ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722

Analysis

max time kernel
116s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
Size

349KB
MD5

5d929e7b06a574cd700704e8b9884e40
SHA1

048e54ea2a706db940cae495b643585fa3b4407d
SHA256

ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722
SHA512

de2b5b3f11c9b1a316e8aa132022adb0e165e379d06120ee404207c962bb0eeb985115417c1b08e6633f6813aaf5d7710a1351c9e221d1ac40738cc100db6b93
SSDEEP

6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIc:FB1Q6rpr7MrswfLjGwW5xFdRyJpX

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2960	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

REG.exeping.exeping.exeping.exeREG.exeREG.exeREG.exeping.exeREG.exeping.exeattrib.exeping.exeREG.exeREG.exeba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exeping.exeREG.exeping.exeREG.exeping.exeping.exeping.exeping.exeping.exeping.exeREG.exeREG.exeping.exeping.exeping.exeping.exeping.exeping.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	Process
4552	ping.exe
3504	ping.exe
884	ping.exe
1236	ping.exe
3708	ping.exe
4960	ping.exe
556	ping.exe
3908	ping.exe
4524	ping.exe
5100	ping.exe
3968	ping.exe
4408	ping.exe
4312	ping.exe
1296	ping.exe
2160	ping.exe
464	ping.exe
2700	ping.exe
1396	ping.exe
2244	ping.exe
1508	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	Process
3968	ping.exe
884	ping.exe
1236	ping.exe
464	ping.exe
2700	ping.exe
1296	ping.exe
3908	ping.exe
4524	ping.exe
1396	ping.exe
4552	ping.exe
2160	ping.exe
4960	ping.exe
4408	ping.exe
556	ping.exe
4312	ping.exe
5100	ping.exe
2244	ping.exe
3504	ping.exe
3708	ping.exe
1508	ping.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe

pid	Process
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe

description	pid	Process
Token: SeDebugPrivilege	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe

description	pid	Process	procid_target
PID 3384 wrote to memory of 3968	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	85
PID 3384 wrote to memory of 3968	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	85
PID 3384 wrote to memory of 3968	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	85
PID 3384 wrote to memory of 3908	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	87
PID 3384 wrote to memory of 3908	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	87
PID 3384 wrote to memory of 3908	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	87
PID 3384 wrote to memory of 3504	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	93
PID 3384 wrote to memory of 3504	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	93
PID 3384 wrote to memory of 3504	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	93
PID 3384 wrote to memory of 2160	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	96
PID 3384 wrote to memory of 2160	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	96
PID 3384 wrote to memory of 2160	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	96
PID 3384 wrote to memory of 4524	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	100
PID 3384 wrote to memory of 4524	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	100
PID 3384 wrote to memory of 4524	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	100
PID 3384 wrote to memory of 884	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	102
PID 3384 wrote to memory of 884	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	102
PID 3384 wrote to memory of 884	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	102
PID 3384 wrote to memory of 1236	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	104
PID 3384 wrote to memory of 1236	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	104
PID 3384 wrote to memory of 1236	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	104
PID 3384 wrote to memory of 3708	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	106
PID 3384 wrote to memory of 3708	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	106
PID 3384 wrote to memory of 3708	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	106
PID 3384 wrote to memory of 4960	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	109
PID 3384 wrote to memory of 4960	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	109
PID 3384 wrote to memory of 4960	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	109
PID 3384 wrote to memory of 4408	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	112
PID 3384 wrote to memory of 4408	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	112
PID 3384 wrote to memory of 4408	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	112
PID 3384 wrote to memory of 2664	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	114
PID 3384 wrote to memory of 2664	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	114
PID 3384 wrote to memory of 2664	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	114
PID 3384 wrote to memory of 2960	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	115
PID 3384 wrote to memory of 2960	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	115
PID 3384 wrote to memory of 2960	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	115
PID 3384 wrote to memory of 464	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	117
PID 3384 wrote to memory of 464	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	117
PID 3384 wrote to memory of 464	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	117
PID 3384 wrote to memory of 2700	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	119
PID 3384 wrote to memory of 2700	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	119
PID 3384 wrote to memory of 2700	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	119
PID 3384 wrote to memory of 556	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	121
PID 3384 wrote to memory of 556	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	121
PID 3384 wrote to memory of 556	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	121
PID 3384 wrote to memory of 4312	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	123
PID 3384 wrote to memory of 4312	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	123
PID 3384 wrote to memory of 4312	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	123
PID 3384 wrote to memory of 1396	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	125
PID 3384 wrote to memory of 1396	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	125
PID 3384 wrote to memory of 1396	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	125
PID 3384 wrote to memory of 5100	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	127
PID 3384 wrote to memory of 5100	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	127
PID 3384 wrote to memory of 5100	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	127
PID 3384 wrote to memory of 2244	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	129
PID 3384 wrote to memory of 2244	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	129
PID 3384 wrote to memory of 2244	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	129
PID 3384 wrote to memory of 1508	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	131
PID 3384 wrote to memory of 1508	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	131
PID 3384 wrote to memory of 1508	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	131
PID 3384 wrote to memory of 4552	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	133
PID 3384 wrote to memory of 4552	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	133
PID 3384 wrote to memory of 4552	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	133
PID 3384 wrote to memory of 1296	3384	ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
"C:\Users\Admin\AppData\Local\Temp\ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3968
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3908
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3504
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2160
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4524
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:884
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1236
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3708
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4960
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4408
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\ba24b8530032ea9cd892adb890ba9e5e44b098232760cc83cd477af49c568722N.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2960
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:464
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2700
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:556
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4312
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1396
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5100
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2244
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1508
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4552
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1296
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1612
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4808
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4064
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1284
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1216
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3312
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe

Filesize
349KB

MD5
de2545bf1578205589b2d69e0f41257a

SHA1
f6f357e071c5b1809756ecb39ff250727bd256e9

SHA256
ab60f36ce7b6d1f86e8c1c609ea9d7ac6b1015996c8019e8664f107e32a09c9c

SHA512
a690b105b72be7043afe9890390b6d3760883952389916c8c949ce72e3f59b1c9cd5106dfbee4b59fe7d60fd80032df600cb17ab6c3ea4acb7fcc5eeac914559

Download Submit
memory/3384-0-0x0000000074AC2000-0x0000000074AC3000-memory.dmp

Filesize
4KB

Download
memory/3384-1-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/3384-2-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/3384-4-0x0000000074AC2000-0x0000000074AC3000-memory.dmp

Filesize
4KB

Download
memory/3384-5-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download