netwire | c6116c1f7d5326b65000c44e2c690967672a658d6123f8ecb1634277748bebbc

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe
Size

543KB
MD5

841e9227af67d61b8db0d61e56a2674c
SHA1

53570172745634ae234cc5781c4537bfec5931b2
SHA256

c6116c1f7d5326b65000c44e2c690967672a658d6123f8ecb1634277748bebbc
SHA512

c12c17aafbd7d9ce65f7bb067f90ae7a9d1d4b494e2e60ec099b2afbe2d190b8840689217c58bd724fb1706489a063da49e1aa973df10cd6c004fa5af80b8c06
SSDEEP

12288:cQawNsW7lerECtu4aLgbqu6khVc0qI7oe3gP5WecUa/0TBPf0:cQa+HperrOUj6k7ZqC30tbBPf0

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

79.172.242.87:3305

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Summer
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
HsOoVGHW
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2896-30-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2896-22-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WARLYLeiLefdXcZF.lnk	RQKLOiEWbKfOiLhDWVGTf.cmd

Executes dropped EXE 25 IoCs

pid	Process
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2664	Host.exe
2468	Host.exe
768	Host.exe
756	Host.exe
2184	Host.exe
1172	Host.exe
2728	Host.exe
1988	Host.exe
1804	Host.exe
1120	Host.exe
2792	Host.exe
2316	Host.exe
2744	Host.exe
2460	Host.exe
2412	Host.exe
2468	Host.exe
2340	Host.exe
756	Host.exe
2040	Host.exe
2740	Host.exe
1504	Host.exe
2084	Host.exe
1200	Host.exe
2960	Host.exe

Loads dropped DLL 49 IoCs

pid	Process
2696	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe
2896	wscript.exe
2896	wscript.exe
1760	wscript.exe
1760	wscript.exe
2408	wscript.exe
2408	wscript.exe
328	wscript.exe
328	wscript.exe
2584	wscript.exe
2584	wscript.exe
2692	wscript.exe
2692	wscript.exe
2720	wscript.exe
2720	wscript.exe
524	wscript.exe
524	wscript.exe
1068	wscript.exe
1068	wscript.exe
1304	wscript.exe
1304	wscript.exe
900	wscript.exe
900	wscript.exe
2876	wscript.exe
2876	wscript.exe
1500	wscript.exe
1500	wscript.exe
2496	wscript.exe
2496	wscript.exe
2724	wscript.exe
2724	wscript.exe
2348	wscript.exe
2348	wscript.exe
1248	wscript.exe
1248	wscript.exe
2592	wscript.exe
2592	wscript.exe
1540	wscript.exe
1540	wscript.exe
1696	wscript.exe
1696	wscript.exe
1620	wscript.exe
1620	wscript.exe
2780	wscript.exe
2780	wscript.exe
2144	wscript.exe
2144	wscript.exe
1836	wscript.exe
1836	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2896	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	29
PID 2276 set thread context of 1760	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	31
PID 2276 set thread context of 2408	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	33
PID 2276 set thread context of 328	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	35
PID 2276 set thread context of 2584	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	37
PID 2276 set thread context of 2692	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	41
PID 2276 set thread context of 2720	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	43
PID 2276 set thread context of 524	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	45
PID 2276 set thread context of 1068	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	47
PID 2276 set thread context of 1304	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	49
PID 2276 set thread context of 900	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	51
PID 2276 set thread context of 2876	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	53
PID 2276 set thread context of 1500	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	55
PID 2276 set thread context of 2496	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	57
PID 2276 set thread context of 2724	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	59
PID 2276 set thread context of 2348	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	61
PID 2276 set thread context of 1248	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	66
PID 2276 set thread context of 2592	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	68
PID 2276 set thread context of 1540	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	70
PID 2276 set thread context of 1696	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	72
PID 2276 set thread context of 1620	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	75
PID 2276 set thread context of 2780	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	78
PID 2276 set thread context of 2144	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	80
PID 2276 set thread context of 1836	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	82
PID 2276 set thread context of 2808	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd
2276	RQKLOiEWbKfOiLhDWVGTf.cmd

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2276	2696	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2276	2696	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2276	2696	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2276	2696	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2896	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	29
PID 2276 wrote to memory of 2896	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	29
PID 2276 wrote to memory of 2896	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	29
PID 2276 wrote to memory of 2896	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	29
PID 2276 wrote to memory of 2896	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	29
PID 2276 wrote to memory of 2896	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	29
PID 2896 wrote to memory of 2664	2896	wscript.exe	30
PID 2896 wrote to memory of 2664	2896	wscript.exe	30
PID 2896 wrote to memory of 2664	2896	wscript.exe	30
PID 2896 wrote to memory of 2664	2896	wscript.exe	30
PID 2276 wrote to memory of 1760	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	31
PID 2276 wrote to memory of 1760	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	31
PID 2276 wrote to memory of 1760	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	31
PID 2276 wrote to memory of 1760	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	31
PID 2276 wrote to memory of 1760	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	31
PID 2276 wrote to memory of 1760	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	31
PID 1760 wrote to memory of 2468	1760	wscript.exe	32
PID 1760 wrote to memory of 2468	1760	wscript.exe	32
PID 1760 wrote to memory of 2468	1760	wscript.exe	32
PID 1760 wrote to memory of 2468	1760	wscript.exe	32
PID 2276 wrote to memory of 2408	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	33
PID 2276 wrote to memory of 2408	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	33
PID 2276 wrote to memory of 2408	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	33
PID 2276 wrote to memory of 2408	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	33
PID 2276 wrote to memory of 2408	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	33
PID 2276 wrote to memory of 2408	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	33
PID 2408 wrote to memory of 768	2408	wscript.exe	34
PID 2408 wrote to memory of 768	2408	wscript.exe	34
PID 2408 wrote to memory of 768	2408	wscript.exe	34
PID 2408 wrote to memory of 768	2408	wscript.exe	34
PID 2276 wrote to memory of 328	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	35
PID 2276 wrote to memory of 328	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	35
PID 2276 wrote to memory of 328	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	35
PID 2276 wrote to memory of 328	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	35
PID 2276 wrote to memory of 328	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	35
PID 2276 wrote to memory of 328	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	35
PID 328 wrote to memory of 756	328	wscript.exe	36
PID 328 wrote to memory of 756	328	wscript.exe	36
PID 328 wrote to memory of 756	328	wscript.exe	36
PID 328 wrote to memory of 756	328	wscript.exe	36
PID 2276 wrote to memory of 2584	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	37
PID 2276 wrote to memory of 2584	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	37
PID 2276 wrote to memory of 2584	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	37
PID 2276 wrote to memory of 2584	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	37
PID 2276 wrote to memory of 2584	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	37
PID 2276 wrote to memory of 2584	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	37
PID 2584 wrote to memory of 2184	2584	wscript.exe	40
PID 2584 wrote to memory of 2184	2584	wscript.exe	40
PID 2584 wrote to memory of 2184	2584	wscript.exe	40
PID 2584 wrote to memory of 2184	2584	wscript.exe	40
PID 2276 wrote to memory of 2692	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	41
PID 2276 wrote to memory of 2692	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	41
PID 2276 wrote to memory of 2692	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	41
PID 2276 wrote to memory of 2692	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	41
PID 2276 wrote to memory of 2692	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	41
PID 2276 wrote to memory of 2692	2276	RQKLOiEWbKfOiLhDWVGTf.cmd	41
PID 2692 wrote to memory of 1172	2692	wscript.exe	42
PID 2692 wrote to memory of 1172	2692	wscript.exe	42
PID 2692 wrote to memory of 1172	2692	wscript.exe	42
PID 2692 wrote to memory of 1172	2692	wscript.exe	42

C:\Users\Admin\AppData\Local\Temp\841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVGTf.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVGTf.cmd RQKLOiEWbKfOiLhDWVG
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2664
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2468
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:768
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:756
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2184
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1172
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2720
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2728
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:524
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1988
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1068
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1804
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1304
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1120
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:900
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2792
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2876
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2316
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1500
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2744
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2496
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2460
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2724
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2412
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2348
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2468
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:292
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1248
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2340
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:756
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1540
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2040
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1696
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2740
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1620
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1504
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2780
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2084
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:2144
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1200
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Loads dropped DLL
    PID:1836
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2960
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVG

Filesize
47KB

MD5
18f33384d94dcb1b64c41ce700f09133

SHA1
ce3dc15e620224dfd617b325c6506ae64c5044c7

SHA256
03820afb4df4b6117811c1c537426e7bb3ac8d533a231f4981e228ddb6fbd7ab

SHA512
a0169c2c0eb667f6cc322efe42ebaabcd09dce68cd467ba0b62fe6b5b17c22a66dfaae79fa56cc736c34f1ba1a409a59bfcfdb626c14e3faab58dd1054f21ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WARLYLeiLefd

Filesize
84KB

MD5
547c89d00251c1f8e7b09e9e6dd44c33

SHA1
87f6452217915ba0f9232d80c8c53dfeab60e2e1

SHA256
97eca6ef0ffe505508e2176372283435ce1bd9cd6be41b66677071d7853211d4

SHA512
8622ce054473eaa8b5b7cc520249b71b22f42f701769f9cbe0db4ddc0e0ffb1bf9c3f280b880c947abaf3cb998661d971c744b94d5f3816b607c18e6d85b9b5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVGTf.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
memory/328-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1760-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2276-19-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2276-104-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2408-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2896-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2896-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download