Analysis
max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
19-09-2024 01:54
Static task
static1
Behavioral task
behavioral1
Sample
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Resource
win10v2004-20240802-en
General
Target
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Size
11.2MB
MD5
4fa734db8e9f7ce5ecd217b34ecc6969
SHA1
fbfc15ded2ebd130c92d812c26dc052561f7ff83
SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
SHA512
76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a
SSDEEP
196608:FfhVx6cyJczra+6msUjFD8rXPLJy5rRUlXmBPzLMAoUsJBK7iskeDqQ7poZ:FfrABJq2+6mnD8b9y9RU8zLMAoUsJBKK
Malware Config
Signatures
SectopRAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1496-194-0x0000000000400000-0x00000000004C6000-memory.dmp | family_sectoprat
behavioral1/memory/1496-193-0x0000000000400000-0x00000000004C6000-memory.dmp | family_sectoprat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to or copy of the web browser credential store.
Executes dropped EXE 4 IoCs
Processes:
pid | Process
2008 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
2228 | AutoIt3.exe
1532 | AutoIt3.exe
Loads dropped DLL 6 IoCs
Processes:
pid | Process
1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
2008 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
2484 | cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | AutoIt3.exe
Enumerates processes with tasklist 1 TTPs 6 IoCs
Processes:
pid | Process
3032 | tasklist.exe
2324 | tasklist.exe
2900 | tasklist.exe
2232 | tasklist.exe
2012 | tasklist.exe
1704 | tasklist.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 1532 set thread context of 1496 | 1532 | AutoIt3.exe | 66
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | Process
2484 | cmd.exe
2396 | PING.EXE
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | Process
2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
1496 | MSBuild.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2900 | tasklist.exe
Token: SeDebugPrivilege | 2232 | tasklist.exe
Token: SeDebugPrivilege | 2012 | tasklist.exe
Token: SeDebugPrivilege | 1704 | tasklist.exe
Token: SeDebugPrivilege | 3032 | tasklist.exe
Token: SeDebugPrivilege | 2324 | tasklist.exe
Token: SeDebugPrivilege | 1496 | MSBuild.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | Process
2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | Process
1496 | MSBuild.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target
PID 1352 wrote to memory of 2008 | 1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 30
PID 1352 wrote to memory of 2008 | 1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 30
PID 1352 wrote to memory of 2008 | 1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 30
PID 1352 wrote to memory of 2008 | 1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 30
PID 1352 wrote to memory of 2008 | 1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 30
PID 1352 wrote to memory of 2008 | 1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 30
PID 1352 wrote to memory of 2008 | 1352 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 30
PID 2008 wrote to memory of 2380 | 2008 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 31
PID 2008 wrote to memory of 2380 | 2008 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 31
PID 2008 wrote to memory of 2380 | 2008 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 31
PID 2008 wrote to memory of 2380 | 2008 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 31
PID 2380 wrote to memory of 2164 | 2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 32
PID 2380 wrote to memory of 2164 | 2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 32
PID 2380 wrote to memory of 2164 | 2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 32
PID 2380 wrote to memory of 2164 | 2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 32
PID 2380 wrote to memory of 2164 | 2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 32
PID 2380 wrote to memory of 2164 | 2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 32
PID 2380 wrote to memory of 2164 | 2380 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | 32
PID 2164 wrote to memory of 1196 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 33
PID 2164 wrote to memory of 1196 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 33
PID 2164 wrote to memory of 1196 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 33
PID 2164 wrote to memory of 1196 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 33
PID 1196 wrote to memory of 2900 | 1196 | cmd.exe | 35
PID 1196 wrote to memory of 2900 | 1196 | cmd.exe | 35
PID 1196 wrote to memory of 2900 | 1196 | cmd.exe | 35
PID 1196 wrote to memory of 2920 | 1196 | cmd.exe | 36
PID 1196 wrote to memory of 2920 | 1196 | cmd.exe | 36
PID 1196 wrote to memory of 2920 | 1196 | cmd.exe | 36
PID 2164 wrote to memory of 2700 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 38
PID 2164 wrote to memory of 2700 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 38
PID 2164 wrote to memory of 2700 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 38
PID 2164 wrote to memory of 2700 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 38
PID 2700 wrote to memory of 2232 | 2700 | cmd.exe | 40
PID 2700 wrote to memory of 2232 | 2700 | cmd.exe | 40
PID 2700 wrote to memory of 2232 | 2700 | cmd.exe | 40
PID 2700 wrote to memory of 2836 | 2700 | cmd.exe | 41
PID 2700 wrote to memory of 2836 | 2700 | cmd.exe | 41
PID 2700 wrote to memory of 2836 | 2700 | cmd.exe | 41
PID 2164 wrote to memory of 1768 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 42
PID 2164 wrote to memory of 1768 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 42
PID 2164 wrote to memory of 1768 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 42
PID 2164 wrote to memory of 1768 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 42
PID 1768 wrote to memory of 2012 | 1768 | cmd.exe | 44
PID 1768 wrote to memory of 2012 | 1768 | cmd.exe | 44
PID 1768 wrote to memory of 2012 | 1768 | cmd.exe | 44
PID 1768 wrote to memory of 1712 | 1768 | cmd.exe | 45
PID 1768 wrote to memory of 1712 | 1768 | cmd.exe | 45
PID 1768 wrote to memory of 1712 | 1768 | cmd.exe | 45
PID 2164 wrote to memory of 2316 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 46
PID 2164 wrote to memory of 2316 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 46
PID 2164 wrote to memory of 2316 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 46
PID 2164 wrote to memory of 2316 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 46
PID 2316 wrote to memory of 1704 | 2316 | cmd.exe | 48
PID 2316 wrote to memory of 1704 | 2316 | cmd.exe | 48
PID 2316 wrote to memory of 1704 | 2316 | cmd.exe | 48
PID 2316 wrote to memory of 2080 | 2316 | cmd.exe | 49
PID 2316 wrote to memory of 2080 | 2316 | cmd.exe | 49
PID 2316 wrote to memory of 2080 | 2316 | cmd.exe | 49
PID 2164 wrote to memory of 564 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 50
PID 2164 wrote to memory of 564 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 50
PID 2164 wrote to memory of 564 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 50
PID 2164 wrote to memory of 564 | 2164 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | 50
PID 564 wrote to memory of 3032 | 564 | cmd.exe | 52
PID 564 wrote to memory of 3032 | 564 | cmd.exe | 52
Processes
(process tree; indentation shows parent/child depth, path on the first line of each entry and its command line on the second)

C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
  "C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352

  C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$40026,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2008

    C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
      "C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2380

      C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$301D2,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:2164

        C:\Windows\system32\cmd.exe
          "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
          - Suspicious use of WriteProcessMemory
          PID:1196

          C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:2900

          C:\Windows\system32\find.exe
            find /I "wrsa.exe"
            PID:2920

        C:\Windows\system32\cmd.exe
          "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
          - Suspicious use of WriteProcessMemory
          PID:2700

          C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:2232

          C:\Windows\system32\find.exe
            find /I "opssvc.exe"
            PID:2836

        C:\Windows\system32\cmd.exe
          "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
          - Suspicious use of WriteProcessMemory
          PID:1768

          C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:2012

          C:\Windows\system32\find.exe
            find /I "avastui.exe"
            PID:1712

        C:\Windows\system32\cmd.exe
          "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
          - Suspicious use of WriteProcessMemory
          PID:2316

          C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:1704

          C:\Windows\system32\find.exe
            find /I "avgui.exe"
            PID:2080

        C:\Windows\system32\cmd.exe
          "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
          - Suspicious use of WriteProcessMemory
          PID:564

          C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:3032

          C:\Windows\system32\find.exe
            find /I "nswscsvc.exe"
            PID:480

        C:\Windows\system32\cmd.exe
          "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
          PID:1556

          C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID:2324

          C:\Windows\system32\find.exe
            find /I "sophoshealth.exe"
            PID:832

        C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
          "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:2228

          C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\Gg2Ofncpo.a3x && del C:\ProgramData\\Gg2Ofncpo.a3x
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            PID:2484

            C:\Windows\SysWOW64\PING.EXE
              ping -n 5 127.0.0.1
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID:2396

            C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
              AutoIt3.exe C:\ProgramData\\Gg2Ofncpo.a3x
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              PID:1532

              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                PID:2420

              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                PID:1192

              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                PID:1496
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads

Filesize 20KB
MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Filesize 940KB
MD5 0bc6d1c595e440233c6daa45813657a0
SHA1 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3
SHA256 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac
SHA512 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

Filesize 62KB
MD5 647d824a19511783d1a011f8b775c1d4
SHA1 46b0213afa55d27a688e9729ac120d4574318cb5
SHA256 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b
SHA512 ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
Filesize 3.1MB
MD5 81636f80b1e7c0b8f946c8ff0081436a
SHA1 9e7b01f8324e089b925cb9050ce74cd099c58370
SHA256 ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35
SHA512 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

Filesize 2KB
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize 921KB
MD5 3f58a517f1f4796225137e7659ad2adb
SHA1 e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512 acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634