Analysis
max time kernel: 115s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 06:05

Static task: static1
Behavioral task behavioral1: sample b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe, resource win7-20240704-en
Behavioral task behavioral2: sample b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe, resource win10v2004-20240802-en
General
Target: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
Size: 349KB
MD5: 9948b43635e6aef192081145dc4ee700
SHA1: e46bd672e312bdac044d48a33cdf04f06edcc1fc
SHA256: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309d
SHA512: 55c7841f84c508e09731e4dc05e05db76ca20564ee88825b0a80c6025fe242d5ed58a1a235e0a1371ae469b1a12777f456ace6aeb7673b46f3544f0612991636
SSDEEP: 6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIm:FB1Q6rpr7MrswfLjGwW5xFdRyJph
Malware Config
Signatures
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
  Process: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe

Adds Run key to start application (2 TTPs, 11 IoCs)
Processes: REG.exe (11 instances)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"
  Process: REG.exe
  (this identical entry is recorded 11 times, once for each REG.exe process)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 33 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: ping.exe (20), REG.exe (11), attrib.exe (1), b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe (1)
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: the same key is recorded as opened 33 times in all, once per process listed above: 20 times by ping.exe, 11 times by REG.exe, once by attrib.exe and once by b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 20 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes: ping.exe (20)
  pid / Process: 1380, 864, 5068, 2360, 1204, 5000, 1800, 3332, 2352, 4380, 2720, 3260, 4084, 4800, 2000, 4180, 2040, 2804, 4312, 3772 (all ping.exe)

Runs ping.exe (1 TTPs, 20 IoCs)
Processes: ping.exe (20)
  pid / Process: 864, 1204, 4084, 4800, 5000, 2804, 4180, 4312, 2352, 2360, 2720, 3260, 1800, 2000, 1380, 2040, 4380, 5068, 3772, 3332 (all ping.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
  pid / Process: 716 b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe (recorded 22 times)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
  description: Token: SeDebugPrivilege
  pid / Process: 716 b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
  Every entry has the form: PID 716 wrote to memory of <target PID>, pid 716, Process b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe, procid_target <n>.
  Target PID (procid_target) and number of entries recorded:
  3332 (86) x3
  1380 (89) x3
  2352 (93) x3
  2040 (95) x3
  2360 (97) x3
  4380 (99) x3
  2720 (101) x3
  2804 (103) x3
  864 (106) x3
  1204 (109) x3
  1852 (111) x3
  4044 (112) x3
  3260 (113) x3
  4084 (116) x3
  4800 (118) x3
  5000 (120) x3
  1800 (122) x3
  4312 (124) x3
  2000 (126) x3
  5068 (128) x3
  4180 (130) x3
  3772 (132) x1 (the listing stops at the 64-IoC limit)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe"
  PID: 716 (depth 1)
  Signatures:
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2), in the order recorded:
  - C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    PIDs (one process each): 3332, 1380, 2352, 2040, 2360, 4380, 2720, 2804, 864, 1204
    Signatures on each of these processes:
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 1852
    Signatures: none recorded
  - C:\Windows\SysWOW64\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
    PID: 4044
    Signatures:
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    PIDs (one process each): 3260, 4084, 4800, 5000, 1800, 4312, 2000, 5068, 4180, 3772
    Signatures on each of these processes:
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  - C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
    PIDs (one process each): 4624, 3872, 3660, 3960, 1056, 3080, 1272, 3200, 1708, 3580, 1676
    Signatures on each of these processes:
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (1)
Downloads
Filesize: 349KB
MD5: f15f6e0abdb54879ba7347e9ecd48cce
SHA1: e1c0e0245a94f349e4882a7da811beba004e70de
SHA256: a839e2a46929627d14fd0b4bea961fb2c66027b1670d265fd9ecd2945e61a70f
SHA512: ad9494c2b9b946a26abd45541ce47ca84a26ba4be6d02ef5e2b2608b74e90f11e3c8077947a943ef70d8fc6c748eef32bb98745ec635eaa6405fcfe9d8286f4d