ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
Size

349KB
MD5

a285d4e1a31b64a3dced24e941a79aa0
SHA1

780cef49a6992e54a2c4f19cc0d986343f15f23d
SHA256

ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736
SHA512

6e5edce26f097b1de811fc8a8319e003bd64d5c84d6c48830245d1ed8948ee023ee45c2754d21a5a30685be73d4be6b4d6270091b6e4e14f134a6eda5c79f668
SSDEEP

6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIm:FB1Q6rpr7MrswfLjGwW5xFdRyJpB

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
1860	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ping.exeping.exeREG.exeREG.exeping.exeping.exeattrib.exeREG.exeping.exeping.exeping.exeping.exeea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exeping.exeping.exeping.exeping.exeREG.exeping.exeREG.exeREG.exeping.exeping.exeREG.exeREG.exeping.exeping.exeping.exeREG.exeREG.exeREG.exeREG.exeping.exeping.exeREG.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	Process
648	ping.exe
4460	ping.exe
2452	ping.exe
1072	ping.exe
4992	ping.exe
512	ping.exe
1568	ping.exe
2544	ping.exe
1684	ping.exe
4336	ping.exe
1176	ping.exe
1480	ping.exe
4716	ping.exe
4228	ping.exe
1872	ping.exe
1212	ping.exe
4304	ping.exe
1792	ping.exe
3460	ping.exe
3172	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	Process
1176	ping.exe
1480	ping.exe
1568	ping.exe
3172	ping.exe
4304	ping.exe
1872	ping.exe
4460	ping.exe
1212	ping.exe
1684	ping.exe
1072	ping.exe
3460	ping.exe
4336	ping.exe
1792	ping.exe
2452	ping.exe
4992	ping.exe
4228	ping.exe
4716	ping.exe
2544	ping.exe
648	ping.exe
512	ping.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe

pid	Process
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe

description	pid	Process
Token: SeDebugPrivilege	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe

description	pid	Process	procid_target
PID 2412 wrote to memory of 1212	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	94
PID 2412 wrote to memory of 1212	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	94
PID 2412 wrote to memory of 1212	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	94
PID 2412 wrote to memory of 4228	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	99
PID 2412 wrote to memory of 4228	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	99
PID 2412 wrote to memory of 4228	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	99
PID 2412 wrote to memory of 4716	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	104
PID 2412 wrote to memory of 4716	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	104
PID 2412 wrote to memory of 4716	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	104
PID 2412 wrote to memory of 2544	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	107
PID 2412 wrote to memory of 2544	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	107
PID 2412 wrote to memory of 2544	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	107
PID 2412 wrote to memory of 3172	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	110
PID 2412 wrote to memory of 3172	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	110
PID 2412 wrote to memory of 3172	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	110
PID 2412 wrote to memory of 4304	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	115
PID 2412 wrote to memory of 4304	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	115
PID 2412 wrote to memory of 4304	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	115
PID 2412 wrote to memory of 1684	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	118
PID 2412 wrote to memory of 1684	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	118
PID 2412 wrote to memory of 1684	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	118
PID 2412 wrote to memory of 648	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	123
PID 2412 wrote to memory of 648	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	123
PID 2412 wrote to memory of 648	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	123
PID 2412 wrote to memory of 4336	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	126
PID 2412 wrote to memory of 4336	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	126
PID 2412 wrote to memory of 4336	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	126
PID 2412 wrote to memory of 1176	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	129
PID 2412 wrote to memory of 1176	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	129
PID 2412 wrote to memory of 1176	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	129
PID 2412 wrote to memory of 1108	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	132
PID 2412 wrote to memory of 1108	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	132
PID 2412 wrote to memory of 1108	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	132
PID 2412 wrote to memory of 1860	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	133
PID 2412 wrote to memory of 1860	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	133
PID 2412 wrote to memory of 1860	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	133
PID 2412 wrote to memory of 1792	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	134
PID 2412 wrote to memory of 1792	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	134
PID 2412 wrote to memory of 1792	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	134
PID 2412 wrote to memory of 1480	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	138
PID 2412 wrote to memory of 1480	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	138
PID 2412 wrote to memory of 1480	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	138
PID 2412 wrote to memory of 1872	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	142
PID 2412 wrote to memory of 1872	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	142
PID 2412 wrote to memory of 1872	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	142
PID 2412 wrote to memory of 4460	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	146
PID 2412 wrote to memory of 4460	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	146
PID 2412 wrote to memory of 4460	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	146
PID 2412 wrote to memory of 2452	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	149
PID 2412 wrote to memory of 2452	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	149
PID 2412 wrote to memory of 2452	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	149
PID 2412 wrote to memory of 1072	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	152
PID 2412 wrote to memory of 1072	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	152
PID 2412 wrote to memory of 1072	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	152
PID 2412 wrote to memory of 3460	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	155
PID 2412 wrote to memory of 3460	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	155
PID 2412 wrote to memory of 3460	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	155
PID 2412 wrote to memory of 4992	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	158
PID 2412 wrote to memory of 4992	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	158
PID 2412 wrote to memory of 4992	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	158
PID 2412 wrote to memory of 512	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	161
PID 2412 wrote to memory of 512	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	161
PID 2412 wrote to memory of 512	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	161
PID 2412 wrote to memory of 1568	2412	ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe	164

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
1860	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
"C:\Users\Admin\AppData\Local\Temp\ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1212
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4228
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4716
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2544
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3172
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4304
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1684
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:648
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4336
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1108
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\ea257eb429b659ce0f0038db2bc0da5bc69b995a2c01415130df9929101f8736N.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1860
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1792
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1480
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1872
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4460
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2452
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1072
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3460
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4992
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:512
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1568
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3968
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4188
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4012
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:744
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3472
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4480
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3620
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe

Filesize
349KB

MD5
17518c53ffede528ac83a8eb6339cae4

SHA1
b391c7573e790a9853baf95173ec4513b2ac5528

SHA256
77ce6443e5520257e8e5e25c9de22eb45b1f64892608d7c4ffeb6f466ec2dcb7

SHA512
57f88a8ed57a1f8cf7a5f5e536cca696969868ae1b4fd2bd2e44042962c5b7faeff15ff08f1a54ceb4cfa235597ff8e8938e1932b24b6dcbd9f7c39ad298d08d

Download Submit
memory/2412-0-0x00000000754F2000-0x00000000754F3000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x00000000754F0000-0x0000000075AA1000-memory.dmp

Filesize
5.7MB

Download
memory/2412-2-0x00000000754F0000-0x0000000075AA1000-memory.dmp

Filesize
5.7MB

Download
memory/2412-4-0x00000000754F2000-0x00000000754F3000-memory.dmp

Filesize
4KB

Download
memory/2412-5-0x00000000754F0000-0x0000000075AA1000-memory.dmp

Filesize
5.7MB

Download