45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eec

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
Size

349KB
MD5

a3e1064ea4a191ba97368e7e176b9590
SHA1

dc8edb45c4f7c85ad885ba0e69ae7f332492f4f7
SHA256

45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eec
SHA512

7667265fe3162d41faa3781a51993a319447d1a0ae9ba1b2819debb8db676fa54a7edf5c97c1a4f4bdc43d7cf3e2f29a9c541e44906f5c1e0b3f1e4dc06262d6
SSDEEP

6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIA:FB1Q6rpr7MrswfLjGwW5xFdRyJpD

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
5020	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ping.exeping.exeREG.exeREG.exeREG.exeping.exeping.exeattrib.exeping.exeREG.exe45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exeping.exeping.exeREG.exeping.exeping.exeREG.exeREG.exeping.exeping.exeping.exeping.exeping.exeREG.exeping.exeping.exeREG.exeping.exeping.exeping.exeREG.exeREG.exeping.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	Process
4452	ping.exe
2148	ping.exe
3148	ping.exe
2596	ping.exe
4532	ping.exe
1572	ping.exe
644	ping.exe
2460	ping.exe
1488	ping.exe
4256	ping.exe
2016	ping.exe
4340	ping.exe
3272	ping.exe
2356	ping.exe
3040	ping.exe
3516	ping.exe
5076	ping.exe
5108	ping.exe
1900	ping.exe
4504	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	Process
1900	ping.exe
3516	ping.exe
3148	ping.exe
2016	ping.exe
4532	ping.exe
4504	ping.exe
4452	ping.exe
3040	ping.exe
4340	ping.exe
644	ping.exe
4256	ping.exe
5076	ping.exe
3272	ping.exe
1572	ping.exe
2148	ping.exe
2596	ping.exe
5108	ping.exe
2356	ping.exe
2460	ping.exe
1488	ping.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe

pid	Process
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe

description	pid	Process
Token: SeDebugPrivilege	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe

description	pid	Process	procid_target
PID 4164 wrote to memory of 3272	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	93
PID 4164 wrote to memory of 3272	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	93
PID 4164 wrote to memory of 3272	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	93
PID 4164 wrote to memory of 1572	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	97
PID 4164 wrote to memory of 1572	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	97
PID 4164 wrote to memory of 1572	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	97
PID 4164 wrote to memory of 4452	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	99
PID 4164 wrote to memory of 4452	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	99
PID 4164 wrote to memory of 4452	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	99
PID 4164 wrote to memory of 2356	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	101
PID 4164 wrote to memory of 2356	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	101
PID 4164 wrote to memory of 2356	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	101
PID 4164 wrote to memory of 2148	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	103
PID 4164 wrote to memory of 2148	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	103
PID 4164 wrote to memory of 2148	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	103
PID 4164 wrote to memory of 644	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	105
PID 4164 wrote to memory of 644	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	105
PID 4164 wrote to memory of 644	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	105
PID 4164 wrote to memory of 3040	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	107
PID 4164 wrote to memory of 3040	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	107
PID 4164 wrote to memory of 3040	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	107
PID 4164 wrote to memory of 2460	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	109
PID 4164 wrote to memory of 2460	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	109
PID 4164 wrote to memory of 2460	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	109
PID 4164 wrote to memory of 1488	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	114
PID 4164 wrote to memory of 1488	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	114
PID 4164 wrote to memory of 1488	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	114
PID 4164 wrote to memory of 4256	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	117
PID 4164 wrote to memory of 4256	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	117
PID 4164 wrote to memory of 4256	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	117
PID 4164 wrote to memory of 4780	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	119
PID 4164 wrote to memory of 4780	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	119
PID 4164 wrote to memory of 4780	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	119
PID 4164 wrote to memory of 5020	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	120
PID 4164 wrote to memory of 5020	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	120
PID 4164 wrote to memory of 5020	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	120
PID 4164 wrote to memory of 3516	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	121
PID 4164 wrote to memory of 3516	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	121
PID 4164 wrote to memory of 3516	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	121
PID 4164 wrote to memory of 3148	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	124
PID 4164 wrote to memory of 3148	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	124
PID 4164 wrote to memory of 3148	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	124
PID 4164 wrote to memory of 2016	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	126
PID 4164 wrote to memory of 2016	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	126
PID 4164 wrote to memory of 2016	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	126
PID 4164 wrote to memory of 4340	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	128
PID 4164 wrote to memory of 4340	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	128
PID 4164 wrote to memory of 4340	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	128
PID 4164 wrote to memory of 2596	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	130
PID 4164 wrote to memory of 2596	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	130
PID 4164 wrote to memory of 2596	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	130
PID 4164 wrote to memory of 1900	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	132
PID 4164 wrote to memory of 1900	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	132
PID 4164 wrote to memory of 1900	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	132
PID 4164 wrote to memory of 5076	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	134
PID 4164 wrote to memory of 5076	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	134
PID 4164 wrote to memory of 5076	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	134
PID 4164 wrote to memory of 5108	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	136
PID 4164 wrote to memory of 5108	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	136
PID 4164 wrote to memory of 5108	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	136
PID 4164 wrote to memory of 4532	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	139
PID 4164 wrote to memory of 4532	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	139
PID 4164 wrote to memory of 4532	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	139
PID 4164 wrote to memory of 4504	4164	45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe	141

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
5020	attrib.exe

C:\Users\Admin\AppData\Local\Temp\45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
"C:\Users\Admin\AppData\Local\Temp\45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3272
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1572
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4452
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2356
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2148
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:644
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3040
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2460
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1488
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4256
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4780
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\45ad9188b13e9e1c42739db3c1edacfed7f1dc77de7d7ca9cfd7d9a575197eecN.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5020
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3516
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3148
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2016
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4340
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2596
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1900
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5076
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5108
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4532
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4504
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3788
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1040
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3852
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4464
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe

Filesize
349KB

MD5
3e9417641b475940fa3fea6e3cb55bc2

SHA1
5657854c1caa758ccbc5a1356de8ea57bd49f650

SHA256
8a1878af9e447ef36cc434ad98121dff9cb512eb1d2621119de9a28972df71c1

SHA512
23099fba88d943538c1cde46f5e8e1681c26bc53a62c15d21bf80de35b79ae0d9fb2179b776ba77a8db262293fd4c2d35080715f07fd638e3ac999535ba14069

Download Submit
memory/4164-0-0x0000000074842000-0x0000000074843000-memory.dmp

Filesize
4KB

Download
memory/4164-1-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-2-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-4-0x0000000074842000-0x0000000074843000-memory.dmp

Filesize
4KB

Download
memory/4164-5-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download