5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
Size

260KB
MD5

59105763ed186bdb837026ad63003939
SHA1

6980c850bcf9f572fa8e635c7c6b10fc1779c87f
SHA256

5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689
SHA512

f6c681626de5431cef017b548450485e1bbad749aa80ab02e963dbaa71b07876725a2fdc3dea1797b98c51d76f07c25c8f519dae15dae70e25e1ec76922a6e03
SSDEEP

6144:ojZzVYQckMANv494D83pdcsTAROvgEMHHEMH:ojZ5YQckMANv494D83peoMEM

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2084	more files.exe

Executes dropped EXE 6 IoCs

pid	Process
2084	more files.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
892	wmimic.exe
2540	wmisecure64.exe
2416	wmisecure.exe

Loads dropped DLL 6 IoCs

pid	Process
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2084	more files.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
892	wmimic.exe
892	wmimic.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
2084	more files.exe
2084	more files.exe
2084	more files.exe
2084	more files.exe
2084	more files.exe
2084	more files.exe
2648	wmiintegrator.exe
2648	wmiintegrator.exe
2648	wmiintegrator.exe
2648	wmiintegrator.exe
2648	wmiintegrator.exe
2648	wmiintegrator.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
2812	wmihostwin.exe
2812	wmihostwin.exe
2812	wmihostwin.exe
2812	wmihostwin.exe
2812	wmihostwin.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
892	wmimic.exe
892	wmimic.exe
892	wmimic.exe
892	wmimic.exe
892	wmimic.exe
892	wmimic.exe
892	wmimic.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
2540	wmisecure64.exe
2540	wmisecure64.exe
2540	wmisecure64.exe
2540	wmisecure64.exe
2540	wmisecure64.exe
2416	wmisecure.exe
2416	wmisecure.exe
2416	wmisecure.exe
2416	wmisecure.exe
2416	wmisecure.exe
892	wmimic.exe
892	wmimic.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
892	wmimic.exe
892	wmimic.exe
2648	wmiintegrator.exe
2812	wmihostwin.exe
2812	wmihostwin.exe
892	wmimic.exe
892	wmimic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2084	2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe	28
PID 2220 wrote to memory of 2084	2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe	28
PID 2220 wrote to memory of 2084	2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe	28
PID 2220 wrote to memory of 2084	2220	5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe	28
PID 2084 wrote to memory of 2648	2084	more files.exe	29
PID 2084 wrote to memory of 2648	2084	more files.exe	29
PID 2084 wrote to memory of 2648	2084	more files.exe	29
PID 2084 wrote to memory of 2648	2084	more files.exe	29
PID 2648 wrote to memory of 2812	2648	wmiintegrator.exe	30
PID 2648 wrote to memory of 2812	2648	wmiintegrator.exe	30
PID 2648 wrote to memory of 2812	2648	wmiintegrator.exe	30
PID 2648 wrote to memory of 2812	2648	wmiintegrator.exe	30
PID 2812 wrote to memory of 892	2812	wmihostwin.exe	31
PID 2812 wrote to memory of 892	2812	wmihostwin.exe	31
PID 2812 wrote to memory of 892	2812	wmihostwin.exe	31
PID 2812 wrote to memory of 892	2812	wmihostwin.exe	31
PID 892 wrote to memory of 2416	892	wmimic.exe	32
PID 892 wrote to memory of 2416	892	wmimic.exe	32
PID 892 wrote to memory of 2416	892	wmimic.exe	32
PID 892 wrote to memory of 2416	892	wmimic.exe	32
PID 892 wrote to memory of 2540	892	wmimic.exe	33
PID 892 wrote to memory of 2540	892	wmimic.exe	33
PID 892 wrote to memory of 2540	892	wmimic.exe	33
PID 892 wrote to memory of 2540	892	wmimic.exe	33
PID 2540 wrote to memory of 1940	2540	wmisecure64.exe	34
PID 2540 wrote to memory of 1940	2540	wmisecure64.exe	34
PID 2540 wrote to memory of 1940	2540	wmisecure64.exe	34
PID 2540 wrote to memory of 1940	2540	wmisecure64.exe	34
PID 2540 wrote to memory of 2140	2540	wmisecure64.exe	36
PID 2540 wrote to memory of 2140	2540	wmisecure64.exe	36
PID 2540 wrote to memory of 2140	2540	wmisecure64.exe	36
PID 2540 wrote to memory of 2140	2540	wmisecure64.exe	36
PID 2540 wrote to memory of 376	2540	wmisecure64.exe	38
PID 2540 wrote to memory of 376	2540	wmisecure64.exe	38
PID 2540 wrote to memory of 376	2540	wmisecure64.exe	38
PID 2540 wrote to memory of 376	2540	wmisecure64.exe	38
PID 2540 wrote to memory of 2256	2540	wmisecure64.exe	40
PID 2540 wrote to memory of 2256	2540	wmisecure64.exe	40
PID 2540 wrote to memory of 2256	2540	wmisecure64.exe	40
PID 2540 wrote to memory of 2256	2540	wmisecure64.exe	40
PID 2540 wrote to memory of 2348	2540	wmisecure64.exe	42
PID 2540 wrote to memory of 2348	2540	wmisecure64.exe	42
PID 2540 wrote to memory of 2348	2540	wmisecure64.exe	42
PID 2540 wrote to memory of 2348	2540	wmisecure64.exe	42
PID 2540 wrote to memory of 2776	2540	wmisecure64.exe	44
PID 2540 wrote to memory of 2776	2540	wmisecure64.exe	44
PID 2540 wrote to memory of 2776	2540	wmisecure64.exe	44
PID 2540 wrote to memory of 2776	2540	wmisecure64.exe	44
PID 2540 wrote to memory of 3040	2540	wmisecure64.exe	46
PID 2540 wrote to memory of 3040	2540	wmisecure64.exe	46
PID 2540 wrote to memory of 3040	2540	wmisecure64.exe	46
PID 2540 wrote to memory of 3040	2540	wmisecure64.exe	46
PID 2540 wrote to memory of 2880	2540	wmisecure64.exe	48
PID 2540 wrote to memory of 2880	2540	wmisecure64.exe	48
PID 2540 wrote to memory of 2880	2540	wmisecure64.exe	48
PID 2540 wrote to memory of 2880	2540	wmisecure64.exe	48
PID 2540 wrote to memory of 2208	2540	wmisecure64.exe	50
PID 2540 wrote to memory of 2208	2540	wmisecure64.exe	50
PID 2540 wrote to memory of 2208	2540	wmisecure64.exe	50
PID 2540 wrote to memory of 2208	2540	wmisecure64.exe	50
PID 2540 wrote to memory of 592	2540	wmisecure64.exe	54
PID 2540 wrote to memory of 592	2540	wmisecure64.exe	54
PID 2540 wrote to memory of 592	2540	wmisecure64.exe	54
PID 2540 wrote to memory of 592	2540	wmisecure64.exe	54

C:\Users\Admin\AppData\Local\Temp\5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
"C:\Users\Admin\AppData\Local\Temp\5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Roaming\more files.exe
  "C:\Users\Admin\AppData\Roaming\more files.exe" C:\Users\Admin\AppData\Local\Temp\5628a0c42720774b558738d129278e4df0c21d193f2ba0d8d9abc370b0e8f689.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe

Filesize
260KB

MD5
8264db2f586b59ecff7a60e601accbac

SHA1
df6d241b921dc3c97603bc17b6cc4b3f37e90a66

SHA256
b1f68f17f6853d9bba979a0362426cbd22ad738f6338927ad1f1515a77926c6f

SHA512
423e3f4f2cb6cb8972086e5600d1eea95fbf939dc48f97da0dfc71fc3c4fe095214780883b9abf87dcb2f99d86b8cf5b288fe08773258bb0354e9c793298c898

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
260KB

MD5
f129d67bbc99736939aa3c674f2f243c

SHA1
aca9a9be80070a9ce95645453b9091f8ad1f0c62

SHA256
1e4888a96f05fa2afa567f20a0cf19253b9801daa5df7a1028b692d3b8079bfd

SHA512
d214dc24de3b7d8fe2a1ca74079fe6e5b57e05c99f56c5d0531be8d8d0342bc93a6f8eac983fc184d7a71804fde33939493e783dd2eee4170c4c43c7ae7bbd53

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

Filesize
260KB

MD5
da26f3c6a4cdb789f0ac77fafbe2285e

SHA1
8c0f1bb73e277404560f25602c073e7c45aaa57d

SHA256
6187123c161c2f503c206867c6cfd35ddf7a979f58158d06af24181a28d3e25d

SHA512
5034d1f1976517cfde514f2aa83df04e672f9a0ce6c736bd442175af44e1798f974ac6aab789d92cfdd5feb8423ce2bdd12bea65420f3f9d32b67c738c7a1276

Download Submit
\Users\Admin\AppData\Roaming\more files.exe

Filesize
260KB

MD5
2eaa039cbf89d6fb3738a5047cf2ebfb

SHA1
90b375ba7a186b5c147df5034ccc6b46cc27dea2

SHA256
9d1e170e60fd89e0214abbc84762dfc21cb6b9b152aa415386b157f5a67d4fc7

SHA512
f42e9a4436b30cfbe4fa210ee74a8dbaf3ea15dd91c184ccd76eb3ca46e547cf1cf3ac48c02ef03dec5b8b1b9961f75915d57728a592f76b1936ed60af47de05

Download Submit
memory/892-59-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/892-63-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/892-52-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/892-40-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2084-14-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download
memory/2084-13-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download
memory/2084-11-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-37-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-20-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-3-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-10-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-1-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download
memory/2220-0-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-66-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-56-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-67-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/2540-64-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-65-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/2540-53-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-55-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/2540-54-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/2648-57-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/2648-58-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-23-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-21-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/2812-60-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-61-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2812-39-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-38-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2812-35-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-62-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download