exelastealer | a58e4b94e989320460df69f9b16f413fcb10c24e5fbf203a2cf302edb03a4e4a

Analysis

max time kernel
134s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86-64_build_4355/setup_x86-64_build_4355.exe
Size

24.3MB
MD5

28ff0cac1b7a4225c599b7366f5afb42
SHA1

89562ab281aecd486f4d07e5cd6f1cb823459521
SHA256

f6affa968b207a553f4825db54f148a2697c7a786eac16f83df8997a5ea85044
SHA512

a88a332f72e38386eaf9c689df65f4762a1f9c67cab9a63f94beb199d9c04543ff16f522b2ebe180600b78f2fb3d0f49808349ab5dcaa3d5ef5153651c12c95d
SSDEEP

393216:VwUKAUS7TtyXxSUTxnZ17LYLye4ik0opiCmZ:G/eyXzgLyXiOpI

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1844	netsh.exe
3128	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com
41	discord.com
81	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2116	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4900	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2284	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4872	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
4684	tasklist.exe
2984	tasklist.exe
2160	tasklist.exe
1016	tasklist.exe
2564	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3440	NETSTAT.EXE
392	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3984	systeminfo.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
3224	taskkill.exe
4312	taskkill.exe
4420	taskkill.exe
3560	taskkill.exe
64	taskkill.exe
4388	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2584	powershell.exe
2584	powershell.exe
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1348	WMIC.exe
Token: SeSecurityPrivilege	1348	WMIC.exe
Token: SeTakeOwnershipPrivilege	1348	WMIC.exe
Token: SeLoadDriverPrivilege	1348	WMIC.exe
Token: SeSystemProfilePrivilege	1348	WMIC.exe
Token: SeSystemtimePrivilege	1348	WMIC.exe
Token: SeProfSingleProcessPrivilege	1348	WMIC.exe
Token: SeIncBasePriorityPrivilege	1348	WMIC.exe
Token: SeCreatePagefilePrivilege	1348	WMIC.exe
Token: SeBackupPrivilege	1348	WMIC.exe
Token: SeRestorePrivilege	1348	WMIC.exe
Token: SeShutdownPrivilege	1348	WMIC.exe
Token: SeDebugPrivilege	1348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1348	WMIC.exe
Token: SeRemoteShutdownPrivilege	1348	WMIC.exe
Token: SeUndockPrivilege	1348	WMIC.exe
Token: SeManageVolumePrivilege	1348	WMIC.exe
Token: 33	1348	WMIC.exe
Token: 34	1348	WMIC.exe
Token: 35	1348	WMIC.exe
Token: 36	1348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeDebugPrivilege	4684	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3712	3228	setup_x86-64_build_4355.exe	91
PID 3228 wrote to memory of 3712	3228	setup_x86-64_build_4355.exe	91
PID 3228 wrote to memory of 2484	3228	setup_x86-64_build_4355.exe	94
PID 3228 wrote to memory of 2484	3228	setup_x86-64_build_4355.exe	94
PID 3228 wrote to memory of 1480	3228	setup_x86-64_build_4355.exe	95
PID 3228 wrote to memory of 1480	3228	setup_x86-64_build_4355.exe	95
PID 3228 wrote to memory of 2372	3228	setup_x86-64_build_4355.exe	96
PID 3228 wrote to memory of 2372	3228	setup_x86-64_build_4355.exe	96
PID 3228 wrote to memory of 3312	3228	setup_x86-64_build_4355.exe	97
PID 3228 wrote to memory of 3312	3228	setup_x86-64_build_4355.exe	97
PID 2484 wrote to memory of 4872	2484	cmd.exe	102
PID 2484 wrote to memory of 4872	2484	cmd.exe	102
PID 1480 wrote to memory of 1348	1480	cmd.exe	103
PID 1480 wrote to memory of 1348	1480	cmd.exe	103
PID 3312 wrote to memory of 4684	3312	cmd.exe	104
PID 3312 wrote to memory of 4684	3312	cmd.exe	104
PID 3228 wrote to memory of 3440	3228	setup_x86-64_build_4355.exe	106
PID 3228 wrote to memory of 3440	3228	setup_x86-64_build_4355.exe	106
PID 3440 wrote to memory of 2564	3440	cmd.exe	108
PID 3440 wrote to memory of 2564	3440	cmd.exe	108
PID 3228 wrote to memory of 2772	3228	setup_x86-64_build_4355.exe	109
PID 3228 wrote to memory of 2772	3228	setup_x86-64_build_4355.exe	109
PID 3228 wrote to memory of 3708	3228	setup_x86-64_build_4355.exe	110
PID 3228 wrote to memory of 3708	3228	setup_x86-64_build_4355.exe	110
PID 3708 wrote to memory of 2984	3708	cmd.exe	113
PID 3708 wrote to memory of 2984	3708	cmd.exe	113
PID 2772 wrote to memory of 1572	2772	cmd.exe	114
PID 2772 wrote to memory of 1572	2772	cmd.exe	114
PID 3228 wrote to memory of 2116	3228	setup_x86-64_build_4355.exe	117
PID 3228 wrote to memory of 2116	3228	setup_x86-64_build_4355.exe	117
PID 2116 wrote to memory of 1212	2116	cmd.exe	119
PID 2116 wrote to memory of 1212	2116	cmd.exe	119
PID 3228 wrote to memory of 3460	3228	setup_x86-64_build_4355.exe	120
PID 3228 wrote to memory of 3460	3228	setup_x86-64_build_4355.exe	120
PID 3460 wrote to memory of 2160	3460	cmd.exe	122
PID 3460 wrote to memory of 2160	3460	cmd.exe	122
PID 3228 wrote to memory of 312	3228	setup_x86-64_build_4355.exe	123
PID 3228 wrote to memory of 312	3228	setup_x86-64_build_4355.exe	123
PID 312 wrote to memory of 4312	312	cmd.exe	125
PID 312 wrote to memory of 4312	312	cmd.exe	125
PID 3228 wrote to memory of 2432	3228	setup_x86-64_build_4355.exe	127
PID 3228 wrote to memory of 2432	3228	setup_x86-64_build_4355.exe	127
PID 2432 wrote to memory of 4420	2432	cmd.exe	129
PID 2432 wrote to memory of 4420	2432	cmd.exe	129
PID 3228 wrote to memory of 3932	3228	setup_x86-64_build_4355.exe	130
PID 3228 wrote to memory of 3932	3228	setup_x86-64_build_4355.exe	130
PID 3932 wrote to memory of 3560	3932	cmd.exe	132
PID 3932 wrote to memory of 3560	3932	cmd.exe	132
PID 3228 wrote to memory of 1972	3228	setup_x86-64_build_4355.exe	133
PID 3228 wrote to memory of 1972	3228	setup_x86-64_build_4355.exe	133
PID 1972 wrote to memory of 64	1972	cmd.exe	135
PID 1972 wrote to memory of 64	1972	cmd.exe	135
PID 3228 wrote to memory of 2224	3228	setup_x86-64_build_4355.exe	136
PID 3228 wrote to memory of 2224	3228	setup_x86-64_build_4355.exe	136
PID 2224 wrote to memory of 4388	2224	cmd.exe	138
PID 2224 wrote to memory of 4388	2224	cmd.exe	138
PID 3228 wrote to memory of 2720	3228	setup_x86-64_build_4355.exe	139
PID 3228 wrote to memory of 2720	3228	setup_x86-64_build_4355.exe	139
PID 2720 wrote to memory of 3224	2720	cmd.exe	141
PID 2720 wrote to memory of 3224	2720	cmd.exe	141
PID 3228 wrote to memory of 4016	3228	setup_x86-64_build_4355.exe	142
PID 3228 wrote to memory of 4016	3228	setup_x86-64_build_4355.exe	142
PID 3228 wrote to memory of 2820	3228	setup_x86-64_build_4355.exe	143
PID 3228 wrote to memory of 2820	3228	setup_x86-64_build_4355.exe	143

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1212	attrib.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86-64_build_4355\setup_x86-64_build_4355.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86-64_build_4355\setup_x86-64_build_4355.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get Manufacturer
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "gdb --version"
  2⤵
  PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get Manufacturer
    3⤵
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
    3⤵
    - Views/modifies file attributes
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 960"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 960
    3⤵
    - Kills process with taskkill
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 876"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 876
    3⤵
    - Kills process with taskkill
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3436"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 3436
    3⤵
    - Kills process with taskkill
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3520"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 3520
    3⤵
    - Kills process with taskkill
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4792"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 4792
    3⤵
    - Kills process with taskkill
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3376"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 3376
    3⤵
    - Kills process with taskkill
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
  2⤵
  PID:4016
- - C:\Windows\system32\cmd.exe
    cmd.exe /c chcp
    3⤵
    PID:4376
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
  2⤵
  PID:2820
- - C:\Windows\system32\cmd.exe
    cmd.exe /c chcp
    3⤵
    PID:184
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  2⤵
  PID:4688
- - C:\Windows\system32\tasklist.exe
    tasklist /FO LIST
    3⤵
    - Enumerates processes with tasklist
    PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
  2⤵
  PID:680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
  2⤵
  PID:312
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
  2⤵
  PID:1564
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:3984
- - C:\Windows\system32\HOSTNAME.EXE
    hostname
    3⤵
    PID:3100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get caption,description,providername
    3⤵
    - Collects information from the system
    PID:2284
- - C:\Windows\system32\net.exe
    net user
    3⤵
    PID:4400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4680
- - C:\Windows\system32\query.exe
    query user
    3⤵
    PID:3436
  - - C:\Windows\system32\quser.exe
      "C:\Windows\system32\quser.exe"
      4⤵
      PID:4412
- - C:\Windows\system32\net.exe
    net localgroup
    3⤵
    PID:2076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2500
- - C:\Windows\system32\net.exe
    net localgroup administrators
    3⤵
    PID:3520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:836
- - C:\Windows\system32\net.exe
    net user guest
    3⤵
    PID:3080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user guest
      4⤵
      PID:3424
- - C:\Windows\system32\net.exe
    net user administrator
    3⤵
    PID:3932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator
      4⤵
      PID:4776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic startup get caption,command
    3⤵
    PID:2752
- - C:\Windows\system32\tasklist.exe
    tasklist /svc
    3⤵
    - Enumerates processes with tasklist
    PID:2564
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:392
- - C:\Windows\system32\ROUTE.EXE
    route print
    3⤵
    PID:4936
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2400
- - C:\Windows\system32\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    PID:3440
- - C:\Windows\system32\sc.exe
    sc query type= service state= all
    3⤵
    - Launches sc.exe
    PID:4900
- - C:\Windows\system32\netsh.exe
    netsh firewall show state
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1844
- - C:\Windows\system32\netsh.exe
    netsh firewall show config
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:4080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:2412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=3796 /prefetch:8
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
24.3MB

MD5
28ff0cac1b7a4225c599b7366f5afb42

SHA1
89562ab281aecd486f4d07e5cd6f1cb823459521

SHA256
f6affa968b207a553f4825db54f148a2697c7a786eac16f83df8997a5ea85044

SHA512
a88a332f72e38386eaf9c689df65f4762a1f9c67cab9a63f94beb199d9c04543ff16f522b2ebe180600b78f2fb3d0f49808349ab5dcaa3d5ef5153651c12c95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3qt13tzr.b05.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2584-68-0x000001DEEC940000-0x000001DEEC962000-memory.dmp

Filesize
136KB

Download