Analysis
  max time kernel: 142s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 27-02-2024 03:36

Static task: static1
Behavioral task: behavioral1
  Sample: a81de519432b6d76d9b881cff0cf9cef.exe
  Resource: win7-20240221-en
General
  Target: a81de519432b6d76d9b881cff0cf9cef.exe
  Size: 304KB
  MD5: a81de519432b6d76d9b881cff0cf9cef
  SHA1: e35a6446307b3e55db9097cee2cdeec87e6145b6
  SHA256: bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
  SHA512: eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730
  SSDEEP: 6144:qR1VpFoIbQFCgMWt14yRjfT/OlaazY660vT+YZj+0Ccdak:qR1VpWIUw/k14ojfifd60rbZQcck
Malware Config
Signatures
Detect Lumma Stealer payload V4 (24 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2208-8-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2208-12-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2208-14-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2208-16-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2208-150-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1972-167-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1972-277-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/292-306-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/292-415-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1276-445-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1276-553-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1776-582-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1776-707-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2580-721-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2580-846-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1340-860-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1340-987-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2556-993-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2556-1123-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1588-1138-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2372-1271-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/1588-1270-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2372-1400-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
behavioral1/memory/2108-1416-0x0000000000400000-0x0000000000517000-memory.dmp | family_lumma_v4
Modifies security service (2 TTPs, 22 IoCs)
Processes: regedit.exe (x11)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
A Start value of 4 is SERVICE_DISABLED; wscsvc is the Windows Security Center service and wuauserv is the Windows Update service, so each imported .reg file disables both.
Executes dropped EXE (20 IoCs)
Processes: netX.exe (x20)
pid | process
1880 | netX.exe
1972 | netX.exe
1452 | netX.exe
292 | netX.exe
736 | netX.exe
1276 | netX.exe
1036 | netX.exe
1776 | netX.exe
2500 | netX.exe
2580 | netX.exe
2272 | netX.exe
1340 | netX.exe
2600 | netX.exe
2556 | netX.exe
2712 | netX.exe
1588 | netX.exe
2336 | netX.exe
2372 | netX.exe
2820 | netX.exe
2108 | netX.exe
Loads dropped DLL (21 IoCs)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe, netX.exe (x10)
pid | process
2208 | a81de519432b6d76d9b881cff0cf9cef.exe
2208 | a81de519432b6d76d9b881cff0cf9cef.exe
1880 | netX.exe
1972 | netX.exe
1972 | netX.exe
292 | netX.exe
292 | netX.exe
1276 | netX.exe
1276 | netX.exe
1776 | netX.exe
1776 | netX.exe
2580 | netX.exe
2580 | netX.exe
1340 | netX.exe
1340 | netX.exe
2556 | netX.exe
2556 | netX.exe
1588 | netX.exe
1588 | netX.exe
2372 | netX.exe
2372 | netX.exe
Drops file in System32 directory (22 IoCs)
Processes: netX.exe, a81de519432b6d76d9b881cff0cf9cef.exe, netX.exe (x9)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | a81de519432b6d76d9b881cff0cf9cef.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | a81de519432b6d76d9b881cff0cf9cef.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File opened for modification | C:\Windows\SysWOW64\netX.exe | netX.exe
File created | C:\Windows\SysWOW64\netX.exe | netX.exe
Suspicious use of SetThreadContext (11 IoCs)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe, netX.exe (x10)
description | pid | process | target process
PID 3036 set thread context of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 1880 set thread context of 1972 | 1880 | netX.exe | netX.exe
PID 1452 set thread context of 292 | 1452 | netX.exe | netX.exe
PID 736 set thread context of 1276 | 736 | netX.exe | netX.exe
PID 1036 set thread context of 1776 | 1036 | netX.exe | netX.exe
PID 2500 set thread context of 2580 | 2500 | netX.exe | netX.exe
PID 2272 set thread context of 1340 | 2272 | netX.exe | netX.exe
PID 2600 set thread context of 2556 | 2600 | netX.exe | netX.exe
PID 2712 set thread context of 1588 | 2712 | netX.exe | netX.exe
PID 2336 set thread context of 2372 | 2336 | netX.exe | netX.exe
PID 2820 set thread context of 2108 | 2820 | netX.exe | netX.exe
Runs .reg file with regedit (11 IoCs)
Processes: regedit.exe (x11)
pid | process
2488 | regedit.exe
1756 | regedit.exe
2112 | regedit.exe
2420 | regedit.exe
1012 | regedit.exe
1836 | regedit.exe
2452 | regedit.exe
1184 | regedit.exe
2864 | regedit.exe
1080 | regedit.exe
592 | regedit.exe
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe, netX.exe (x10)
pid | process
3036 | a81de519432b6d76d9b881cff0cf9cef.exe
1880 | netX.exe
1452 | netX.exe
736 | netX.exe
1036 | netX.exe
2500 | netX.exe
2272 | netX.exe
2600 | netX.exe
2712 | netX.exe
2336 | netX.exe
2820 | netX.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe, a81de519432b6d76d9b881cff0cf9cef.exe, cmd.exe, netX.exe, netX.exe, cmd.exe, netX.exe, netX.exe, cmd.exe, netX.exe
description | pid | process | target process
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 3036 wrote to memory of 2208 | 3036 | a81de519432b6d76d9b881cff0cf9cef.exe | a81de519432b6d76d9b881cff0cf9cef.exe
PID 2208 wrote to memory of 2616 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | cmd.exe
PID 2208 wrote to memory of 2616 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | cmd.exe
PID 2208 wrote to memory of 2616 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | cmd.exe
PID 2208 wrote to memory of 2616 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | cmd.exe
PID 2208 wrote to memory of 1880 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | netX.exe
PID 2208 wrote to memory of 1880 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | netX.exe
PID 2208 wrote to memory of 1880 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | netX.exe
PID 2208 wrote to memory of 1880 | 2208 | a81de519432b6d76d9b881cff0cf9cef.exe | netX.exe
PID 2616 wrote to memory of 2864 | 2616 | cmd.exe | regedit.exe
PID 2616 wrote to memory of 2864 | 2616 | cmd.exe | regedit.exe
PID 2616 wrote to memory of 2864 | 2616 | cmd.exe | regedit.exe
PID 2616 wrote to memory of 2864 | 2616 | cmd.exe | regedit.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1880 wrote to memory of 1972 | 1880 | netX.exe | netX.exe
PID 1972 wrote to memory of 972 | 1972 | netX.exe | cmd.exe
PID 1972 wrote to memory of 972 | 1972 | netX.exe | cmd.exe
PID 1972 wrote to memory of 972 | 1972 | netX.exe | cmd.exe
PID 1972 wrote to memory of 972 | 1972 | netX.exe | cmd.exe
PID 972 wrote to memory of 1080 | 972 | cmd.exe | regedit.exe
PID 972 wrote to memory of 1080 | 972 | cmd.exe | regedit.exe
PID 972 wrote to memory of 1080 | 972 | cmd.exe | regedit.exe
PID 972 wrote to memory of 1080 | 972 | cmd.exe | regedit.exe
PID 1972 wrote to memory of 1452 | 1972 | netX.exe | netX.exe
PID 1972 wrote to memory of 1452 | 1972 | netX.exe | netX.exe
PID 1972 wrote to memory of 1452 | 1972 | netX.exe | netX.exe
PID 1972 wrote to memory of 1452 | 1972 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 1452 wrote to memory of 292 | 1452 | netX.exe | netX.exe
PID 292 wrote to memory of 2200 | 292 | netX.exe | cmd.exe
PID 292 wrote to memory of 2200 | 292 | netX.exe | cmd.exe
PID 292 wrote to memory of 2200 | 292 | netX.exe | cmd.exe
PID 292 wrote to memory of 2200 | 292 | netX.exe | cmd.exe
PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | regedit.exe
PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | regedit.exe
PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | regedit.exe
PID 2200 wrote to memory of 2488 | 2200 | cmd.exe | regedit.exe
PID 292 wrote to memory of 736 | 292 | netX.exe | netX.exe
PID 292 wrote to memory of 736 | 292 | netX.exe | netX.exe
PID 292 wrote to memory of 736 | 292 | netX.exe | netX.exe
PID 292 wrote to memory of 736 | 292 | netX.exe | netX.exe
PID 736 wrote to memory of 1276 | 736 | netX.exe | netX.exe
Processes
(Process tree; indentation shows parent/child depth, each entry gives the image path, its command line, the signatures it triggered and its PID.)

PID 3036: C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 2208: C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
    command line: C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID 2616: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c c:\a.bat
      - Suspicious use of WriteProcessMemory
      PID 2864: C:\Windows\SysWOW64\regedit.exe
        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        - Modifies security service
        - Runs .reg file with regedit
    PID 1880: C:\Windows\SysWOW64\netX.exe
      command line: C:\Windows\system32\netX.exe 512 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

PID 1972: C:\Windows\SysWOW64\netX.exe
  command line: "C:\Windows\SysWOW64\netX.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID 972: C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c c:\a.bat
    - Suspicious use of WriteProcessMemory
  PID 1452: C:\Windows\SysWOW64\netX.exe
    command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 292: C:\Windows\SysWOW64\netX.exe
      command line: "C:\Windows\SysWOW64\netX.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID 2200: C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c c:\a.bat
        - Suspicious use of WriteProcessMemory
        PID 2488: C:\Windows\SysWOW64\regedit.exe
          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          - Modifies security service
          - Runs .reg file with regedit
      PID 736: C:\Windows\SysWOW64\netX.exe
        command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 1276: C:\Windows\SysWOW64\netX.exe
          command line: "C:\Windows\SysWOW64\netX.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          PID 2512: C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c c:\a.bat
            PID 592: C:\Windows\SysWOW64\regedit.exe
              command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              - Modifies security service
              - Runs .reg file with regedit
          PID 1036: C:\Windows\SysWOW64\netX.exe
            command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID 1776: C:\Windows\SysWOW64\netX.exe
              command line: "C:\Windows\SysWOW64\netX.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              PID 1132: C:\Windows\SysWOW64\cmd.exe
                command line: cmd /c c:\a.bat
                PID 2420: C:\Windows\SysWOW64\regedit.exe
                  command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  - Modifies security service
                  - Runs .reg file with regedit
              PID 2500: C:\Windows\SysWOW64\netX.exe
                command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID 2580: C:\Windows\SysWOW64\netX.exe
                  command line: "C:\Windows\SysWOW64\netX.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Drops file in System32 directory
                  PID 2980: C:\Windows\SysWOW64\cmd.exe
                    command line: cmd /c c:\a.bat
                    PID 1756: C:\Windows\SysWOW64\regedit.exe
                      command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      - Modifies security service
                      - Runs .reg file with regedit
                  PID 2272: C:\Windows\SysWOW64\netX.exe
                    command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of SetWindowsHookEx
                    PID 1340: C:\Windows\SysWOW64\netX.exe
                      command line: "C:\Windows\SysWOW64\netX.exe"
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - Drops file in System32 directory
                      PID 1524: C:\Windows\SysWOW64\cmd.exe
                        command line: cmd /c c:\a.bat
                        PID 1012: C:\Windows\SysWOW64\regedit.exe
                          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          - Modifies security service
                          - Runs .reg file with regedit
                      PID 2600: C:\Windows\SysWOW64\netX.exe
                        command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                        - Executes dropped EXE
                        - Suspicious use of SetThreadContext
                        - Suspicious use of SetWindowsHookEx
                        PID 2556: C:\Windows\SysWOW64\netX.exe
                          command line: "C:\Windows\SysWOW64\netX.exe"
                          - Executes dropped EXE
                          - Loads dropped DLL
                          - Drops file in System32 directory
                          PID 2708: C:\Windows\SysWOW64\cmd.exe
                            command line: cmd /c c:\a.bat
                            PID 2112: C:\Windows\SysWOW64\regedit.exe
                              command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              - Modifies security service
                              - Runs .reg file with regedit
                          PID 2712: C:\Windows\SysWOW64\netX.exe
                            command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                            - Executes dropped EXE
                            - Suspicious use of SetThreadContext
                            - Suspicious use of SetWindowsHookEx
                            PID 1588: C:\Windows\SysWOW64\netX.exe
                              command line: "C:\Windows\SysWOW64\netX.exe"
                              - Executes dropped EXE
                              - Loads dropped DLL
                              - Drops file in System32 directory
                              PID 2000: C:\Windows\SysWOW64\cmd.exe
                                command line: cmd /c c:\a.bat
                              PID 2336: C:\Windows\SysWOW64\netX.exe
                                command line: C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                                - Executes dropped EXE
                                - Suspicious use of SetThreadContext
                                - Suspicious use of SetWindowsHookEx
                                PID 2372: C:\Windows\SysWOW64\netX.exe
                                  command line: "C:\Windows\SysWOW64\netX.exe"
                                  - Executes dropped EXE
                                  - Loads dropped DLL
                                  - Drops file in System32 directory
                                  PID 1992: C:\Windows\SysWOW64\cmd.exe
                                    command line: cmd /c c:\a.bat
                                    PID 2452: C:\Windows\SysWOW64\regedit.exe
                                      command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                      - Modifies security service
                                      - Runs .reg file with regedit
                                  PID 2820: C:\Windows\SysWOW64\netX.exe
                                    command line: C:\Windows\system32\netX.exe 524 "C:\Windows\SysWOW64\netX.exe"
                                    - Executes dropped EXE
                                    - Suspicious use of SetThreadContext
                                    - Suspicious use of SetWindowsHookEx
                                    PID 2108: C:\Windows\SysWOW64\netX.exe
                                      command line: "C:\Windows\SysWOW64\netX.exe"
                                      - Executes dropped EXE
                                      - Drops file in System32 directory
                                      PID 2112: C:\Windows\SysWOW64\cmd.exe
                                        command line: cmd /c c:\a.bat
                                        PID 1184: C:\Windows\SysWOW64\regedit.exe
                                          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                          - Modifies security service
                                          - Runs .reg file with regedit

PID 1080: C:\Windows\SysWOW64\regedit.exe
  command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  - Modifies security service
  - Runs .reg file with regedit

PID 1836: C:\Windows\SysWOW64\regedit.exe
  command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  - Modifies security service
  - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads