Analysis

max time kernel: 32s
max time network: 32s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2024, 15:42
Behavioral tasks

behavioral1: Xylex-Executor.exe on win7-20240215-en
behavioral2: Xylex-Executor.exe on win10v2004-20240419-en
behavioral3: Stub.pyc on win7-20240221-en
behavioral4: Stub.pyc on win10v2004-20240426-en

The signatures, resource identifiers and process tree below all carry the behavioral2 prefix, i.e. they come from the Windows 10 run of Xylex-Executor.exe.
General

Target: Xylex-Executor.exe
Size: 10.9MB
MD5: 13193ff628a2dcb77215278237789854
SHA1: 5f7f1dbafc5a0b72db0425bb7be081f227034994
SHA256: fa9e580d42e1779416aacd9e607f91ffb317411485f1ea7576b53e07ad8d4df1
SHA512: 35037d4bef970b27bc8f40d8859b6dc19ae6596af880124cb7e173d1876e96867a3fcf8e21fb28559d3c3d4d03481780cb1c3d80626905aef3b7f32245af1286
SSDEEP: 196608:Gt6LxwYlz2Jp5UfDC3njkY49eNz4+2Pfm/pf+xZfdcRBZZWKsnqrMWOzW0DjqT:M6KYh2Jp5qC3njkGz4+2m/pWvfCRB7B3
Malware Config: (empty in this report; no configuration was extracted)
Signatures (behavioral2; the counts are Triage's TTP and IoC tallies for each rule)

- Grants admin privileges (1 TTP)
  Heuristic that fires on net.exe use ("uses net.exe to modify the user's privileges"). Every net.exe invocation in the process tree below (net user, net localgroup, net localgroup administrators, net user guest, net user administrator) is a read-only query, so no privilege change is actually observed in this run.
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  PID 868 netsh.exe, PID 4968 netsh.exe. Both are `netsh firewall show state` and `netsh firewall show config`: the firewall configuration is read, not modified, despite the rule name.
- Loads dropped DLL (31 IoCs)
  31 loads, all by PID 3504 (Xylex-Executor.exe). Consistent with a PyInstaller bundle extracting its Python runtime and extension DLLs to a temporary directory and loading them (see the UPX matches and the Detects Pyinstaller rule below).
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- UPX-packed dropped files and mapped regions (yara rule `upx`, 64 matches in behavioral2)
  Dropped files:
  behavioral2/files/0x000a000000023bb1-46.dat
  behavioral2/files/0x000a000000023b94-52.dat
  behavioral2/files/0x000a000000023bab-57.dat
  behavioral2/files/0x000a000000023b9b-61.dat
  behavioral2/files/0x000a000000023bb2-64.dat
  behavioral2/files/0x000a000000023b92-67.dat
  behavioral2/files/0x000a000000023b97-69.dat
  behavioral2/files/0x000a000000023b9c-72.dat
  behavioral2/files/0x000a000000023bb3-75.dat
  behavioral2/files/0x000a000000023b9d-80.dat
  behavioral2/files/0x000a000000023baa-82.dat
  behavioral2/files/0x000a000000023bac-84.dat
  behavioral2/files/0x000a000000023b91-92.dat
  behavioral2/files/0x000a000000023b99-94.dat
  behavioral2/files/0x000a000000023b96-98.dat
  behavioral2/files/0x0031000000023bb6-102.dat
  behavioral2/files/0x000a000000023ba0-104.dat
  behavioral2/files/0x000a000000023ba3-109.dat
  behavioral2/files/0x000a000000023ba9-114.dat
  behavioral2/files/0x000a000000023ba7-115.dat
  behavioral2/files/0x000a000000023b93-132.dat
  behavioral2/files/0x000a000000023b9e-112.dat
  behavioral2/files/0x000a000000023ba1-108.dat
  behavioral2/files/0x000a000000023ba2-106.dat
  behavioral2/files/0x000a000000023bb4-100.dat
  behavioral2/files/0x000a000000023bae-96.dat
  behavioral2/files/0x000a000000023b9a-183.dat
  Memory regions of PID 3504 (resource id encodes pid, snapshot number and mapped range):
  behavioral2/memory/3504-50-0x00007FFDDC3E0000-0x00007FFDDC9C7000-memory.dmp
  behavioral2/memory/3504-59-0x00007FFDEBB30000-0x00007FFDEBB54000-memory.dmp
  behavioral2/memory/3504-60-0x00007FFDF5010000-0x00007FFDF501F000-memory.dmp
  behavioral2/memory/3504-63-0x00007FFDF0CC0000-0x00007FFDF0CD9000-memory.dmp
  behavioral2/memory/3504-66-0x00007FFDEFE90000-0x00007FFDEFE9D000-memory.dmp
  behavioral2/memory/3504-70-0x00007FFDEEDD0000-0x00007FFDEEDE9000-memory.dmp
  behavioral2/memory/3504-73-0x00007FFDEBA50000-0x00007FFDEBA7D000-memory.dmp
  behavioral2/memory/3504-76-0x00007FFDEBA20000-0x00007FFDEBA43000-memory.dmp
  behavioral2/memory/3504-81-0x00007FFDEB500000-0x00007FFDEB52E000-memory.dmp
  behavioral2/memory/3504-78-0x00007FFDDBE40000-0x00007FFDDBFB3000-memory.dmp
  behavioral2/memory/3504-85-0x00007FFDEB3B0000-0x00007FFDEB468000-memory.dmp
  behavioral2/memory/3504-88-0x00007FFDDC3E0000-0x00007FFDDC9C7000-memory.dmp
  behavioral2/memory/3504-129-0x00007FFDEB0C0000-0x00007FFDEB0DE000-memory.dmp
  behavioral2/memory/3504-130-0x00007FFDDB3C0000-0x00007FFDDBAB4000-memory.dmp
  behavioral2/memory/3504-128-0x00007FFDEED20000-0x00007FFDEED2A000-memory.dmp
  behavioral2/memory/3504-127-0x00007FFDEB310000-0x00007FFDEB321000-memory.dmp
  behavioral2/memory/3504-134-0x00007FFDE23C0000-0x00007FFDE23F8000-memory.dmp
  behavioral2/memory/3504-133-0x00007FFDF0CC0000-0x00007FFDF0CD9000-memory.dmp
  behavioral2/memory/3504-126-0x00007FFDEABA0000-0x00007FFDEABED000-memory.dmp
  behavioral2/memory/3504-125-0x00007FFDEB670000-0x00007FFDEB689000-memory.dmp
  behavioral2/memory/3504-124-0x00007FFDEB690000-0x00007FFDEB6A7000-memory.dmp
  behavioral2/memory/3504-123-0x00007FFDEB6B0000-0x00007FFDEB6D2000-memory.dmp
  behavioral2/memory/3504-122-0x00007FFDEABF0000-0x00007FFDEAD0C000-memory.dmp
  behavioral2/memory/3504-121-0x00007FFDEB6E0000-0x00007FFDEB6F4000-memory.dmp
  behavioral2/memory/3504-120-0x00007FFDEB700000-0x00007FFDEB714000-memory.dmp
  behavioral2/memory/3504-119-0x00007FFDEB9C0000-0x00007FFDEB9D2000-memory.dmp
  behavioral2/memory/3504-118-0x00007FFDEB9F0000-0x00007FFDEBA05000-memory.dmp
  behavioral2/memory/3504-117-0x00007FFDEBB30000-0x00007FFDEBB54000-memory.dmp
  behavioral2/memory/3504-91-0x00007FFDDBAC0000-0x00007FFDDBE35000-memory.dmp
  behavioral2/memory/3504-185-0x00007FFDEAB00000-0x00007FFDEAB0D000-memory.dmp
  behavioral2/memory/3504-223-0x00007FFDDBAC0000-0x00007FFDDBE35000-memory.dmp
  behavioral2/memory/3504-239-0x00007FFDEBA20000-0x00007FFDEBA43000-memory.dmp
  behavioral2/memory/3504-236-0x00007FFDDB3C0000-0x00007FFDDBAB4000-memory.dmp
  behavioral2/memory/3504-232-0x00007FFDEABA0000-0x00007FFDEABED000-memory.dmp
  behavioral2/memory/3504-231-0x00007FFDEB670000-0x00007FFDEB689000-memory.dmp
  behavioral2/memory/3504-230-0x00007FFDEB690000-0x00007FFDEB6A7000-memory.dmp
  behavioral2/memory/3504-229-0x00007FFDEB6B0000-0x00007FFDEB6D2000-memory.dmp
  Several ranges recur at later snapshot numbers (for example 0x00007FFDDC3E0000-0x00007FFDDC9C7000 at snapshots 50 and 88), so the number of distinct UPX-packed modules is lower than the 64 matches.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  Flows 35, 36, 37, 38, 39, 40: discord.com. The report exposes only the host, not the request path, so whether these flows are uploads to a webhook or downloads cannot be confirmed from this page.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP. Flow 22: ip-api.com.
- Launches sc.exe (1 IoC)
  sc.exe is a Windows utility to control services on the system. PID 3388 sc.exe; the captured command line is `sc query type= service state= all`, i.e. service enumeration, not service creation or modification.
- Detects Pyinstaller (1 IoC)
  yara rule `pyinstaller` on behavioral2/files/0x000a000000023bcb-146.dat. Consistent with the Stub.pyc behavioral tasks and the UPX-packed DLLs above: the sample behaves like a Python program bundled with PyInstaller.
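The two packer signatures above (the `upx` yara matches on the dropped files and the `pyinstaller` match) can be reproduced statically without running the sample. The following Python is an added example written for this page, not Triage's detection code: it reads the PE section table and looks for UPX section names, and it locates and decodes the PyInstaller CArchive cookie that the bootloader appends after the last section. The two sample buffers are constructed minimal PE skeletons, not files from the report, and the cookie field values (package length, Python version 311, `python311.dll`) are placeholders chosen for the example.

```python
"""Static counterparts of two sandbox signatures: UPX section names in the PE
section table and the PyInstaller CArchive cookie in the executable's overlay."""
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"  # CArchive cookie magic, PyInstaller 2.1+
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data):
    """Section names from a PE header; [] if the buffer is not a valid MZ/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                         # IMAGE_SECTION_HEADER[]
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break                                        # truncated header: stop, do not guess
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data):
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def pyinstaller_cookie(data):
    """Decode the 88-byte CArchive cookie (big-endian fields) or return None.
    rfind is used because the cookie sits in the overlay at the end of the file."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + 88 > len(data):
        return None
    pkg_len, toc_off, toc_len, pyver = struct.unpack_from(">IIIi", data, pos + 8)
    pylib = data[pos + 24:pos + 88].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"offset": pos, "package_len": pkg_len, "toc_offset": toc_off,
            "toc_len": toc_len, "python_version": pyver, "pylib": pylib}  # pyver 311 = Python 3.11


def classify(data):
    """Tags a sandbox would raise for this buffer: a subset of {'upx', 'pyinstaller'}."""
    tags = set()
    if is_upx_packed(data):
        tags.add("upx")
    if pyinstaller_cookie(data) is not None:
        tags.add("pyinstaller")
    return tags


# --- constructed test inputs (minimal PE skeletons, not files from the report) -------
def _fake_pe(section_names, overlay=b""):
    """Only the fields read by pe_section_names are meaningful; the rest is zero."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    size_opt = 0xF0                                                    # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_opt, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * size_opt + sections + overlay


def _fake_cookie(pyver=311, pylib=b"python311.dll"):
    # placeholder package/TOC lengths; a real bundle carries the archive in front of this
    return PYINSTALLER_MAGIC + struct.pack(">IIIi", 123456, 123000, 456, pyver) + pylib.ljust(64, b"\0")


SAMPLE_PYINSTALLER_EXE = _fake_pe([b".text", b".rdata", b".rsrc"],
                                  overlay=b"\xAA" * 64 + _fake_cookie())
SAMPLE_UPX_DLL = _fake_pe([b"UPX0", b"UPX1", b".rsrc"])

if __name__ == "__main__":
    for name, blob in (("bundled exe (mock)", SAMPLE_PYINSTALLER_EXE),
                       ("dropped dll (mock)", SAMPLE_UPX_DLL)):
        print(name, sorted(classify(blob)), pyinstaller_cookie(blob))
```

On a real sample read the whole file into `data` and call `classify`; the cookie's `pylib` field tells you which python3xx.dll to expect among the dropped files, and `package_len` lets you slice the embedded archive out for further unpacking.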
- Collects information from the system (1 TTP, 1 IoC)
  Uses WMIC.exe to find detailed system information. PID 4336 WMIC.exe (`wmic logicaldisk get caption,description,providername`).
- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine the video card installed. PID 3272 WMIC.exe (`wmic path win32_VideoController get name`). Together with the `wmic computersystem get Manufacturer` and `wmic csproduct get uuid` queries in the tree, this is the set of values commonly read to fingerprint the host and to recognise virtual machines and sandboxes.
- Enumerates processes with tasklist (1 TTP, 5 IoCs)
  PIDs 4128, 3052, 1648, 2388, 3000 tasklist.exe.
- Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utilities to view the network configuration. PID 1420 ipconfig.exe, PID 3772 NETSTAT.EXE.
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe. PID 3588 systeminfo.exe.
- Runs net.exe
  No IoCs listed by Triage; the net user and net localgroup children of PID 536 in the process tree are the matching events.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3924 powershell.exe (3 events). Its command line is `powershell.exe Get-Clipboard`, so the behaviour of interest here is clipboard capture rather than process enumeration.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 3272 WMIC.exe, the same 21-token set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 4884 WMIC.exe: the same 21 tokens
  PID 4128 tasklist.exe: SeDebugPrivilege
  Enabling every privilege already present in its token is WMIC's normal start-up behaviour, and tasklist enables SeDebugPrivilege to read other processes; neither is evidence of escalation on its own.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each write is recorded twice by Triage; source PID and image, target PID, and procid_target in brackets:
  4192 Xylex-Executor.exe -> 3504 [85]
  3504 Xylex-Executor.exe -> 1356 [88]
  3504 Xylex-Executor.exe -> 3388 [91]
  3504 Xylex-Executor.exe -> 2132 [92]
  3504 Xylex-Executor.exe -> 4668 [94]
  3504 Xylex-Executor.exe -> 404 [95]
  3388 cmd.exe -> 3272 [99]
  404 cmd.exe -> 4128 [100]
  2132 cmd.exe -> 4884 [101]
  3504 Xylex-Executor.exe -> 1484 [103]
  1484 cmd.exe -> 3168 [105]
  3504 Xylex-Executor.exe -> 4596 [106]
  3504 Xylex-Executor.exe -> 432 [107]
  432 cmd.exe -> 3052 [110]
  4596 cmd.exe -> 2752 [111]
  3504 Xylex-Executor.exe -> 1052 [112]
  1052 cmd.exe -> 4440 [115]
  3504 Xylex-Executor.exe -> 3256 [116]
  3256 cmd.exe -> 1648 [118]
  3504 Xylex-Executor.exe -> 1184 [119]
  3504 Xylex-Executor.exe -> 3748 [120]
  3504 Xylex-Executor.exe -> 3852 [121]
  3504 Xylex-Executor.exe -> 4848 [122]
  3852 cmd.exe -> 2388 [127]
  4848 cmd.exe -> 3924 [128]
  1184 cmd.exe -> 1496 [129]
  3748 cmd.exe -> 3668 [130]
  1496 cmd.exe -> 4984 [131]
  3668 cmd.exe -> 4668 [132]
  3504 Xylex-Executor.exe -> 536 [133]
  3504 Xylex-Executor.exe -> 4344 [134]
  536 cmd.exe -> 3588 [137]
  Every target is the direct child of its source in the process tree, so these writes are the parent-to-child writes that accompany process creation rather than injection into an unrelated process.
- Views/modifies file attributes (1 TTP, 1 IoC)
  PID 4440 attrib.exe: `attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"`, which marks the staged copy hidden and system so that it does not appear in a default Explorer listing.
Processes (behavioral2; indentation shows depth in the tree. Each process is listed as PID and image path, then its command line with the signatures that fired on it in brackets.)

PID 4192  C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe"  [Suspicious use of WriteProcessMemory]
  PID 3504  C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe"  [Loads dropped DLL; Suspicious use of WriteProcessMemory]
    PID 1356  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
    PID 3388  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"  [Suspicious use of WriteProcessMemory]
      PID 3272  C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name  [Detects videocard installed; Suspicious use of AdjustPrivilegeToken]
    PID 2132  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"  [Suspicious use of WriteProcessMemory]
      PID 4884  C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get Manufacturer  [Suspicious use of AdjustPrivilegeToken]
    PID 4668  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
    PID 404  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"  [Suspicious use of WriteProcessMemory]
      PID 4128  C:\Windows\system32\tasklist.exe
        tasklist  [Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken]
    PID 1484  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"  [Suspicious use of WriteProcessMemory]
      PID 3168  C:\Windows\System32\Wbem\WMIC.exe
        wmic path Win32_ComputerSystem get Manufacturer
    PID 4596  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"  [Suspicious use of WriteProcessMemory]
      PID 2752  C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
    PID 432  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"  [Suspicious use of WriteProcessMemory]
      PID 3052  C:\Windows\system32\tasklist.exe
        tasklist  [Enumerates processes with tasklist]
    PID 1052  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""  [Suspicious use of WriteProcessMemory]
      PID 4440  C:\Windows\system32\attrib.exe
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"  [Views/modifies file attributes]
    PID 3256  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"  [Suspicious use of WriteProcessMemory]
      PID 1648  C:\Windows\system32\tasklist.exe
        tasklist  [Enumerates processes with tasklist]
    PID 1184  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"  [Suspicious use of WriteProcessMemory]
      PID 1496  C:\Windows\system32\cmd.exe
        cmd.exe /c chcp  [Suspicious use of WriteProcessMemory]
        PID 4984  C:\Windows\system32\chcp.com
          chcp
    PID 3748  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"  [Suspicious use of WriteProcessMemory]
      PID 3668  C:\Windows\system32\cmd.exe
        cmd.exe /c chcp  [Suspicious use of WriteProcessMemory]
        PID 4668  C:\Windows\system32\chcp.com
          chcp
    PID 3852  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"  [Suspicious use of WriteProcessMemory]
      PID 2388  C:\Windows\system32\tasklist.exe
        tasklist /FO LIST  [Enumerates processes with tasklist]
    PID 4848  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"  [Suspicious use of WriteProcessMemory]
      PID 3924  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Get-Clipboard  [Suspicious behavior: EnumeratesProcesses]
    PID 536  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"  [Suspicious use of WriteProcessMemory]
      PID 3588  C:\Windows\system32\systeminfo.exe
        systeminfo  [Gathers system information]
      PID 4056  C:\Windows\system32\HOSTNAME.EXE
        hostname
      PID 4336  C:\Windows\System32\Wbem\WMIC.exe
        wmic logicaldisk get caption,description,providername  [Collects information from the system]
      PID 3520  C:\Windows\system32\net.exe
        net user
        PID 1120  C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user
      PID 1376  C:\Windows\system32\query.exe
        query user
        PID 3432  C:\Windows\system32\quser.exe
          "C:\Windows\system32\quser.exe"
      PID 4880  C:\Windows\system32\net.exe
        net localgroup
        PID 1332  C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup
      PID 1036  C:\Windows\system32\net.exe
        net localgroup administrators
        PID 4428  C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup administrators
      PID 4852  C:\Windows\system32\net.exe
        net user guest
        PID 3144  C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user guest
      PID 4240  C:\Windows\system32\net.exe
        net user administrator
        PID 3484  C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user administrator
      PID 916  C:\Windows\System32\Wbem\WMIC.exe
        wmic startup get caption,command
      PID 3000  C:\Windows\system32\tasklist.exe
        tasklist /svc  [Enumerates processes with tasklist]
      PID 1420  C:\Windows\system32\ipconfig.exe
        ipconfig /all  [Gathers network information]
      PID 2484  C:\Windows\system32\ROUTE.EXE
        route print
      PID 1464  C:\Windows\system32\ARP.EXE
        arp -a
      PID 3772  C:\Windows\system32\NETSTAT.EXE
        netstat -ano  [Gathers network information]
      PID 3388  C:\Windows\system32\sc.exe
        sc query type= service state= all  [Launches sc.exe]
      PID 868  C:\Windows\system32\netsh.exe
        netsh firewall show state  [Modifies Windows Firewall]
      PID 4968  C:\Windows\system32\netsh.exe
        netsh firewall show config  [Modifies Windows Firewall]
    PID 4344  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      PID 3124  C:\Windows\system32\netsh.exe
        netsh wlan show profiles
    PID 4848  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      PID 1568  C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
    PID 1440  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      PID 1484  C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid

Notes on the tree:
- PIDs 3388, 4668, 4848 and 1484 each appear twice (cmd.exe then sc.exe; cmd.exe then chcp.com; two cmd.exe instances; cmd.exe then WMIC.exe). This is ordinary PID reuse after the first process exited, so correlate on process start time or a process GUID rather than on PID alone.
- echo, ver, set and type inside the PID 536 command line are cmd.exe built-ins and produce no child process; only the external utilities appear beneath it.
- The `wmic csproduct get uuid` query is issued three times (PIDs 2752, 1568, 1484) and the ComputerSystem Manufacturer query twice. Hardware identity values of this kind serve as a host fingerprint and, together with the win32_VideoController query, are the usual virtual-machine checks.
- `cmd.exe /c "gdb --version"` probes for a gdb binary on PATH; nothing in the report shows that one exists on the VM.
- `attrib +h +s` on C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe hides a file the sample has staged under the user's profile; the write itself is not shown in this view. The Downloads section below lists the hashes of the dropped files.
- Every net.exe, sc.exe and netsh.exe command in the tree is a query; nothing here creates accounts, services or firewall rules.
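The tree shows the pattern a detection engineer would key on: a single parent (PID 3504) fanning out, mostly through cmd.exe wrappers, to a dozen different enumeration utilities within seconds, and hiding a dropped executable with `attrib +h +s`. The following Python is an added example, not Triage's signature logic: it resolves each child through cmd.exe to its originating process, counts distinct discovery tools per origin inside a sliding time window, and flags the attrib staging. The event list is constructed from the tree above; the timestamps, the parent PIDs 1000 and 6000, and the explorer.exe control entries are made up, and sc.exe is given PID 3390 because the report's 3388 is a reused PID. On real Sysmon or EDR data key on ProcessGuid rather than PID for the same reason.

```python
"""Detect a 'discovery burst': one process, directly or via cmd.exe wrappers,
launching many distinct enumeration utilities in a short window, plus the
attrib +h +s staging of a dropped executable under the user's profile."""
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration utilities that appear as children in the tree (lower-case basenames).
DISCOVERY_TOOLS = {
    "wmic.exe", "tasklist.exe", "systeminfo.exe", "hostname.exe", "net.exe", "net1.exe",
    "query.exe", "quser.exe", "ipconfig.exe", "route.exe", "arp.exe", "netstat.exe",
    "sc.exe", "netsh.exe",
}
SHELLS = {"cmd.exe"}  # wrappers we look through when attributing a child to its real spawner


def _base(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def attribute_to_origin(events):
    """Map each pid to the nearest ancestor that is not a shell wrapper.
    Keyed by pid for readability; with real telemetry use ProcessGuid, since
    PIDs are reused (the report shows 3388 as both cmd.exe and sc.exe)."""
    by_pid = {e["pid"]: e for e in events}
    origin = {}
    for e in events:
        anc = e["ppid"]
        while anc in by_pid and _base(by_pid[anc]["image"]) in SHELLS:
            anc = by_pid[anc]["ppid"]
        origin[e["pid"]] = anc
    return origin


def find_discovery_bursts(events, min_distinct=5, window=timedelta(seconds=60)):
    """One hit per origin that ran >= min_distinct different discovery tools
    inside any interval of length `window`."""
    by_pid = {e["pid"]: e for e in events}
    origin = attribute_to_origin(events)
    runs = defaultdict(list)                     # origin pid -> [(time, tool)]
    for e in events:
        tool = _base(e["image"])
        if tool in DISCOVERY_TOOLS:
            runs[origin[e["pid"]]].append((e["time"], tool))
    hits = []
    for opid, seen in runs.items():
        seen.sort()
        for t0, _ in seen:                       # slide the window over sorted events
            tools = {tool for t, tool in seen if t0 <= t <= t0 + window}
            if len(tools) >= min_distinct:
                img = _base(by_pid[opid]["image"]) if opid in by_pid else "<unknown>"
                hits.append({"origin": opid, "image": img, "tools": sorted(tools)})
                break
    return hits


def find_hidden_staging(events):
    """attrib +h +s applied to a path under AppData, as done to
    ...\\AppData\\Local\\ExelaUpdateService\\Exela.exe in the tree."""
    out = []
    for e in events:
        cl = e["cmdline"].lower()
        if _base(e["image"]) == "attrib.exe" and "+h" in cl and "+s" in cl and "\\appdata\\" in cl:
            out.append(e["pid"])
    return out


def _ev(ts, pid, ppid, image, cmdline):
    return {"time": datetime.fromisoformat(ts), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


T = "2024-05-05T15:42:"
SAMPLE_EVENTS = [  # constructed from the tree above; times, PIDs 1000/6000/3390 and the explorer lines are made up
    _ev(T + "01", 4192, 1000, r"C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe", "Xylex-Executor.exe"),
    _ev(T + "02", 3504, 4192, r"C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe", "Xylex-Executor.exe"),
    _ev(T + "03", 3388, 3504, r"C:\Windows\system32\cmd.exe", 'cmd.exe /c "wmic path win32_VideoController get name"'),
    _ev(T + "03", 3272, 3388, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    _ev(T + "04", 404, 3504, r"C:\Windows\system32\cmd.exe", 'cmd.exe /c "tasklist"'),
    _ev(T + "04", 4128, 404, r"C:\Windows\system32\tasklist.exe", "tasklist"),
    _ev(T + "05", 1052, 3504, r"C:\Windows\system32\cmd.exe", r'cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""'),
    _ev(T + "05", 4440, 1052, r"C:\Windows\system32\attrib.exe", r'attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"'),
    _ev(T + "06", 1184, 3504, r"C:\Windows\system32\cmd.exe", 'cmd.exe /c "cmd.exe /c chcp"'),
    _ev(T + "06", 1496, 1184, r"C:\Windows\system32\cmd.exe", "cmd.exe /c chcp"),
    _ev(T + "06", 4984, 1496, r"C:\Windows\system32\chcp.com", "chcp"),
    _ev(T + "08", 536, 3504, r"C:\Windows\system32\cmd.exe", 'cmd.exe /c "systeminfo & hostname & net user & ipconfig /all & netstat -ano & sc query & netsh firewall show state"'),
    _ev(T + "08", 3588, 536, r"C:\Windows\system32\systeminfo.exe", "systeminfo"),
    _ev(T + "09", 4056, 536, r"C:\Windows\system32\HOSTNAME.EXE", "hostname"),
    _ev(T + "09", 3520, 536, r"C:\Windows\system32\net.exe", "net user"),
    _ev(T + "10", 1420, 536, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    _ev(T + "10", 3772, 536, r"C:\Windows\system32\NETSTAT.EXE", "netstat -ano"),
    _ev(T + "11", 3390, 536, r"C:\Windows\system32\sc.exe", "sc query type= service state= all"),
    _ev(T + "11", 868, 536, r"C:\Windows\system32\netsh.exe", "netsh firewall show state"),
    # benign control: an admin running a single ipconfig from an interactive shell
    _ev(T + "30", 7000, 6000, r"C:\Windows\explorer.exe", "explorer.exe"),
    _ev(T + "31", 7001, 7000, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    _ev(T + "32", 7002, 7001, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for h in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"discovery burst from PID {h['origin']} ({h['image']}): {', '.join(h['tools'])}")
    print("hidden staging by attrib.exe PIDs:", find_hidden_staging(SAMPLE_EVENTS))
```

Looking through cmd.exe is what makes the rule fire on the originator rather than on a dozen short-lived shells; the threshold and window are the knobs to tune against your own baseline of admin scripts, which also chain several of these tools.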
Network
No per-flow detail is shown in this view beyond the discord.com (flows 35 to 40) and ip-api.com (flow 22) entries listed under Signatures.

MITRE ATT&CK Enterprise v15

Persistence
- Account Manipulation (1)
- Create or Modify System Process: Windows Service (1)

Privilege Escalation
- Account Manipulation (1)
- Create or Modify System Process: Windows Service (1)

These mappings are derived from the net.exe, sc.exe and netsh signatures above. The commands actually captured (net user, net localgroup, sc query, netsh firewall show) are read-only, so the Persistence and Privilege Escalation mapping should be read as heuristic; the behaviour observable in this run is host, account, process and network discovery, clipboard capture, and the hiding of a staged file.
Downloads (the first entry is the submitted sample; the rest are files dropped during the run)

- 10.9MB
  MD5: 13193ff628a2dcb77215278237789854
  SHA1: 5f7f1dbafc5a0b72db0425bb7be081f227034994
  SHA256: fa9e580d42e1779416aacd9e607f91ffb317411485f1ea7576b53e07ad8d4df1
  SHA512: 35037d4bef970b27bc8f40d8859b6dc19ae6596af880124cb7e173d1876e96867a3fcf8e21fb28559d3c3d4d03481780cb1c3d80626905aef3b7f32245af1286
- 96KB
  MD5: f12681a472b9dd04a812e16096514974
  SHA1: 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
  SHA256: d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
  SHA512: 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
- 34KB
  MD5: 4c048d296ebfa5f994136333a4adf323
  SHA1: 4958fa06e050d1661e94cf2acf483a58ef0f0cc0
  SHA256: 6529fbf5371e78ee12b6038814dced3369def45cab265d5b0c511e82cd141cfb
  SHA512: 6df5fa74aa9a9a1e9de1d902e27d7095061c76e734cc5e614277f13ae0e67af03c4dee1fa2752252cc1cbbff9351e48d0ebcd285e25c7fd0f43c3e3a82e9bf75
- 46KB
  MD5: 6595f8375a6261c5e5ec75df3b43312e
  SHA1: d7968d753e3b4006f3e5936412a5329b2ed4bd6c
  SHA256: 79d3755a1cc631146f480c8637620d840f5c51a08f78c3db11b25390e0cad51f
  SHA512: 7bc5c33a1c9ac6e3f19fa892e3e3accf5e04f53459abbb3feaea550a22ae12d43147a9369635d2337c12601574b4758c1795055170df12408e09c0bd33eb1aa8
- 71KB
  MD5: b138dbd0e88b3e879fdb5e790090e2f9
  SHA1: 6e61a55b7d66e9e5dc8fb777fa1c9d379abb89d5
  SHA256: 19aad3ff24963ebd308a7086699d318c6043a0481f86c76e4084110d426929f0
  SHA512: 94cdd4d7cefb5ee00053bfac7c28791d57a55d8d9888f3fe44bf695859ddedcb70ba6ee2055a89b55e6a876a04bba3abd523a87e4f0f4953e9422c181ef4ed29
- 57KB
  MD5: a93f53ad8470c4ee7ffa8cef138b2b1f
  SHA1: 6dfb57e51fdd2e68c8ae40cef09c6b9cb7213e6a
  SHA256: de7cf774fb9aefd4c63680052fac07d1a131a643612bcbce1314a8f0ca0c8bad
  SHA512: 05d5826831dd795cfd08754f043bc5c9f2cca4fba0c5083d8eb6b43d04b04bf7422b97d93e21267cd123b60394239e2a2ae7a0089199fc5f92659be4de0f1892
- 33KB
  MD5: c3b00aec855bad560e5220b4a6d251ba
  SHA1: a8f693212fefa3bab7687c70c5ca41714ab1405c
  SHA256: 6f9780138039f2ca57786b850c19e8e82d9ecbe12d4638a08f862ce39ab2cdd3
  SHA512: 0ead5d3d9d50b44ea3b724ea33f06be347843cdedebff28db72e241cbcf15b5ab1d2be7f839ec9b352ec9b2bd7970622e17cdbba5d8eb42a8a59024f3d8b4553
- 84KB
  MD5: 379a83fc8408b9a66113ca6eaab49468
  SHA1: ddd5434e3cd81b9065001ffb11df19984dba33c7
  SHA256: b7e41a80c5af2323533f80ce8d5feef3b450ec64ad1310ccdeaf220332f09a55
  SHA512: e404a704981a5badcb9199434daafa4707ed33b03e73a113448c6120d7d6768d61adb8bf859c4806ed5b3338fa434c740af8a33d68cc09a0412a4ab16f660909
- 30KB
  MD5: 2b319604e5dfcbb2d0287782e3fe338e
  SHA1: e764c28222e8d297e2d2cab9412967af97e79a00
  SHA256: 6ff5713d6377e29aade27f634ef44c7e3d02cf3936a75dcb29b3ac0d7c346db7
  SHA512: 19f0edbf729e10ee15d263769844cccab61006c085e0a2e8700c1ff2c173aba966e22f31367eb47df776f59a3384088dd38f1726568ca2357510ca0347062d01
- 24KB
  MD5: 572b7317adb471db2026e7a1fa79271c
  SHA1: fb65da3c8dd30bca091a2f915313033b302236e4
  SHA256: 3e689887768bf342b15fe1a7dd0450f090bfa3008590836e5a2b0eb0301f9a2b
  SHA512: 1d6a96219692babe85ebfbadf6ae0b6006f65a79ee299a41f2802255b01902f888f3ceafaa0c28eb2c4829b9f1ff047902f69fec26d593455374f29f17fb0278
- 41KB
  MD5: c198a07f6bc1c157bd570942cee24fb8
  SHA1: 4065ece086dd8921ce674cb63402bcef57391cdc
  SHA256: ef64e93489b5ede7e657b375249a7b3f688e27e31a3e674c7f5ef732a6f2d1a3
  SHA512: 99d72d7137da130c4b3433c43057442f499336566fc5d7fd690ecb6a1217f7bca889f0ca45522ede10bdadedf18294da0490b8fc6f49e4467a13cd021ba8d309
- 54KB
  MD5: b54f269ced880a62c44666e880104074
  SHA1: 69548006aec8dd40dd44c6cd7bcae8b111c9814c
  SHA256: ca261a176594232a5d639c49282ba3dea15557bd8d6000e8e369b5d91c1062be
  SHA512: 927ae36b4a82d2e742c99eb6a79948a6c8c5d567f1c2ad8bd5ed20d37f3a4b957f6e700fa8f5ef2f06c7ed025ae3660ffd83e4c2e50304fe68ca54019ee1ee7b
- 60KB
  MD5: b9e58dc5e1303fc436ffa1c9ea227f4b
  SHA1: 9a1c360eb602ee08520ec474a71611ebbe60e60b
  SHA256: 9af4dfc951acf2dd10097c782c3941c65e3cf62e5977ed0609390d638da49ee0
  SHA512: 4f6952422ba4bbd3cb15645b04c42dcce131903e50e80eedac4fcf74dd905c73ad9b9613ee35f6f8bc6dc79262430176bd78937496098170e80c6547d4ab8aeb
- 21KB
  MD5: 01bbe98c61b7010d2341f7dbf0f92750
  SHA1: 567f9dfcf1ce689a4099c5903b031ecba7ad2318
  SHA256: 89373579c32cc502897b90ed8f83ec526f8b97f4b4fbb6bdb44492beb4cbe9a8
  SHA512: dd900d869d165024351113e80133b7f5e690a1a8c1c334272596a9d59e8ed9bc5b3e1ce295b6b0bc582a96414bccf3fa96c1963380e89ce2d135301511068763
- 26KB
  MD5: bb044c574c6173d8f0b79ee882c1c7b7
  SHA1: 8cda12f6903f04ac79a7e69dc9fb906ba1cc294a
  SHA256: 14feceb73c66908df8de837620b0de584ec1eb0acd5bc9937154e6cef003e78f
  SHA512: c90cccaef6a888909cb50a8049cc6b60302dfd155bcf99d4a851af5d7e0f3bbd7f971924fb85b038798a62683227920ab4226da2322b701c1956cfd8aa7ef8a8
- 80KB
  MD5: af6ee9959d8b1a60c6d5091e7900fc7f
  SHA1: a34b2dca060c890025a54107148590aae14ce570
  SHA256: f1325cd788c81ac2534215f528f6c58849c7143f41fd6af539cf9f50e01a6d87
  SHA512: 4a2b5b4a56db59664a2052be5ba5366fe24196560e905991bdcffd0e0cc12a788a2de1ac717044eb42ce075278f1ab80ce2c7da483e2bf27d42fa0ef8b4c13b7
- 24KB
  MD5: f5b8ab9b88273615699cbec6e922bd8e
  SHA1: e1bec9f7e051a19c0d9727298ac01396bae06c7d
  SHA256: abb8100362cd6f5270a0e54eb700d8242fa40d27ca58b2e9272fdde11beb50a2
  SHA512: 32c298134d392fc5d3125c84309c0840d349148bdf1fc501eb7fa446e578994a2cf7cd015d7c7831be560c3777f7ed80ef78737cca5116fb091122d7597342e3
- 19KB
  MD5: cbbb0e67432c2e17e5aacb38b89cbc87
  SHA1: 852c363197e3d8468803c49bfabb6bb43508daec
  SHA256: 22ba49f7633c2bf26d768fdcd0f0d89dac325dd262afe042cc35023afa1f07f5
  SHA512: aeda665a587b3f771d0ecdeb970bbbfee05a61e5bb1688fd2eb24a44b0f866879d85ae1810e17085126143445d70e41f6e609321318b146008497d70382a2a1c
- 1.7MB
  MD5: 334e5d6e591eccd91d2121194db22815
  SHA1: 821d70c44dc7f25a784e9938d74e75a3471e1ad0
  SHA256: 9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5
  SHA512: bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866
- 2.0MB
  MD5: 29029cacb83854cc386584efd26b4ecf
  SHA1: 2e7b1bdb625184f1a814ad7c5b8b6a817c1a84cf
  SHA256: b3906df5b31bf7f0604df4a449a67bd9aea37701e0c2d78a78ac0935a55c37e9
  SHA512: fecd5368a51004685e78edc54d254e49c9361c588a0f2d4ea1de5971584d48d161fa88d46de22fabba7f6aef6c8b5d0fbcd2526a426d100c3a4d8933ed97e05d
- 35KB
  MD5: 85e6033d6e87510d84b68dc7cba4b363
  SHA1: 9fcf2d9eb40d25ee676f72f3348676ba70ac9971
  SHA256: 9b8805eba76c1f6d1d62eede5e7ee3e4b7d62fea87afc345a357fc45ddc060ef
  SHA512: b19cccad0406a5652277d22e47971c41f85d6e2cf909b8f2cb5b26da1c395c4030a00c17ad8072852804c3592a548594e5a9a1119ae84743b65beb68890c7e9a
- 1.1MB
  MD5: 9c2ffedb0ae90b3985e5cdbedd3363e9
  SHA1: a475fbe289a716e1fbe2eab97f76dbba1da322a9
  SHA256: 7c9418ad6fb6d15acb7d340b7a6533f76337ad302a18e2b4e08d4ee37689913a
  SHA512: 70d2635d42e24c7426cf5306ed010808f2222049915adb43ffc12c13259c8e7a9fee3a49e096d5ba2b6b733fef18574823d00df2e8d7fb1532e1d65d0c478008
- 24KB
  MD5: 8996f66621b860b8dbdac8dfced15ed4
  SHA1: 6e5c6e9140565f016eeb4005930fc9809c1dd06c
  SHA256: f28a9c3e6430fb3628f1cf79ad6c56f6314da8158aee666ba635d0310c69bff6
  SHA512: 868567802d15c0a643b58eb4b72445b909ff8d8f505785ad734c5399c68c634e881efdbd601775f35906b6ca43a26f6df8cd239f19536b92730883df662d4401
- 203KB
  MD5: 87bb1a8526b475445b2d7fd298c57587
  SHA1: aaad18ea92b132ca74942fd5a9f4c901d02d9b09
  SHA256: c35a97d8f24ea84d1e39a8621b6b3027c9ac24885bdd37386c9fcaad1858419d
  SHA512: 956bd8e9f35c917cbfb570fc633bb2df0d1c2686731fa7179f5e7cd8789e665dd6ff8443e712eafa4e3f8d8661f933cb5675aeb1a2efc195c3bb32211e6d2506
- 20KB
  MD5: 62617acd2ba89a39afc13734208e1285
  SHA1: a6319eab3da0886a798bb00a05fb790ed3a7eada
  SHA256: 56437457c4145c4ab9bb6affe71000907ee36b5552618b2c1a7779b76fbad2dc
  SHA512: d97f172dac58c11119ee78c9beaea99a907f744eea462ece3185f48a048632956fdb3da42e8120a867d0751cf8f272c5c3f9cd3aa6a5d610b32107aa54f4fa15
- 64KB
  MD5: 34e49bb1dfddf6037f0001d9aefe7d61
  SHA1: a25a39dca11cdc195c9ecd49e95657a3e4fe3215
  SHA256: 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
  SHA512: edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856
- 1.6MB
  MD5: 85efe50152d2f52183074085dcf571db
  SHA1: 392e27ba3948d790cf44b7dbda1bd34e7e17f2e8
  SHA256: 0244ff0d1daa49748db7b9c9d492c914da2a465789456b3dbe4af2526d33c695
  SHA512: 15c954880cc117ec17d193852fdbc9df78379b18bd8cb66c2f08f7fda0dc2351518826dbfa046863f8606b71bc72ab3d1cf7936a1498e282f854267d4be015b3
- 24KB
  MD5: f4c341cf38f0722feac000e62dee82e8
  SHA1: 9d1e1e3d7f20d04c196fe4cc8ee7aee221b653c2
  SHA256: dcde2f0def7bf83d6ea93bca38870b6bbef3ab30e11a9a4668d74b43251370e9
  SHA512: 0fb73f275c70ab3b14bd2c744004647ce7dcb39e036fd5fcff89389e195a4a7e903cb9050cdeb779d27674f7bbef5b9101f55e2689d257590132dc615e6efc23
- 608KB
  MD5: 8659e2b9551ecd719fc97d193ed34a46
  SHA1: e1a64923285d481585b8d045ba409d3ceea3bad5
  SHA256: 4b4df95850e30681a30d236cf46a6e338a45f133dabe972f286a938a23db6599
  SHA512: 2bc7ef5fcbfdd74aebd4e97b0ea5efe307656066a55e5c97a165552700ffa796fce43aae79489b2139ffb14792b1179ffbd446a88dfd48d23b5fc0bb52684c0d
- 293KB
  MD5: 7ba9655be9b97bad709f7813b3e25353
  SHA1: dd06a59dad58f3924eaf993462c9d5df92c3a9d1
  SHA256: 051eab8fd2b9910b8871865977ae8aca09f526f7e9665c53cce74369aa8d84e9
  SHA512: 65e90f511dd3d6c8f99152e342e6b2fc3f74d29431aac9f25e20ec3897244e30f0c1b259f2d7d3f0572522deddf12f39cfcf2d46f38e610f0cfcea4f1da3840e
- 40KB
  MD5: 822ec26b5534355847871db109eaae65
  SHA1: fb9b1d0441b1775a286eb4fa12eae031f25bbd2c
  SHA256: 0da6b978316acfb08495fc09034ff2d8e319fb04e336fe40a195dea59f272fd7
  SHA512: 75a98c9177ca182cd3576da18efca8ba172db3e2256dbef090ed93f4416d4d42d822464a737d9166bcbd09caa35738fbbab798fa3f019251c41d112f49f179ab
- 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82