f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

General

Target

Venom-Rat-Cracked--main/Venom Activated Cracked.exe
Size

10.1MB
MD5

4dabfeed4b250a3248714458ae370ca8
SHA1

6e215b2a20039a4dbde18579a1419a4eb10946ac
SHA256

eb23cbc820d2b8fdc0227b2e89274edf2671163cae40e0a9bb930b91c05ac3a9
SHA512

7ea826cf27da942ce2e9db4a800b3c247670a8fc260af8686d14c48583f38f14b935d5af282a3774a9811f0957ca7318dc883307254554e907f7cfb5f6419a4c
SSDEEP

196608:m6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7NaREE:m0f/KacMbR2J2UKEdiRIAL1xXPCwkEn7

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 29 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4500	netsh.exe
2744	netsh.exe
4100	netsh.exe
2080	netsh.exe
4892	netsh.exe
5116	netsh.exe
4156	netsh.exe
4408	netsh.exe
5064	netsh.exe
1672	netsh.exe
764	netsh.exe
1044	netsh.exe
2876	netsh.exe
4212	netsh.exe
1988	netsh.exe
4388	netsh.exe
3644	netsh.exe
236	netsh.exe
4236	netsh.exe
4668	netsh.exe
1636	netsh.exe
2332	netsh.exe
2880	netsh.exe
4856	netsh.exe
2556	netsh.exe
396	netsh.exe
1448	netsh.exe
4196	netsh.exe
3268	netsh.exe

Drops startup file 2 IoCs

Processes:

firewall.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe

Executes dropped EXE 10 IoCs

Processes:

Venom Cracked.exeMajid Z Hacker.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exefirewall.exeMajid Z Hacker.exe

pid	process
4616	Venom Cracked.exe
1516	Majid Z Hacker.exe
2716	Majid Z Hacker.exe
3660	firewall.exe
1856	Majid Z Hacker.exe
1124	firewall.exe
2624	Majid Z Hacker.exe
1108	firewall.exe
2468	firewall.exe
1116	Majid Z Hacker.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

firewall.exefirewall.exefirewall.exefirewall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

firewall.exefirewall.exefirewall.exefirewall.exe

description	pid	process
Token: SeDebugPrivilege	1124	firewall.exe
Token: SeDebugPrivilege	3660	firewall.exe
Token: SeDebugPrivilege	1108	firewall.exe
Token: SeDebugPrivilege	2468	firewall.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

Venom Activated Cracked.exeMajid Z Hacker.exeMajid Z Hacker.exefirewall.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exe

description	pid	process	target process
PID 4956 wrote to memory of 4616	4956	Venom Activated Cracked.exe	Venom Cracked.exe
PID 4956 wrote to memory of 4616	4956	Venom Activated Cracked.exe	Venom Cracked.exe
PID 4956 wrote to memory of 1516	4956	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 4956 wrote to memory of 1516	4956	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 4956 wrote to memory of 1516	4956	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 1516 wrote to memory of 2716	1516	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1516 wrote to memory of 2716	1516	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1516 wrote to memory of 2716	1516	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1516 wrote to memory of 3660	1516	Majid Z Hacker.exe	firewall.exe
PID 1516 wrote to memory of 3660	1516	Majid Z Hacker.exe	firewall.exe
PID 1516 wrote to memory of 3660	1516	Majid Z Hacker.exe	firewall.exe
PID 2716 wrote to memory of 1856	2716	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2716 wrote to memory of 1856	2716	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2716 wrote to memory of 1856	2716	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2716 wrote to memory of 1124	2716	Majid Z Hacker.exe	firewall.exe
PID 2716 wrote to memory of 1124	2716	Majid Z Hacker.exe	firewall.exe
PID 2716 wrote to memory of 1124	2716	Majid Z Hacker.exe	firewall.exe
PID 1124 wrote to memory of 4236	1124	firewall.exe	netsh.exe
PID 1124 wrote to memory of 4236	1124	firewall.exe	netsh.exe
PID 1124 wrote to memory of 4236	1124	firewall.exe	netsh.exe
PID 3660 wrote to memory of 4408	3660	firewall.exe	netsh.exe
PID 3660 wrote to memory of 4408	3660	firewall.exe	netsh.exe
PID 3660 wrote to memory of 4408	3660	firewall.exe	netsh.exe
PID 1856 wrote to memory of 2624	1856	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1856 wrote to memory of 2624	1856	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1856 wrote to memory of 2624	1856	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 1856 wrote to memory of 1108	1856	Majid Z Hacker.exe	firewall.exe
PID 1856 wrote to memory of 1108	1856	Majid Z Hacker.exe	firewall.exe
PID 1856 wrote to memory of 1108	1856	Majid Z Hacker.exe	firewall.exe
PID 1108 wrote to memory of 2744	1108	firewall.exe	netsh.exe
PID 1108 wrote to memory of 2744	1108	firewall.exe	netsh.exe
PID 1108 wrote to memory of 2744	1108	firewall.exe	netsh.exe
PID 2624 wrote to memory of 1116	2624	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2624 wrote to memory of 1116	2624	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2624 wrote to memory of 1116	2624	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2624 wrote to memory of 2468	2624	Majid Z Hacker.exe	firewall.exe
PID 2624 wrote to memory of 2468	2624	Majid Z Hacker.exe	firewall.exe
PID 2624 wrote to memory of 2468	2624	Majid Z Hacker.exe	firewall.exe
PID 2468 wrote to memory of 5064	2468	firewall.exe	netsh.exe
PID 2468 wrote to memory of 5064	2468	firewall.exe	netsh.exe
PID 2468 wrote to memory of 5064	2468	firewall.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
2⤵
- Executes dropped EXE
PID:4616

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
6⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
7⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
8⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
9⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
10⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
11⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
12⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
13⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
14⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
15⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
16⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
17⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
18⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
19⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
20⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
21⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
22⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
23⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
24⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
25⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
26⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
27⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
28⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
29⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
30⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
31⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
32⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
33⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
33⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
32⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
31⤵
PID:2412

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
32⤵
- Modifies Windows Firewall
PID:236

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
30⤵
PID:1652

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
31⤵
- Modifies Windows Firewall
PID:3268

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
29⤵
PID:3728

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
30⤵
- Modifies Windows Firewall
PID:4156

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
28⤵
PID:3612

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
29⤵
- Modifies Windows Firewall
PID:2332

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
27⤵
PID:4236

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
28⤵
- Modifies Windows Firewall
PID:396

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
26⤵
PID:1328

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
27⤵
- Modifies Windows Firewall
PID:2876

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
25⤵
PID:2596

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
26⤵
- Modifies Windows Firewall
PID:1044

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
24⤵
PID:4168

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
25⤵
- Modifies Windows Firewall
PID:2556

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
23⤵
PID:1904

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
24⤵
- Modifies Windows Firewall
PID:1636

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
22⤵
PID:644

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
23⤵
- Modifies Windows Firewall
PID:3644

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
21⤵
PID:4756

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
22⤵
- Modifies Windows Firewall
PID:4500

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
20⤵
PID:1868

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
21⤵
- Modifies Windows Firewall
PID:5116

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
19⤵
PID:4996

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
20⤵
- Modifies Windows Firewall
PID:764

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
18⤵
PID:2816

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
19⤵
- Modifies Windows Firewall
PID:4892

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
17⤵
PID:2948

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
18⤵
- Modifies Windows Firewall
PID:4196

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
16⤵
PID:404

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
17⤵
- Modifies Windows Firewall
PID:1448

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
15⤵
PID:3064

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
16⤵
- Modifies Windows Firewall
PID:1672

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
14⤵
PID:1076

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
15⤵
- Modifies Windows Firewall
PID:4388

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
13⤵
PID:1840

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
14⤵
- Modifies Windows Firewall
PID:1988

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
12⤵
PID:4840

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
13⤵
- Modifies Windows Firewall
PID:4856

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
11⤵
PID:1364

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
12⤵
- Modifies Windows Firewall
PID:2080

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
10⤵
PID:1492

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
11⤵
- Modifies Windows Firewall
PID:4668

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
9⤵
PID:4844

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
10⤵
- Modifies Windows Firewall
PID:4100

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
8⤵
PID:2064

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
9⤵
- Modifies Windows Firewall
PID:4212

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
7⤵
PID:2952

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
8⤵
- Modifies Windows Firewall
PID:2880

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
7⤵
- Modifies Windows Firewall
PID:5064

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:2744

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:4236

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlackData.dat

Filesize
3B

MD5
93cba07454f06a4a960172bbd6e2a435

SHA1
5397e0583f14f6c88de06b1ef28f460a1fb5b0ae

SHA256
85a39ab345d672ff8ca9b9c6876f3adcacf45ee7c1e2dbd2408fd338bd55e07e

SHA512
6b99acba1e4e469610f9227829648fa52e7ad463f22568f0a04188f2d465a585ba077f12d1a527674c338470e79665fd16e54f25553482cddd85845232d186f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe

Filesize
462KB

MD5
a8a8d6f3b48466242959545235d1c9b6

SHA1
0c2d670dc3b3b07a2498756e1d46fd1fee53a621

SHA256
09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec

SHA512
09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe

Filesize
12.1MB

MD5
750015e08a9409c80cd3837daebb970a

SHA1
bfd1122f8c459862717b0b7a50b7216fc2573880

SHA256
3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2

SHA512
f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\firewall.exe

Filesize
40KB

MD5
085242fc50844dc41d1966e620d3e121

SHA1
5e9a343256313938468d5d4fb92e39c5ef6f8c91

SHA256
180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d

SHA512
3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b

Download Submit
C:\Users\Admin\Documents\My Music\autorun.inf

Filesize
287B

MD5
15755ea8c0f620cfdaf9ada425e6b4c2

SHA1
868d9aca932d7a1a0d26ba19d613e34f3325a4eb

SHA256
3ae21c30b4273c6dfcc5841aaa18d776e53dd9dd9458051cb5457e25af4250fe

SHA512
6a44ff83fcf9d22fe1d06d3333be2bcfd45df0a9bc449cdf857d255c69d88497efc8c00c6a4ba383da6ebd7d422e87fea2e78ad62ec678fa3dc1aac29e34fae9

Download Submit
C:\Users\Admin\Documents\My Pictures\autorun.inf

Filesize
299B

MD5
d7111cd7ccdee778d8261d4e03614a85

SHA1
f88c30e0403764b7384e3ef64cb54a1c2f5121f4

SHA256
6ad6f66d55b492f4f982a1bbe9ba99b20f3c77b93285cca02ca7843642336aa3

SHA512
15578fff5e7ee767edeaa4da93a66b2a634d8caa7a0a06223481fa6ab1c97c64f3871a36550406bc29f2e1262bb01e282d022cd55e9e7aa8ce9745fa3037c5b1

Download Submit
C:\Users\Admin\Documents\My Videos\autorun.inf

Filesize
291B

MD5
5cda9292cfaacb554b5ddda7a5d8daa0

SHA1
05d78ca665e4186a6245c29c9b392e090a9d0937

SHA256
8cbbcbdb2618fb7eaf7e09ceceee1c9d0cbdf609e4f0fc9a6a2de71912ceb174

SHA512
825381e97b7a0458898f27a95584affa011d1038a380a3e19c81cb04a80bbb9924536fa6c53dbde073d371de2918ede9a0e2427b9227888ce208b6ac50accdba

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\autorun.inf

Filesize
323B

MD5
f949be5c00056b76437bc780e92999de

SHA1
fd9920081f3bf1e7eb86433b1ac1a4d8f25174e6

SHA256
3c4ffecacd1c4c008d3fb69855972b2209e12e9695386b687038e12c5ec80ce8

SHA512
619eec04a8c1cce943aa27f69f65480428f07685a03a543d69800e0fdc41321ccd2cc57ff7ba310d22a0196b6cfdb5b30e5331c1a1ac6f0c94382cb27d32f270

Download Submit
memory/4616-19-0x00007FFB21613000-0x00007FFB21615000-memory.dmp

Filesize
8KB

Download
memory/4616-21-0x0000000000FB0000-0x0000000001BCA000-memory.dmp

Filesize
12.1MB

Download
memory/4616-388-0x00007FFB21613000-0x00007FFB21615000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads