Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 14:24
Static task: static1
Behavioral task: behavioral1
Sample: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
Resource: win7-20240903-en
General
Target: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
Size: 349KB
MD5: 9948b43635e6aef192081145dc4ee700
SHA1: e46bd672e312bdac044d48a33cdf04f06edcc1fc
SHA256: b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309d
SHA512: 55c7841f84c508e09731e4dc05e05db76ca20564ee88825b0a80c6025fe242d5ed58a1a235e0a1371ae469b1a12777f456ace6aeb7673b46f3544f0612991636
SSDEEP: 6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIm:FB1Q6rpr7MrswfLjGwW5xFdRyJph
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.2
C2: bemery2.no-ip.biz:57628
C2: 127.0.0.1:57628
Mutex: 997af15f-5576-4030-975c-eb3264fb6789
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2015-04-23T21:31:33.540664436Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 57628
default_group: grace
enable_debug_mode: true
gc_threshold: 1.048576e+08 (104857600)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+09 (1048576000)
mutex: 997af15f-5576-4030-975c-eb3264fb6789
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: bemery2.no-ip.biz
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.2
wan_timeout: 8000
Reading the config: the only actionable network indicator is bemery2.no-ip.biz on TCP 57628. The backup host 127.0.0.1 is a loopback placeholder that can never match real traffic, and the two DNS-server fields are inactive because use_custom_dns_server is false. The mutex GUID is the host-side indicator.
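To make the extracted config usable for hunting rather than just reading it, the following Python is an added example for this report (not sandbox output or NanoCore code). It copies the config values from the section above, drops the non-routable backup host, flags the dynamic-DNS name, and applies the resulting indicators to a few telemetry records constructed for the demo; the record shape and field names are this example's own.

```python
"""Derive hunt indicators from the NanoCore config extracted above and run them
over a few constructed telemetry records.

Added example for this report, not sandbox output. The config values are the
ones on this page; the record shape and the sample records are this example's own.
"""
import ipaddress

# Copied from the "Malware Config" section above.
NANOCORE_CONFIG = {
    "version": "1.2.2.2",
    "primary_connection_host": "bemery2.no-ip.biz",
    "backup_connection_host": "127.0.0.1",
    "connection_port": 57628,
    "mutex": "997af15f-5576-4030-975c-eb3264fb6789",
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
}

# Dynamic-DNS suffixes that routinely front RAT C2; no-ip.biz is the one in this config.
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net", ".hopto.org", ".duckdns.org")


def is_routable(host):
    """True for hostnames and public IPs, False for loopback/private/link-local/unspecified."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # not an IP literal, so a hostname: resolve it at hunt time
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified)


def build_indicators(cfg):
    """Split a NanoCore config into {c2: {(host, port)}, port, mutex, notes}."""
    port = int(cfg["connection_port"])
    c2, notes = set(), []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = str(cfg.get(key, "")).strip().lower()
        if not host:
            continue
        if not is_routable(host):
            # The builder left 127.0.0.1 as the backup host; it can never match real traffic.
            notes.append(f"{key}={host} is non-routable; dropped")
            continue
        c2.add((host, port))
        if host.endswith(DYNDNS_SUFFIXES):
            notes.append(f"{host} is dynamic DNS; hunt on the name, the resolved IP will rotate")
    if not cfg.get("use_custom_dns_server", False):
        # The DNS-server fields are dead config unless use_custom_dns_server is true.
        notes.append("use_custom_dns_server=false; the dns_server fields are not active indicators")
    return {"c2": c2, "port": port, "mutex": cfg["mutex"].lower(), "notes": notes}


def match_events(ind, events):
    """Return (index, severity, reason) for each record that touches an indicator.

    Record shapes (this example's own):
      {"type": "dns",   "query": name}
      {"type": "net",   "dst": host_or_ip, "dport": int}
      {"type": "mutex", "name": mutex_name}   # "Global\\" prefix tolerated
    """
    c2_hosts = {h for h, _ in ind["c2"]}
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "dns" and ev.get("query", "").lower() in c2_hosts:
            hits.append((i, "high", f"DNS lookup of C2 host {ev['query']}"))
        elif kind == "net":
            dst, dport = str(ev.get("dst", "")).lower(), int(ev.get("dport", 0))
            if (dst, dport) in ind["c2"]:
                hits.append((i, "high", f"connection to C2 {dst}:{dport}"))
            elif dport == ind["port"]:
                # Port alone is weak: join it to the DNS answer for the C2 name before acting.
                hits.append((i, "low", f"connection on C2 port {dport} to {dst}"))
        elif kind == "mutex":
            name = ev.get("name", "").lower().rsplit("\\", 1)[-1]
            if name == ind["mutex"]:
                hits.append((i, "high", f"NanoCore mutex {ev['name']} created"))
    return hits


# Constructed telemetry: a C2 lookup, a connection on the C2 port to an unrelated host,
# the mutex creation, and a benign lookup that must not fire.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "bemery2.no-ip.biz"},
    {"type": "net", "dst": "10.0.0.5", "dport": 57628},
    {"type": "mutex", "name": "Global\\997af15f-5576-4030-975c-eb3264fb6789"},
    {"type": "dns", "query": "www.google.com"},
]

if __name__ == "__main__":
    ind = build_indicators(NANOCORE_CONFIG)
    for note in ind["notes"]:
        print("note:", note)
    for idx, sev, why in match_events(ind, SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {why}")
```

The port-only match is deliberately rated low: 57628 is not a reserved port, so a connection on it means little until it is joined to a DNS answer for the no-ip name. In real telemetry the join between the DNS record and the connection record is the hunter's job; the example keeps the two separate so that distinction is visible.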
Signatures

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc. Here this is the attrib.exe +s +h child (PID 4156) run against the sample's own file in the process tree below.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
IoC: Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe)

Adds Run key to start application (2 TTPs, 18 IoCs)
IoCs:
- 17 × Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe" (REG.exe, one per REG ADD child)
- 1 × Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe" (RegAsm.exe)
These are two separate persistence mechanisms. The loader's REG ADD loop writes a per-user value named "Google Chrome" that points at a double-extension file under AppData\Roaming (no file-drop signature for that path appears in this report), while the code running inside RegAsm.exe, the SetThreadContext target below, writes a machine-wide value for the wanss.exe copy it drops into Program Files (x86).

Checks whether UAC is enabled (1 IoCs)
IoC: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)

Suspicious use of SetThreadContext (1 IoCs)
IoC: PID 4560 (b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe) set thread context of PID 4308 (RegAsm.exe, procid_target 111)

Drops file in Program Files directory (2 IoCs)
IoCs:
- File created C:\Program Files (x86)\WAN Subsystem\wanss.exe (RegAsm.exe)
- File opened for modification C:\Program Files (x86)\WAN Subsystem\wanss.exe (RegAsm.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 40 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
IoCs: 40 × Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by ping.exe (20), REG.exe (17), attrib.exe (1), RegAsm.exe (1) and the sample (1).
Caveat: the built-in tools the sample launches (every ping.exe, REG.exe and attrib.exe child) trigger this signature too, so on its own it carries little weight.

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 20 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
IoCs: ping.exe PIDs 2108, 3024, 3612, 3120, 4808, 1576, 2916, 4620, 832, 4212, 976, 2904, 4924, 1192, 1176, 3932, 2524, 220, 3352, 1124

Runs ping.exe (1 TTPs, 20 IoCs)
IoCs: the same 20 ping.exe processes (PIDs 220, 976, 2108, 1176, 1192, 4808, 1576, 2916, 4620, 4924, 3612, 3120, 2524, 3024, 1124, 3932, 4212, 2904, 3352, 832)

Suspicious behavior: EnumeratesProcesses (35 IoCs)
IoCs: RegAsm.exe PID 4308 (3 events), b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe PID 4560 (32 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
IoC: RegAsm.exe PID 4308

Suspicious use of AdjustPrivilegeToken (2 IoCs)
IoCs:
- Token: SeDebugPrivilege, PID 4560 (b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe)
- Token: SeDebugPrivilege, PID 4308 (RegAsm.exe)

Suspicious use of WriteProcessMemory (64 IoCs)
All writes are by PID 4560 (the sample) into its children. Per child: PID, number of writes, procid_target:
- ping.exe 2904: 3 (82); 4620: 3 (88); 3024: 3 (91); 4924: 3 (95); 220: 3 (97); 3352: 3 (99); 1124: 3 (101); 832: 3 (103); 3612: 3 (107); 4212: 3 (109)
- RegAsm.exe 4308: 8 (111)
- attrib.exe 4156: 3 (112)
- ping.exe 1176: 3 (114); 3932: 3 (116); 1192: 3 (118); 4808: 3 (120); 3120: 3 (122); 976: 3 (124); 2524: 3 (126); 2108: 2 (128)
The listing stops at 64 entries; the last two ping.exe children (PIDs 1576, 2916) and the REG.exe children do not appear in it. Every ordinary child receives three writes, whereas RegAsm.exe receives eight and is also the SetThreadContext target above: that pairing is the injection of the payload into the hollowed .NET host.

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
Depth is shown in brackets. The 32-bit sample's command lines reference C:\Windows\System32, but the images actually loaded are under C:\Windows\SysWOW64 because WOW64 file-system redirection applies to its child processes.

[1] C:\Users\Admin\AppData\Local\Temp\b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe (PID 4560)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\ping.exe, 10 instances (PIDs 2904, 4620, 3024, 4924, 220, 3352, 1124, 832, 3612, 4212)
      cmdline (each): C:\Windows\System32\ping.exe google.com
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 4308)
      cmdline: "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (no arguments and no drive letter, as recorded)
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\attrib.exe (PID 4156)
      cmdline: "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

  [2] C:\Windows\SysWOW64\ping.exe, 10 instances (PIDs 1176, 3932, 1192, 4808, 3120, 976, 2524, 2108, 1576, 2916)
      cmdline (each): C:\Windows\System32\ping.exe google.com
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

  [2] C:\Windows\SysWOW64\REG.exe, 17 instances (PIDs 3288, 1312, 2024, 4216, 2592, 392, 4552, 1832, 3204, 2720, 480, 1344, 408, 1608, 704, 2312, 388)
      cmdline (each): REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      (the closing quote after the /D value is missing in the recorded command line)
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
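The process tree above is the kind of data an EDR or Sysmon process-creation feed produces, and each of the report's behavioural findings can be re-derived from it. The following Python is an added example for this report (not sandbox output): it transcribes the tree into plain records and runs four rules over them: a REG ADD that plants an autorun value in a user-writable directory, with a double extension, or under a name that does not match its target; attrib +h on a file in a temp directory; a .NET utility such as RegAsm.exe launched with no arguments by a parent in a user-writable directory; and a burst of ping.exe children from one parent. The record shape, rule names and thresholds are this example's own.

```python
"""Re-derive this report's persistence, hiding and injection findings from plain
process-creation records (pid, ppid, image, command line).

Added example for this report, not sandbox output. The records are transcribed
from the process tree above; rule names and thresholds are this example's own.
"""
import re
from collections import Counter
from ntpath import basename, dirname

SAMPLE_PID = 4560
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b2a8964598e1c2170d1c854432a35821826e18a67264e72011c0bc4b0161309dN.exe")

# Child PIDs in the order the tree above lists them.
PING_PIDS = [2904, 4620, 3024, 4924, 220, 3352, 1124, 832, 3612, 4212,
             1176, 3932, 1192, 4808, 3120, 976, 2524, 2108, 1576, 2916]
REG_PIDS = [3288, 1312, 2024, 4216, 2592, 392, 4552, 1832, 3204,
            2720, 480, 1344, 408, 1608, 704, 2312, 388]
# Copied as recorded, including the missing closing quote after the /D value.
REG_CMD = (r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" '
           r'/t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe')


def rec(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


RECORDS = (
    [rec(p, SAMPLE_PID, r"C:\Windows\SysWOW64\ping.exe",
         r"C:\Windows\System32\ping.exe google.com") for p in PING_PIDS]
    + [rec(4308, SAMPLE_PID, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
           r'"\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'),
       rec(4156, SAMPLE_PID, r"C:\Windows\SysWOW64\attrib.exe",
           rf'"C:\Windows\System32\attrib.exe" +s +h {SAMPLE_EXE}')]
    + [rec(p, SAMPLE_PID, r"C:\Windows\SysWOW64\REG.exe", REG_CMD) for p in REG_PIDS]
)

USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\")
DOUBLE_EXT = re.compile(r"(?i)\.(exe|dll|scr|com|bat|cmd)\.(exe|dll|scr|com|bat|cmd)$")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?$")
# .NET utilities commonly used as injection hosts; with no arguments they do nothing useful.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def reg_arg(flag, text):
    """Value of a REG.exe flag, quoted or bare; tolerates a missing closing quote."""
    m = re.search(r"(?i)" + re.escape(flag) + r'\s+(?:"([^"]*)"?|(\S+))', text)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def check_reg_add(cmdline):
    """Findings for a REG ADD that plants an autorun value."""
    m = re.search(r'(?i)^\s*(?:"[^"]*reg(?:\.exe)?"|\S*reg(?:\.exe)?)\s+ADD\s+"?([^"\s]+)"?', cmdline)
    if not m or not RUN_KEY.search(m.group(1)):
        return []
    name, data = reg_arg("/V", cmdline) or "", reg_arg("/D", cmdline) or ""
    out = [f"autorun value {name!r} -> {data}"]
    if USER_WRITABLE.search(data):
        out.append("autorun target lives in a user-writable directory")
    if DOUBLE_EXT.search(basename(data)):
        out.append("autorun target has a double extension")
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", name)]
    if words and not any(w in dirname(data).lower() for w in words):
        out.append("autorun value name does not match its target path (masquerading)")
    return out


def check_attrib(cmdline):
    """attrib +h (here +s +h) on a file in a user-writable directory hides the dropper."""
    m = re.search(r'(?i)attrib(?:\.exe)?"?\s+((?:[+-][rashoi]\s+)+)(.+?)\s*$', cmdline)
    if not m or "+h" not in m.group(1).lower():
        return []
    target = m.group(2).strip('"')
    out = [f"hidden attribute set on {basename(target)}"]
    if USER_WRITABLE.search(target):
        out.append("hidden file is in a user-writable directory")
    return out


def check_net_host(record, parent_image):
    """A .NET utility started with no arguments by a parent in a temp dir: injection host."""
    if basename(record["image"]).lower() not in NET_HOSTS:
        return []
    if not re.fullmatch(r'\s*(?:"[^"]*"|\S+)\s*', record["cmdline"]):
        return []  # real arguments present; probably a genuine build or install step
    out = [f"{basename(record['image'])} launched with no arguments"]
    if USER_WRITABLE.search(parent_image):
        out.append("parent runs from a user-writable directory")
    return out


def check_ping_loop(records, threshold=5):
    """Many ping.exe children of one parent: a connectivity check used as a sleep loop."""
    counts = Counter(r["ppid"] for r in records if basename(r["image"]).lower() == "ping.exe")
    return {ppid: n for ppid, n in counts.items() if n >= threshold}


def analyze(records, parent_images):
    """Run every rule; return {pid: [finding, ...]} for processes with at least one finding."""
    findings = {}
    for r in records:
        hits = (check_reg_add(r["cmdline"]) + check_attrib(r["cmdline"])
                + check_net_host(r, parent_images.get(r["ppid"], "")))
        if hits:
            findings[r["pid"]] = hits
    for ppid, n in check_ping_loop(records).items():
        findings.setdefault(ppid, []).append(f"spawned {n} ping.exe children")
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(analyze(RECORDS, {SAMPLE_PID: SAMPLE_EXE}).items()):
        print(pid, *hits, sep="\n    ")
```

The name-mismatch rule is a heuristic: it asks whether any word of the Run value name ("Google", "Chrome") appears in the directory of the target, which is true for a genuine Google install under Program Files and false for AppData\Roaming\subfolder. The command-line parsing is regex-based rather than shlex-based on purpose, because the recorded REG ADD line has an unterminated quote that a strict tokenizer rejects.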
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Defense Evasion
  Hide Artifacts (T1564): 2
    Hidden Files and Directories (T1564.001): 2
  Modify Registry (T1112): 1
Downloads
Filesize: 349KB
MD5: bc602feba48e4ba76984db466b92e147
SHA1: 2b2f7948d2b5238369b472ac847386c51c0f6630
SHA256: fc505f0beca1c8e379e925360d6902113db821870a59582ed22c8faf19a226e4
SHA512: 0d65e31bbf6983a9919099dd23495c484ad0c3a568e9d7d7f37567b5534b5d4f2cf15cb2fad184bfdeffd8ee3ce14fc14660533c95de2bf2ccb133a8ffa56175
This file has the same size as the submitted sample but different hashes, so it is a distinct artifact rather than a copy of the input.