9ed4eef354ebf341f7c1e80face8ca83a494671bed731ac8fae0bc48c90adebc

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdd33019418537e6f55edde56695856f.exe
Size

262KB
MD5

bdd33019418537e6f55edde56695856f
SHA1

837f3486600c870dd8d54f285803d5d2cc5342b2
SHA256

9ed4eef354ebf341f7c1e80face8ca83a494671bed731ac8fae0bc48c90adebc
SHA512

a084f3a0ad89b1569571e175f2c3dae0b1097091012ce8b8172813647d5afc9dc55a282349d436e547a0bc9a2eb07ff0b899c54417b18b2db0ac76d80e0fddd4
SSDEEP

6144:ldZUZZyznmkmANv494D83X5eg/lUVOv0KEEMHHEMHbV:DaZZ+nmkmANv494D83Xc8nMEMh

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3016	Objects.exe

Executes dropped EXE 6 IoCs

pid	Process
3016	Objects.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2884	wmimic.exe
1776	wmisecure.exe
2424	wmisecure64.exe

Loads dropped DLL 6 IoCs

pid	Process
1708	bdd33019418537e6f55edde56695856f.exe
3016	Objects.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2884	wmimic.exe
2884	wmimic.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	bdd33019418537e6f55edde56695856f.exe
1708	bdd33019418537e6f55edde56695856f.exe
1708	bdd33019418537e6f55edde56695856f.exe
1708	bdd33019418537e6f55edde56695856f.exe
1708	bdd33019418537e6f55edde56695856f.exe
1708	bdd33019418537e6f55edde56695856f.exe
3016	Objects.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2884	wmimic.exe
2884	wmimic.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2884	wmimic.exe
2884	wmimic.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2884	wmimic.exe
2884	wmimic.exe
2516	wmiintegrator.exe
2884	wmimic.exe
2884	wmimic.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe
2884	wmimic.exe
2884	wmimic.exe
2576	wmihostwin.exe
2516	wmiintegrator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3016	1708	bdd33019418537e6f55edde56695856f.exe	28
PID 1708 wrote to memory of 3016	1708	bdd33019418537e6f55edde56695856f.exe	28
PID 1708 wrote to memory of 3016	1708	bdd33019418537e6f55edde56695856f.exe	28
PID 1708 wrote to memory of 3016	1708	bdd33019418537e6f55edde56695856f.exe	28
PID 3016 wrote to memory of 2516	3016	Objects.exe	29
PID 3016 wrote to memory of 2516	3016	Objects.exe	29
PID 3016 wrote to memory of 2516	3016	Objects.exe	29
PID 3016 wrote to memory of 2516	3016	Objects.exe	29
PID 2516 wrote to memory of 2576	2516	wmiintegrator.exe	30
PID 2516 wrote to memory of 2576	2516	wmiintegrator.exe	30
PID 2516 wrote to memory of 2576	2516	wmiintegrator.exe	30
PID 2516 wrote to memory of 2576	2516	wmiintegrator.exe	30
PID 2576 wrote to memory of 2884	2576	wmihostwin.exe	31
PID 2576 wrote to memory of 2884	2576	wmihostwin.exe	31
PID 2576 wrote to memory of 2884	2576	wmihostwin.exe	31
PID 2576 wrote to memory of 2884	2576	wmihostwin.exe	31
PID 2884 wrote to memory of 1776	2884	wmimic.exe	32
PID 2884 wrote to memory of 1776	2884	wmimic.exe	32
PID 2884 wrote to memory of 1776	2884	wmimic.exe	32
PID 2884 wrote to memory of 1776	2884	wmimic.exe	32
PID 2884 wrote to memory of 2424	2884	wmimic.exe	33
PID 2884 wrote to memory of 2424	2884	wmimic.exe	33
PID 2884 wrote to memory of 2424	2884	wmimic.exe	33
PID 2884 wrote to memory of 2424	2884	wmimic.exe	33
PID 2424 wrote to memory of 2312	2424	wmisecure64.exe	36
PID 2424 wrote to memory of 2312	2424	wmisecure64.exe	36
PID 2424 wrote to memory of 2312	2424	wmisecure64.exe	36
PID 2424 wrote to memory of 2312	2424	wmisecure64.exe	36
PID 2424 wrote to memory of 1968	2424	wmisecure64.exe	38
PID 2424 wrote to memory of 1968	2424	wmisecure64.exe	38
PID 2424 wrote to memory of 1968	2424	wmisecure64.exe	38
PID 2424 wrote to memory of 1968	2424	wmisecure64.exe	38
PID 2424 wrote to memory of 1640	2424	wmisecure64.exe	40
PID 2424 wrote to memory of 1640	2424	wmisecure64.exe	40
PID 2424 wrote to memory of 1640	2424	wmisecure64.exe	40
PID 2424 wrote to memory of 1640	2424	wmisecure64.exe	40
PID 2424 wrote to memory of 2240	2424	wmisecure64.exe	44
PID 2424 wrote to memory of 2240	2424	wmisecure64.exe	44
PID 2424 wrote to memory of 2240	2424	wmisecure64.exe	44
PID 2424 wrote to memory of 2240	2424	wmisecure64.exe	44
PID 2424 wrote to memory of 768	2424	wmisecure64.exe	46
PID 2424 wrote to memory of 768	2424	wmisecure64.exe	46
PID 2424 wrote to memory of 768	2424	wmisecure64.exe	46
PID 2424 wrote to memory of 768	2424	wmisecure64.exe	46
PID 2424 wrote to memory of 1436	2424	wmisecure64.exe	48
PID 2424 wrote to memory of 1436	2424	wmisecure64.exe	48
PID 2424 wrote to memory of 1436	2424	wmisecure64.exe	48
PID 2424 wrote to memory of 1436	2424	wmisecure64.exe	48
PID 2424 wrote to memory of 3052	2424	wmisecure64.exe	50
PID 2424 wrote to memory of 3052	2424	wmisecure64.exe	50
PID 2424 wrote to memory of 3052	2424	wmisecure64.exe	50
PID 2424 wrote to memory of 3052	2424	wmisecure64.exe	50
PID 2424 wrote to memory of 1988	2424	wmisecure64.exe	52
PID 2424 wrote to memory of 1988	2424	wmisecure64.exe	52
PID 2424 wrote to memory of 1988	2424	wmisecure64.exe	52
PID 2424 wrote to memory of 1988	2424	wmisecure64.exe	52
PID 2424 wrote to memory of 1548	2424	wmisecure64.exe	54
PID 2424 wrote to memory of 1548	2424	wmisecure64.exe	54
PID 2424 wrote to memory of 1548	2424	wmisecure64.exe	54
PID 2424 wrote to memory of 1548	2424	wmisecure64.exe	54
PID 2424 wrote to memory of 1740	2424	wmisecure64.exe	56
PID 2424 wrote to memory of 1740	2424	wmisecure64.exe	56
PID 2424 wrote to memory of 1740	2424	wmisecure64.exe	56
PID 2424 wrote to memory of 1740	2424	wmisecure64.exe	56

C:\Users\Admin\AppData\Local\Temp\bdd33019418537e6f55edde56695856f.exe
"C:\Users\Admin\AppData\Local\Temp\bdd33019418537e6f55edde56695856f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Roaming\Objects.exe
  "C:\Users\Admin\AppData\Roaming\Objects.exe" C:\Users\Admin\AppData\Local\Temp\bdd33019418537e6f55edde56695856f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:1776
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
262KB

MD5
1fc13eb25dc703642fe877d0be015bfb

SHA1
47f7a0e46d36d4162f8934e13c802fa4ed109ca0

SHA256
03ce6ff9da9c095483f41fd3ad76b2ff559116fb3e1fa28410732fa4604c6901

SHA512
b40c17de758ebe5ee54103d25da75500e76351c9ce3d93a72673b1ea956c0adb5db55f9741058e5c362674437da30f04c6546eb9e2eaa06f73a5b8d172aeaedb

Download Submit
\Users\Admin\AppData\Roaming\Objects.exe

Filesize
262KB

MD5
d5a686a46b46b52b8368b949d0e66590

SHA1
7b15ec948d8110c00391a951212ad45a0117f141

SHA256
ee9450f7d987af38223447e0dfe31e18e243d08a37e085d0259a8a50b31c96c7

SHA512
5e9b7fcbc4e6d338e3e079f0d364b5c55130e78ab3ecba22a66966758423cd9611c0a7b434b5c7669e7602c19d6d314f50730f7bf0dbeb8c30b414fd7e4b285b

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

Filesize
262KB

MD5
a666854d9cf615c1b37358a2a3f9e717

SHA1
d59e4153456c9d5d54ac2448f01bd817d3efec5d

SHA256
8bce870aa72df13985314a046f18e1d66a30f0acb077c301c789aaca7a16270d

SHA512
d873710febf5765270f0167e11a90845d1e985032bc74068f700aca5f8112931be5d1786cf9e265d1a60f46e4f588cb5175405071b88d256d4e6de05003a637c

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe

Filesize
262KB

MD5
9434f089abfcf70cd5ac38fa30116145

SHA1
1f65c0d8022b24bf3fec92e18ac8c3cc77a064a7

SHA256
fb715c9f9426e03c235b0134f790eb882ee8bfdaca36a1d50d8b6ccff321bde1

SHA512
543d8016e2440383ba592bcb8ffde265638bf25df54885db5c4528bd95d775c7f34d2d1e5b42699e9c917f388f8ab87d08c937c9c99070f22224e4d40e1892a7

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
d17de77644af497abb5d753a155abdc6

SHA1
9d7a2fb47583e7ef122ea02c42b6258088a52101

SHA256
9480a058f01db9ff1f6dabf3c53289b4b4c8badbc2c1acd05e650f396e4df285

SHA512
c55a6707ae1145594c25b6736c07747b3c919179bcf9da912d9cf29b21a52c5e9c6a30d2c718d34b9e2621a10a871b4fe5243bdc31e74044a0ac89d7234d0029

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
64KB

MD5
098a3cdbd73bee24b40ae470757294fb

SHA1
8afde65ec0877ba005c5fc931f2e9d7fddbb9d11

SHA256
08684d9ade2a5277e82cb6ce7b2135ad875e5c937c8ae226e827ea7feaccf7e9

SHA512
2042e603df84849e5848dafec98eb4a673ace49ca4e761af0b9436cb89b6c1df0f2cf55af1536ff7acb3ed07dac232759c2cbe794359070cf75666773438207f

Download Submit
memory/1708-0-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-10-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-3-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-1-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/1776-88-0x00000000005B0000-0x00000000005F0000-memory.dmp

Filesize
256KB

Download
memory/1776-89-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-57-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-90-0x00000000005B0000-0x00000000005F0000-memory.dmp

Filesize
256KB

Download
memory/1776-56-0x00000000005B0000-0x00000000005F0000-memory.dmp

Filesize
256KB

Download
memory/1776-50-0x00000000005B0000-0x00000000005F0000-memory.dmp

Filesize
256KB

Download
memory/1776-49-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2424-60-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2424-93-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2424-92-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2424-91-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2424-59-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2424-58-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-21-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-83-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-28-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-30-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-84-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-29-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-86-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2884-38-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-85-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-41-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-87-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2884-40-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2884-39-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/3016-15-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-13-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/3016-12-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/3016-11-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-46-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download