warzonerat | a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40

General

Target

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
Size

1.2MB
MD5

75b35c4297d42c36dd13420ea527fc97
SHA1

f25cf1973dd627c9f8692bde299b21db9946a078
SHA256

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40
SHA512

14269aba39d8fd5785cfcfc55b4266c31e98e62ebb409106d18dba7bc2914c53962fd3c313e8b38384726bc35c1ea03ee7323c5b2bfdf6979baeb5a8e962e780
SSDEEP

12288:GIbsBDU0I6+Tu0TJ0N1oYgeOF5A7W2FeDSIGVH/KIDgDgUeHbY1tkL:GIbGD2JTu0GoWQDbGV6eH8tkL

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\svchost.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\svchost.exe	aspack_v212_v242

Executes dropped EXE 9 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe

pid process

2476 explorer.exe
1772 explorer.exe
1516 spoolsv.exe
1264 spoolsv.exe
672 spoolsv.exe
412 spoolsv.exe
1992 spoolsv.exe
608 spoolsv.exe
2936 svchost.exe

pid	process
2476	explorer.exe
1772	explorer.exe
1516	spoolsv.exe
1264	spoolsv.exe
672	spoolsv.exe
412	spoolsv.exe
1992	spoolsv.exe
608	spoolsv.exe
2936	svchost.exe

Loads dropped DLL 43 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exespoolsv.exespoolsv.exe

pid	process
2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
1772	explorer.exe
1772	explorer.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
592	WerFault.exe
1772	explorer.exe
1772	explorer.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
1772	explorer.exe
1772	explorer.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
1516	spoolsv.exe
608	spoolsv.exe
608	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exea339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2932 set thread context of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 set thread context of 2580	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2476 set thread context of 1772	2476	explorer.exe	explorer.exe
PID 2476 set thread context of 2688	2476	explorer.exe	diskperf.exe
PID 1516 set thread context of 608	1516	spoolsv.exe	spoolsv.exe
PID 1516 set thread context of 2164	1516	spoolsv.exe	diskperf.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exespoolsv.exea339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2888	1264	WerFault.exe	spoolsv.exe
592	672	WerFault.exe	spoolsv.exe
2072	412	WerFault.exe	spoolsv.exe
900	1992	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exe

pid	process
2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1772 explorer.exe

pid	process
1772	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exespoolsv.exe

pid	process
2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
608	spoolsv.exe
608	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exea339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2572	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
PID 2932 wrote to memory of 2580	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2932 wrote to memory of 2580	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2932 wrote to memory of 2580	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2932 wrote to memory of 2580	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2932 wrote to memory of 2580	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2932 wrote to memory of 2580	2932	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	diskperf.exe
PID 2572 wrote to memory of 2476	2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	explorer.exe
PID 2572 wrote to memory of 2476	2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	explorer.exe
PID 2572 wrote to memory of 2476	2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	explorer.exe
PID 2572 wrote to memory of 2476	2572	a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 1772	2476	explorer.exe	explorer.exe
PID 2476 wrote to memory of 2688	2476	explorer.exe	diskperf.exe
PID 2476 wrote to memory of 2688	2476	explorer.exe	diskperf.exe
PID 2476 wrote to memory of 2688	2476	explorer.exe	diskperf.exe
PID 2476 wrote to memory of 2688	2476	explorer.exe	diskperf.exe
PID 2476 wrote to memory of 2688	2476	explorer.exe	diskperf.exe
PID 2476 wrote to memory of 2688	2476	explorer.exe	diskperf.exe
PID 1772 wrote to memory of 1516	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1516	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1516	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1516	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1264	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1264	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1264	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1264	1772	explorer.exe	spoolsv.exe
PID 1264 wrote to memory of 2888	1264	spoolsv.exe	WerFault.exe
PID 1264 wrote to memory of 2888	1264	spoolsv.exe	WerFault.exe
PID 1264 wrote to memory of 2888	1264	spoolsv.exe	WerFault.exe
PID 1264 wrote to memory of 2888	1264	spoolsv.exe	WerFault.exe
PID 1772 wrote to memory of 672	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 672	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 672	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 672	1772	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 592	672	spoolsv.exe	WerFault.exe
PID 672 wrote to memory of 592	672	spoolsv.exe	WerFault.exe
PID 672 wrote to memory of 592	672	spoolsv.exe	WerFault.exe
PID 672 wrote to memory of 592	672	spoolsv.exe	WerFault.exe
PID 1772 wrote to memory of 412	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 412	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 412	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 412	1772	explorer.exe	spoolsv.exe
PID 412 wrote to memory of 2072	412	spoolsv.exe	WerFault.exe
PID 412 wrote to memory of 2072	412	spoolsv.exe	WerFault.exe
PID 412 wrote to memory of 2072	412	spoolsv.exe	WerFault.exe
PID 412 wrote to memory of 2072	412	spoolsv.exe	WerFault.exe
PID 1772 wrote to memory of 1992	1772	explorer.exe	spoolsv.exe
PID 1772 wrote to memory of 1992	1772	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
"C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe
"C:\Users\Admin\AppData\Local\Temp\a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2476

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Executes dropped EXE
PID:2936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2580

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
1.2MB

MD5
75b35c4297d42c36dd13420ea527fc97

SHA1
f25cf1973dd627c9f8692bde299b21db9946a078

SHA256
a339fe8310da76d56224272a297b281a235bc8ab1af751f33351832e72ae8c40

SHA512
14269aba39d8fd5785cfcfc55b4266c31e98e62ebb409106d18dba7bc2914c53962fd3c313e8b38384726bc35c1ea03ee7323c5b2bfdf6979baeb5a8e962e780

Download Submit
C:\Windows\system\explorer.exe
Filesize
1.2MB

MD5
d1a30cdee9c80eb61261f9fdd26b484e

SHA1
c14ba5ddcd8cc9a32f23951cdaad0a41d85bdbdd

SHA256
03e3820fbea85801019b988f93fc3e2e5b8ebf3b35f3cdbde6f454ca4c0a89fa

SHA512
70866c4b1da7c853e0fb10ab7f6291e77067868f1439e4f1a75bafe6609bdfd2a4c8b3eaab004342adfee08809314a1646f06d1f39979c5589dd839c6fca715c

Download Submit
\Windows\system\spoolsv.exe
Filesize
1.2MB

MD5
32da1e497692a0c819c47d9729518765

SHA1
3be0bb491be596c51c12051736f79cb90a0d0288

SHA256
d1425d749944e0a81f9f54c84d4e6154e1d052f0ef0a9e5cd18653523a109156

SHA512
97988da4da05ba6e25895f39a3bb74fb2cb4464944151a27fea3ef3ee42cd2cc932938294a7bb16058959f3b5e5a23edddd74b59b0e9d4649219083ada431700

Download Submit
\Windows\system\svchost.exe
Filesize
1.2MB

MD5
ae3a77057593709b4253c7e8a6eb0c9e

SHA1
e33436fa43d9226e9696f87d4c212c747f2691f5

SHA256
8978a449980379385456753a0f963e95d195804bb3305823e8adf892d5f9fb53

SHA512
53a10474958606c27d15c1a7c39c4c683cf2ac349fd8c9c0afb5860692d915259ad390e3592b29e901f74d15b1295259fe6e9f443213beaf69a2fbdb59b3d1bd

Download Submit
memory/608-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/608-218-0x00000000031B0000-0x00000000032C4000-memory.dmp

Filesize
1.1MB

Download
memory/608-217-0x00000000031B0000-0x00000000032C4000-memory.dmp

Filesize
1.1MB

Download
memory/608-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-131-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1264-112-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1516-204-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1516-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1516-97-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1516-99-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1516-129-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1772-150-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-141-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1772-130-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-168-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-111-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-178-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-179-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-225-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-100-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/1772-226-0x00000000032B0000-0x00000000033C4000-memory.dmp

Filesize
1.1MB

Download
memory/2476-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2476-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2476-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2476-50-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2476-53-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2476-49-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2572-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-52-0x0000000003290000-0x00000000033A4000-memory.dmp

Filesize
1.1MB

Download
memory/2572-48-0x0000000003290000-0x00000000033A4000-memory.dmp

Filesize
1.1MB

Download
memory/2572-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2580-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2580-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2580-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2580-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2932-29-0x0000000002100000-0x0000000002214000-memory.dmp

Filesize
1.1MB

Download
memory/2932-33-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2932-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2932-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2932-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2932-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2932-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2936-221-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads