped EXE
PID:2992
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2992 25943774336⤵
- Executes dropped EXE
PID:3044 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1168 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"38⤵PID:2536
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"38⤵
- Executes dropped EXE
PID:2196
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2196 25943941238⤵
- Executes dropped EXE
PID:2856 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:636 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"40⤵PID:1144
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"40⤵
- Executes dropped EXE
PID:2020
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 2020 25944114440⤵
- Executes dropped EXE
PID:1812 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2028 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"42⤵PID:676
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"42⤵
- Executes dropped EXE
PID:892
-
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe" 2 892 25944286042⤵
- Executes dropped EXE
PID:2360
C:\ProgramData\images.exe"C:\ProgramData\images.exe"6⤵
- Executes dropped EXE
PID:2504
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2656 2594069174⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"6⤵PID:2968
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2716 2594110986⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"6⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268
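The process tree records four host-side behaviours worth alerting on regardless of the family: the Defender exclusion (`Add-MpPreference -ExclusionPath C:\`), the Run key pointing into C:\ProgramData, drops into the Startup folder (including the `programs.bat:start` stream), the alternate data stream on `C:\ProgramData`, and the self-relaunch with `2 <pid> <number>`. The following detection logic is an added example, not part of the sandbox report and not a vendor rule set. Its events are constructed by hand from the tree above in a flattened, Sysmon-like shape (id 1 = process create, 11 = file create, 13 = registry value set); the field names, the rules and the benign control event are this example's assumptions.

```python
"""Detection logic for the persistence and evasion behaviours recorded in the process tree.

Added example (not part of the sandbox report). The events below are constructed
by hand from the tree above in a flattened, Sysmon-like shape (id 1 = process create,
11 = file create, 13 = registry value set); the field names and the five rules are
this example's assumptions, not a vendor's schema or rule set.
"""
import re
from typing import Callable, Dict, List, Tuple

EVENTS = [
    {"id": 1, "pid": 2792, "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"id": 13, "pid": 2656, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe",
     "target": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
     "details": "C:\\ProgramData\\images.exe"},
    {"id": 11, "pid": 2584, "image": "C:\\Windows\\SysWOW64\\notepad.exe",
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\image.vbs"},
    {"id": 11, "pid": 2656, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe",
     "target": "C:\\ProgramData:ApplicationData"},
    {"id": 11, "pid": 2656, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe",
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start"},
    {"id": 1, "pid": 2904, "image": "C:\\ProgramData\\images.exe",
     "parent_image": "C:\\ProgramData\\images.exe",
     "cmdline": '"C:\\ProgramData\\images.exe" 2 2504 259410146'},
    # Constructed benign control: an interactive notepad launch must not alert.
    {"id": 1, "pid": 4242, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": '"C:\\Windows\\System32\\notepad.exe" notes.txt'},
]

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# A drive-letter path whose last component carries a ":stream" suffix (NTFS alternate data stream).
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")
# The relaunch convention seen in the tree: "<exe>" 2 <pid> <number>, run by the same image.
WATCHDOG_RE = re.compile(r'^"([^"]+)" 2 \d+ \d+$')


def rule_defender_exclusion_added(ev: dict) -> bool:
    cmd = ev.get("cmdline", "").lower()
    return ev["id"] == 1 and "add-mppreference" in cmd and "-exclusionpath" in cmd


def rule_run_key_to_programdata(ev: dict) -> bool:
    return (ev["id"] == 13
            and "\\currentversion\\run\\" in ev["target"].lower()
            and ev["details"].lower().startswith("c:\\programdata\\"))


def rule_startup_folder_drop(ev: dict) -> bool:
    return ev["id"] == 11 and STARTUP_DIR in ev["target"].lower()


def rule_ads_write(ev: dict) -> bool:
    return ev["id"] == 11 and ADS_RE.match(ev["target"]) is not None


def rule_self_relaunch_watchdog(ev: dict) -> bool:
    if ev["id"] != 1:
        return False
    m = WATCHDOG_RE.match(ev["cmdline"])
    return bool(m) and m[1].lower() == ev["image"].lower() == ev["parent_image"].lower()


RULES: Dict[str, Callable[[dict], bool]] = {
    "defender_exclusion_added": rule_defender_exclusion_added,
    "run_key_to_programdata": rule_run_key_to_programdata,
    "startup_folder_drop": rule_startup_folder_drop,
    "ads_write": rule_ads_write,
    "self_relaunch_watchdog": rule_self_relaunch_watchdog,
}


def evaluate(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event/rule pair that fires; one event may hit several rules."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name:26} pid={pid}")
```

The `programs.bat:start` drop fires both the Startup-folder rule and the ADS rule, which is intended: a stream written under the Startup folder is a stronger signal than either alone. The ADS regex only looks at the path shape, so on a real host it should be paired with the writing process (here test.exe) to keep legitimate `Zone.Identifier` streams from browsers out of the alert queue.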
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 896KB
  MD5: 1bb85dabf28324af9128aaa56b6ed285
  SHA1: d6fe601514624be5c671415e3fb9378a0de37a63
  SHA256: 01fa5de76942c797e7b581036f985cbda1f7b70faeafaaaf7c8f84a472ffb79d
  SHA512: fc2c924b45c260084d2fc4bdf64628d1906258fd68ae59001401c739029f6e4fd570af946f911a177f2a20ef3f5e284248a0a1cb4dd11d9e503ea81bcb8d1ebb
- Filesize: 704KB
  MD5: 52627a572b33f868fefeefb94b9190d4
  SHA1: 9f41f71b092696defe4cf068389828b2632b9f7b
  SHA256: 67185fd41b66c02887794303c6d84ddf562ef870bca2da1d3731b8a93c4a2a71
  SHA512: e18329b1f6af57da86fa19a607b8760ea97881e52740e68471d5b6a2ff0c5c5f36ebb670f7c80f9367d38016abeeed1aff66d3886937b6d4c6941d51c7b7269b
- Filesize: 832KB
  MD5: eb98b0b09972cac8ba1d085be1ed860a
  SHA1: 387139baa019568b698e1b5020a48f1b66bdf87f
  SHA256: 02c96d2669ab605259cfba92b8be216b77fca988da0ccadb18824552bbe68005
  SHA512: 40a589645d1b510a06b2605025e46db47e6688c1190b9bfd06acab61615bbe5660eb38a3de289be554e8bf97c2dee9e58768c84331cd768dccd1557a41c4efbf
- Filesize: 448KB
  MD5: e08b44966543acbdb5444bbef1f6920e
  SHA1: 79d213780443d577968e8d583198ba27c8401d38
  SHA256: 774f828165e7254f8e762044f940cb56e923e73b3b20a158997867bcb30b5cb7
  SHA512: d641c7004c766187845e90e915ab22938ce178f1683df2778a1c80f24d36da80780eef54c294c51b0c8879e1970cfae168498c48535e8ff54a5bca6fd3e3e86b
- Filesize: 576KB
  MD5: 91b28ca3de12a917cd682a16ff4c8fb1
  SHA1: b8e1085711806046034dbedef31f1c8f81fcc80d
  SHA256: 3b452794db6bafcad6b1678343caa31305249be92e3c0e3e0acc583b00a78bb4
  SHA512: 613571338b07da13b35db21be39017980dc33a61d7b4e4b315239e5d62d65f62cc97a94665bb609a024743882332517e77f74d0c79e9214d8eefa57514e9ba31
- Filesize: 512KB
  MD5: d983fd0b78b5f0f5db285ee2b1b5c0a2
  SHA1: 80921be149a2b4997e90462465af5819283ecf72
  SHA256: a0932c824bd008775cba6a164c14519641197a9d7c5f7a1630226805985f1591
  SHA512: e4ad1787f10f2d1a336dad3b16bf6ac84ae6a92d09719a96ea0f030567d7399e7fe9300939ae68422190d15cd058378c1a33fc20b4f6ba9d74da399ebe18b1d2
- Filesize: 981KB
  MD5: 927f2eb4beb38d925b3f29888f4faa9e
  SHA1: 0de7008a074337d9437a145319681f608ac1baee
  SHA256: 042f3b72dd1f50e1d42935e31c8d8fd1dadd1c623f85440a47aafc29673e09e8
  SHA512: d71132e1e7d238a57b3557596ab955639f82647388cd32ee40ab98a593242a6eef50b3b699d8374ddfc69774f5c4a3c47fce1c26e1065f0aa90a9818da859411
- Filesize: 768KB
  MD5: 636b8f2c82559d9a4702c3f50af41db2
  SHA1: cb4d8436a38d5049a91df14aa5646ae158be4ccb
  SHA256: d278992af9409018161845115c196b7d7faf1843a8138bae5d1e7b2136d8ed65
  SHA512: 29abf16150295310a97fcdd0614e2629b9e850479aa113e708b438bc6e3d3f0237cd24c94badd47a8599adea2575251ddd2963175819572eca90d4d95b5e8299
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ef9528202cfc667b9d921d32fb20bd73
  SHA1: 1b59cbbc31c226b82bed7602dbaa95058d58dbaa
  SHA256: a1574c2c5b9ff3e8da9d16148b9a11518544ac331d5ca827fbe2e247b6482267
  SHA512: 2bb1ddbb49b64aa7a85cbd6e6626e4cc95295fefb663203cce7b9bb53e3cc6fc5c171b51d9bd1377d9be07b2cdb2f6d92f9b9567fb9c26a3ea0c076e214e2842
- Filesize: 944KB
  MD5: e045acd7da053280720f4404d1b19590
  SHA1: cc7793f62f016e03bee235b2a2ad003525d3d89c
  SHA256: 07bdd44042e474dda49baeda2c97f053366c87e126ebd0c9f904b8096fbd3823
  SHA512: 7dfe155250ec0824ff16cb538d7cf6360bdee683958ba864682889003d9c00e5f7c3cf13bae831cc7695b274e9e25b69b64aaeee68974b6d58402d3f666838cf