Analysis
- max time kernel: 17s
- max time network: 14s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/06/2024, 19:59
Behavioral task: behavioral1
- Sample: Exela.exe
- Resource: win10v2004-20240508-en
Behavioral task: behavioral2
- Sample: Stub.pyc
- Resource: win10v2004-20240611-en
General
- Target: Exela.exe
- Size: 21.0MB
- MD5: 78352c63f0742abb60ef2c4d3d6d5056
- SHA1: e546b7f2f3b8415af09130bb50bec5fb3d94a6fd
- SHA256: 555193b4bf22d78d744acb28089caf091ca95bdd57653dd3ac267c71708dd001
- SHA512: e2e91829fc1ecc67d5e8512b9064a5423dc2f718db2644d2aa67c2d3a66fce22b4c6d0f6d50d4224fffc3c37761463df3779250856bffb04a32b1aa86f0a11e7
- SSDEEP: 196608:KGlZOOepe+x+aPXq7n0jc/bPeNlInY7/s/bRy8rlMxRW5ygjbM:NY+X7n0jcwlIus/b02r
Malware Config
Signatures
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.
-
Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid   Process
1556  netsh.exe
3976  netsh.exe
-
Loads dropped DLL (32 IoCs)
pid   Process
2388  Exela.exe  (32 DLL loads recorded for this process)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource / yara_rule: 64 entries (dropped .dat files and memory regions of PID 2388 under behavioral1), all matching yara rule "upx"; the per-resource list is omitted.
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
17    ip-api.com
-
Hide Artifacts: Hidden Files and Directories (1 TTPs, 1 IoCs)
pid   Process
1156  cmd.exe
-
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
2064  sc.exe
-
Detects Pyinstaller (1 IoCs)
resource                                      yara_rule
behavioral1/files/0x00030000000229d4-152.dat  pyinstaller
-
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description                 ioc                                         Process
Key opened (3x)             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried (3x)            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated (3x)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
-
Collects information from the system (1 TTPs, 1 IoCs)
Uses WMIC.exe to find detailed system information.
pid   Process
4756  WMIC.exe
-
Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
pid   Process
536   WMIC.exe
-
Enumerates processes with tasklist (1 TTPs, 5 IoCs)
pid   Process
1216  tasklist.exe
4736  tasklist.exe
2156  tasklist.exe
3604  tasklist.exe
5052  tasklist.exe
-
Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid   Process
4076  ipconfig.exe
1648  NETSTAT.EXE
-
Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
pid   Process
2556  systeminfo.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2676  powershell.exe  (3 occurrences)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process / pid       Tokens adjusted
WMIC.exe 536        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries)
WMIC.exe 2212       the same 21 tokens as above, recorded twice (42 entries)
tasklist.exe 3604   SeDebugPrivilege (1 entry)
-
Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
2388  Exela.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair below was logged twice (32 pairs, 64 entries).
pid   wrote to memory of   Process     procid_target
224   2388                 Exela.exe   84
2388  1288                 Exela.exe   87
2388  2640                 Exela.exe   89
2388  2144                 Exela.exe   90
2388  2892                 Exela.exe   92
2388  2824                 Exela.exe   93
2640  536                  cmd.exe     97
2144  2212                 cmd.exe     98
2824  3604                 cmd.exe     99
2388  968                  Exela.exe   101
968   2160                 cmd.exe     103
2388  876                  Exela.exe   104
2388  408                  Exela.exe   105
876   4180                 cmd.exe     108
408   5052                 cmd.exe     109
2388  1156                 Exela.exe   110
1156  2176                 cmd.exe     114
2388  3868                 Exela.exe   115
2388  4440                 Exela.exe   117
3868  4160                 cmd.exe     119
4440  1216                 cmd.exe     120
2388  996                  Exela.exe   121
2388  5000                 Exela.exe   122
2388  2752                 Exela.exe   123
2388  2044                 Exela.exe   124
2752  4736                 cmd.exe     129
996   2360                 cmd.exe     130
5000  4596                 cmd.exe     131
2360  5004                 cmd.exe     132
2044  2676                 cmd.exe     133
4596  816                  cmd.exe     134
2388  1936                 Exela.exe   135
-
Views/modifies file attributes (1 TTPs, 1 IoCs)
pid   Process
2176  attrib.exe
Processes (indentation shows parent/child depth; "cmd" is the recorded command line, "sig" the signatures raised by that process)

- C:\Users\Admin\AppData\Local\Temp\Exela.exe (PID 224)
  cmd: "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  sig: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Exela.exe (PID 2388)
    cmd: "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    sig: Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 1288)
      cmd: C:\Windows\system32\cmd.exe /c "ver"
    - C:\Windows\system32\cmd.exe (PID 2640)
      cmd: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 536)
        cmd: wmic path win32_VideoController get name
        sig: Detects videocard installed; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2144)
      cmd: C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 2212)
        cmd: wmic computersystem get Manufacturer
        sig: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2892)
      cmd: C:\Windows\system32\cmd.exe /c "gdb --version"
    - C:\Windows\system32\cmd.exe (PID 2824)
      cmd: C:\Windows\system32\cmd.exe /c "tasklist"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\tasklist.exe (PID 3604)
        cmd: tasklist
        sig: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 968)
      cmd: C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 2160)
        cmd: wmic path Win32_ComputerSystem get Manufacturer
    - C:\Windows\system32\cmd.exe (PID 876)
      cmd: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 4180)
        cmd: wmic csproduct get uuid
    - C:\Windows\system32\cmd.exe (PID 408)
      cmd: C:\Windows\system32\cmd.exe /c "tasklist"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\tasklist.exe (PID 5052)
        cmd: tasklist
        sig: Enumerates processes with tasklist
    - C:\Windows\system32\cmd.exe (PID 1156)
      cmd: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      sig: Hide Artifacts: Hidden Files and Directories; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\attrib.exe (PID 2176)
        cmd: attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        sig: Views/modifies file attributes
    - C:\Windows\system32\cmd.exe (PID 3868)
      cmd: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\mshta.exe (PID 4160)
        cmd: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
    - C:\Windows\system32\cmd.exe (PID 4440)
      cmd: C:\Windows\system32\cmd.exe /c "tasklist"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\tasklist.exe (PID 1216)
        cmd: tasklist
        sig: Enumerates processes with tasklist
    - C:\Windows\system32\cmd.exe (PID 996)
      cmd: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 2360)
        cmd: cmd.exe /c chcp
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\chcp.com (PID 5004)
          cmd: chcp
    - C:\Windows\system32\cmd.exe (PID 5000)
      cmd: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 4596)
        cmd: cmd.exe /c chcp
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\chcp.com (PID 816)
          cmd: chcp
    - C:\Windows\system32\cmd.exe (PID 2752)
      cmd: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\tasklist.exe (PID 4736)
        cmd: tasklist /FO LIST
        sig: Enumerates processes with tasklist
    - C:\Windows\system32\cmd.exe (PID 2044)
      cmd: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2676)
        cmd: powershell.exe Get-Clipboard
        sig: Suspicious behavior: EnumeratesProcesses
    - C:\Windows\system32\cmd.exe (PID 1936)
      cmd: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      - C:\Windows\system32\netsh.exe (PID 4360)
        cmd: netsh wlan show profiles
        sig: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\cmd.exe (PID 1908)
      cmd: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      - C:\Windows\system32\systeminfo.exe (PID 2556)
        cmd: systeminfo
        sig: Gathers system information
      - C:\Windows\system32\HOSTNAME.EXE (PID 1896)
        cmd: hostname
      - C:\Windows\System32\Wbem\WMIC.exe (PID 4756)
        cmd: wmic logicaldisk get caption,description,providername
        sig: Collects information from the system
      - C:\Windows\system32\net.exe (PID 760)
        cmd: net user
        - C:\Windows\system32\net1.exe (PID 1600)
          cmd: C:\Windows\system32\net1 user
      - C:\Windows\system32\query.exe (PID 2312)
        cmd: query user
        - C:\Windows\system32\quser.exe (PID 3248)
          cmd: "C:\Windows\system32\quser.exe"
      - C:\Windows\system32\net.exe (PID 376)
        cmd: net localgroup
        - C:\Windows\system32\net1.exe (PID 3064)
          cmd: C:\Windows\system32\net1 localgroup
      - C:\Windows\system32\net.exe (PID 2040)
        cmd: net localgroup administrators
        - C:\Windows\system32\net1.exe (PID 4828)
          cmd: C:\Windows\system32\net1 localgroup administrators
      - C:\Windows\system32\net.exe (PID 408)
        cmd: net user guest
        - C:\Windows\system32\net1.exe (PID 2108)
          cmd: C:\Windows\system32\net1 user guest
      - C:\Windows\system32\net.exe (PID 1584)
        cmd: net user administrator
        - C:\Windows\system32\net1.exe (PID 372)
          cmd: C:\Windows\system32\net1 user administrator
      - C:\Windows\System32\Wbem\WMIC.exe (PID 1248)
        cmd: wmic startup get caption,command
      - C:\Windows\system32\tasklist.exe (PID 2156)
        cmd: tasklist /svc
        sig: Enumerates processes with tasklist
      - C:\Windows\system32\ipconfig.exe (PID 4076)
        cmd: ipconfig /all
        sig: Gathers network information
      - C:\Windows\system32\ROUTE.EXE (PID 3476)
        cmd: route print
      - C:\Windows\system32\ARP.EXE (PID 4956)
        cmd: arp -a
      - C:\Windows\system32\NETSTAT.EXE (PID 1648)
        cmd: netstat -ano
        sig: Gathers network information
      - C:\Windows\system32\sc.exe (PID 2064)
        cmd: sc query type= service state= all
        sig: Launches sc.exe
      - C:\Windows\system32\netsh.exe (PID 1556)
        cmd: netsh firewall show state
        sig: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
      - C:\Windows\system32\netsh.exe (PID 3976)
        cmd: netsh firewall show config
        sig: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\cmd.exe (PID 4832)
      cmd: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      - C:\Windows\System32\Wbem\WMIC.exe (PID 3504)
        cmd: wmic csproduct get uuid
    - C:\Windows\system32\cmd.exe (PID 2360)
      cmd: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      - C:\Windows\System32\Wbem\WMIC.exe (PID 2172)
        cmd: wmic csproduct get uuid
Network
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Account Manipulation (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads