26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

Resubmissions

21/09/2024, 16:08

240921-tll8rs1fpl 8

21/09/2024, 12:32

240921-pqwksasflp 7

Analysis

max time kernel
24s
max time network
43s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/09/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sena.exe
Size

1.7MB
MD5

c87016453266c49b5c7b0d7abaf6801f
SHA1

0230da2215ae2f918d52bf5c6a80fb3e09356395
SHA256

26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e
SHA512

cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9qEoScovLgGCJv+gy4xwpdvGzk+kKufpFr:2nsHyjtk2MYC5GD8UcoDTCBtxCdeQ+y

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3800	._cache_Sena.exe
3380	Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3380	Synaptics.exe
1136	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Sena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sena.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5020	EXCEL.EXE
5020	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
1136	._cache_Synaptics.exe
3800	._cache_Sena.exe
3800	._cache_Sena.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	._cache_Synaptics.exe
Token: SeIncreaseQuotaPrivilege	3164	WMIC.exe
Token: SeSecurityPrivilege	3164	WMIC.exe
Token: SeTakeOwnershipPrivilege	3164	WMIC.exe
Token: SeLoadDriverPrivilege	3164	WMIC.exe
Token: SeSystemProfilePrivilege	3164	WMIC.exe
Token: SeSystemtimePrivilege	3164	WMIC.exe
Token: SeProfSingleProcessPrivilege	3164	WMIC.exe
Token: SeIncBasePriorityPrivilege	3164	WMIC.exe
Token: SeCreatePagefilePrivilege	3164	WMIC.exe
Token: SeBackupPrivilege	3164	WMIC.exe
Token: SeRestorePrivilege	3164	WMIC.exe
Token: SeShutdownPrivilege	3164	WMIC.exe
Token: SeDebugPrivilege	3164	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3164	WMIC.exe
Token: SeRemoteShutdownPrivilege	3164	WMIC.exe
Token: SeUndockPrivilege	3164	WMIC.exe
Token: SeManageVolumePrivilege	3164	WMIC.exe
Token: 33	3164	WMIC.exe
Token: 34	3164	WMIC.exe
Token: 35	3164	WMIC.exe
Token: 36	3164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3164	WMIC.exe
Token: SeSecurityPrivilege	3164	WMIC.exe
Token: SeTakeOwnershipPrivilege	3164	WMIC.exe
Token: SeLoadDriverPrivilege	3164	WMIC.exe
Token: SeSystemProfilePrivilege	3164	WMIC.exe
Token: SeSystemtimePrivilege	3164	WMIC.exe
Token: SeProfSingleProcessPrivilege	3164	WMIC.exe
Token: SeIncBasePriorityPrivilege	3164	WMIC.exe
Token: SeCreatePagefilePrivilege	3164	WMIC.exe
Token: SeBackupPrivilege	3164	WMIC.exe
Token: SeRestorePrivilege	3164	WMIC.exe
Token: SeShutdownPrivilege	3164	WMIC.exe
Token: SeDebugPrivilege	3164	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3164	WMIC.exe
Token: SeRemoteShutdownPrivilege	3164	WMIC.exe
Token: SeUndockPrivilege	3164	WMIC.exe
Token: SeManageVolumePrivilege	3164	WMIC.exe
Token: 33	3164	WMIC.exe
Token: 34	3164	WMIC.exe
Token: 35	3164	WMIC.exe
Token: 36	3164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2080	WMIC.exe
Token: SeSecurityPrivilege	2080	WMIC.exe
Token: SeTakeOwnershipPrivilege	2080	WMIC.exe
Token: SeLoadDriverPrivilege	2080	WMIC.exe
Token: SeSystemProfilePrivilege	2080	WMIC.exe
Token: SeSystemtimePrivilege	2080	WMIC.exe
Token: SeProfSingleProcessPrivilege	2080	WMIC.exe
Token: SeIncBasePriorityPrivilege	2080	WMIC.exe
Token: SeCreatePagefilePrivilege	2080	WMIC.exe
Token: SeBackupPrivilege	2080	WMIC.exe
Token: SeRestorePrivilege	2080	WMIC.exe
Token: SeShutdownPrivilege	2080	WMIC.exe
Token: SeDebugPrivilege	2080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2080	WMIC.exe
Token: SeRemoteShutdownPrivilege	2080	WMIC.exe
Token: SeUndockPrivilege	2080	WMIC.exe
Token: SeManageVolumePrivilege	2080	WMIC.exe
Token: 33	2080	WMIC.exe
Token: 34	2080	WMIC.exe
Token: 35	2080	WMIC.exe
Token: 36	2080	WMIC.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE
5020	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 3800	3208	Sena.exe	81
PID 3208 wrote to memory of 3800	3208	Sena.exe	81
PID 3208 wrote to memory of 3800	3208	Sena.exe	81
PID 3208 wrote to memory of 3380	3208	Sena.exe	83
PID 3208 wrote to memory of 3380	3208	Sena.exe	83
PID 3208 wrote to memory of 3380	3208	Sena.exe	83
PID 3380 wrote to memory of 1136	3380	Synaptics.exe	84
PID 3380 wrote to memory of 1136	3380	Synaptics.exe	84
PID 3380 wrote to memory of 1136	3380	Synaptics.exe	84
PID 1136 wrote to memory of 2140	1136	._cache_Synaptics.exe	87
PID 1136 wrote to memory of 2140	1136	._cache_Synaptics.exe	87
PID 1136 wrote to memory of 2140	1136	._cache_Synaptics.exe	87
PID 2140 wrote to memory of 3716	2140	cmd.exe	89
PID 2140 wrote to memory of 3716	2140	cmd.exe	89
PID 2140 wrote to memory of 3716	2140	cmd.exe	89
PID 3716 wrote to memory of 3164	3716	cmd.exe	90
PID 3716 wrote to memory of 3164	3716	cmd.exe	90
PID 3716 wrote to memory of 3164	3716	cmd.exe	90
PID 3716 wrote to memory of 2136	3716	cmd.exe	91
PID 3716 wrote to memory of 2136	3716	cmd.exe	91
PID 3716 wrote to memory of 2136	3716	cmd.exe	91
PID 2140 wrote to memory of 2772	2140	cmd.exe	92
PID 2140 wrote to memory of 2772	2140	cmd.exe	92
PID 2140 wrote to memory of 2772	2140	cmd.exe	92
PID 2140 wrote to memory of 856	2140	cmd.exe	93
PID 2140 wrote to memory of 856	2140	cmd.exe	93
PID 2140 wrote to memory of 856	2140	cmd.exe	93
PID 2140 wrote to memory of 1272	2140	cmd.exe	94
PID 2140 wrote to memory of 1272	2140	cmd.exe	94
PID 2140 wrote to memory of 1272	2140	cmd.exe	94
PID 2140 wrote to memory of 888	2140	cmd.exe	95
PID 2140 wrote to memory of 888	2140	cmd.exe	95
PID 2140 wrote to memory of 888	2140	cmd.exe	95
PID 2140 wrote to memory of 1348	2140	cmd.exe	96
PID 2140 wrote to memory of 1348	2140	cmd.exe	96
PID 2140 wrote to memory of 1348	2140	cmd.exe	96
PID 1348 wrote to memory of 2080	1348	cmd.exe	97
PID 1348 wrote to memory of 2080	1348	cmd.exe	97
PID 1348 wrote to memory of 2080	1348	cmd.exe	97
PID 1348 wrote to memory of 3060	1348	cmd.exe	98
PID 1348 wrote to memory of 3060	1348	cmd.exe	98
PID 1348 wrote to memory of 3060	1348	cmd.exe	98
PID 2140 wrote to memory of 3744	2140	cmd.exe	99
PID 2140 wrote to memory of 3744	2140	cmd.exe	99
PID 2140 wrote to memory of 3744	2140	cmd.exe	99
PID 3208 wrote to memory of 3800	3208	Sena.exe	81
PID 3208 wrote to memory of 3800	3208	Sena.exe	81
PID 3208 wrote to memory of 3800	3208	Sena.exe	81
PID 3208 wrote to memory of 3380	3208	Sena.exe	83
PID 3208 wrote to memory of 3380	3208	Sena.exe	83
PID 3208 wrote to memory of 3380	3208	Sena.exe	83
PID 3380 wrote to memory of 1136	3380	Synaptics.exe	84
PID 3380 wrote to memory of 1136	3380	Synaptics.exe	84
PID 3380 wrote to memory of 1136	3380	Synaptics.exe	84
PID 1136 wrote to memory of 2140	1136	._cache_Synaptics.exe	87
PID 1136 wrote to memory of 2140	1136	._cache_Synaptics.exe	87
PID 1136 wrote to memory of 2140	1136	._cache_Synaptics.exe	87
PID 2140 wrote to memory of 3716	2140	cmd.exe	89
PID 2140 wrote to memory of 3716	2140	cmd.exe	89
PID 2140 wrote to memory of 3716	2140	cmd.exe	89
PID 3716 wrote to memory of 3164	3716	cmd.exe	90
PID 3716 wrote to memory of 3164	3716	cmd.exe	90
PID 3716 wrote to memory of 3164	3716	cmd.exe	90
PID 3716 wrote to memory of 2136	3716	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\Sena.exe
"C:\Users\Admin\AppData\Local\Temp\Sena.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Sena\bin\mac_changer.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d EA5A8B1F4B59 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        
        PID:3744
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        
        PID:3536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        
        PID:784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
        5⤵
        
        PID:4164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
        5⤵
        
        PID:3012
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
        6⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface set interface name="Ethernet" disable
        5⤵
        
        PID:4912

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c87016453266c49b5c7b0d7abaf6801f

SHA1
0230da2215ae2f918d52bf5c6a80fb3e09356395

SHA256
26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

SHA512
cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f

Download Submit
C:\Users\Admin\AppData\Local\Sena\bin\mac_changer.bat

Filesize
2KB

MD5
86630f471a1c7f40e8494347f9ab8249

SHA1
10a2139adfb884f01799de89bf9b9ccb2a8bb460

SHA256
c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c

SHA512
666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369

Download Submit
C:\Users\Admin\AppData\Local\Sena\system_info.txt

Filesize
59B

MD5
f32b790385debbbff3d69a8834ca4b81

SHA1
f6d0fa5da7762d95932caf88d4afcab48af8859d

SHA256
5695e86be4f8676dc6bfe66c9db9ae692c86afbd60e62c7ed1d4cd5741d51713

SHA512
67ef44c8504ddc1d5bcd1677e5ee1d7948092da0ec53a108b3713c38d9b25a28007c4d93699fde1e513555184ffb467e1e12b0759400ca63ce81c31fb17055b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe

Filesize
1.0MB

MD5
9872c633ef83d043cfca1609c7668719

SHA1
116579be25c526f3fb21620263467717e52db237

SHA256
553cfbf1aec44f3baf003f3a095e9638d4c3ec4aa387e07cf64ff69601353306

SHA512
93bc495d230f8198e573275c037db8b3487ef8cf1ae7029a01998018f4694e2a793bc9bc73e776e171870f0ac1ebbaf3a917ec8da5be235586569989dd0be0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ED75E00

Filesize
22KB

MD5
f685236a59b09426eb8eedd047aa5e1c

SHA1
cbc4d5c7234392eabf1b2efe90a60979eccc9676

SHA256
4a377da757e91706efb041ea763269ec66208eb108120c2fe890b6205b8e78c8

SHA512
78acc8ab41f450d35ad909221bdd9dec62b09192a2d8443012157282c92a55caecf2771ca1977a0040528cc3d81ae72b1598e0192bd3f24ebc6ca93608fc17b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TTHnxnvM.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/3208-0-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3208-129-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3208-129-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3208-0-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3380-254-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3380-253-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3380-131-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3380-131-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3380-254-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/3380-253-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3800-252-0x000000007216E000-0x000000007216F000-memory.dmp

Filesize
4KB

Download
memory/3800-255-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3800-204-0x0000000006B20000-0x0000000006B86000-memory.dmp

Filesize
408KB

Download
memory/3800-203-0x0000000006410000-0x000000000641E000-memory.dmp

Filesize
56KB

Download
memory/3800-201-0x0000000006040000-0x0000000006048000-memory.dmp

Filesize
32KB

Download
memory/3800-183-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3800-182-0x00000000073D0000-0x00000000075CA000-memory.dmp

Filesize
2.0MB

Download
memory/3800-201-0x0000000006040000-0x0000000006048000-memory.dmp

Filesize
32KB

Download
memory/3800-204-0x0000000006B20000-0x0000000006B86000-memory.dmp

Filesize
408KB

Download
memory/3800-202-0x0000000006440000-0x0000000006478000-memory.dmp

Filesize
224KB

Download
memory/3800-203-0x0000000006410000-0x000000000641E000-memory.dmp

Filesize
56KB

Download
memory/3800-252-0x000000007216E000-0x000000007216F000-memory.dmp

Filesize
4KB

Download
memory/3800-130-0x0000000000370000-0x000000000047A000-memory.dmp

Filesize
1.0MB

Download
memory/3800-118-0x000000007216E000-0x000000007216F000-memory.dmp

Filesize
4KB

Download
memory/3800-118-0x000000007216E000-0x000000007216F000-memory.dmp

Filesize
4KB

Download
memory/3800-130-0x0000000000370000-0x000000000047A000-memory.dmp

Filesize
1.0MB

Download
memory/3800-255-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3800-182-0x00000000073D0000-0x00000000075CA000-memory.dmp

Filesize
2.0MB

Download
memory/3800-183-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3800-202-0x0000000006440000-0x0000000006478000-memory.dmp

Filesize
224KB

Download
memory/5020-198-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-197-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-198-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-195-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-199-0x00007FFF49EA0000-0x00007FFF49EB0000-memory.dmp

Filesize
64KB

Download
memory/5020-200-0x00007FFF49EA0000-0x00007FFF49EB0000-memory.dmp

Filesize
64KB

Download
memory/5020-196-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-194-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-200-0x00007FFF49EA0000-0x00007FFF49EB0000-memory.dmp

Filesize
64KB

Download
memory/5020-199-0x00007FFF49EA0000-0x00007FFF49EB0000-memory.dmp

Filesize
64KB

Download
memory/5020-195-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-197-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-196-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download
memory/5020-194-0x00007FFF4C1B0000-0x00007FFF4C1C0000-memory.dmp

Filesize
64KB

Download