Analysis
  max time kernel: 149s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  submitted: 03/11/2024, 05:22
  Static task: static1
  Behavioral task: behavioral1
    Sample: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
    Resource: win7-20240903-en
General
  Target: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
  Size: 6.9MB
  MD5: 7782313610d52eefec33d75a5035806f
  SHA1: a577a87906dc22cd92ca8a1c51fc28d1ec7d7637
  SHA256: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb
  SHA512: 463da44fd72660166a3c350afba8867419948d0e1f761ac9e76e2b4c9c4f25d1d2ae098766d3c70794fe74a618534992ed2b80f0a71707652bf9efea50eb9586
  SSDEEP: 98304:rIyVIyQWQtZ/K0tGOFWVRuLftCTzLapI9:tXQWyZ/K0ttYVAATzcI9
Malware Config
Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Executes dropped EXE 2 IoCs
  pid   Process
  3136  UpdatAuto.exe
  4432  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe

Drops file in System32 directory 4 IoCs
  description                   ioc                                Process
  File opened for modification  C:\Windows\SysWOW64\Option.bat     UpdatAuto.exe
  File opened for modification  C:\Windows\SysWOW64\UpdatAuto.exe  UpdatAuto.exe
  File created                  C:\Windows\SysWOW64\Option.bat     e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
  File opened for modification  C:\Windows\SysWOW64\UpdatAuto.exe  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe

Drops file in Program Files directory 64 IoCs
Launches sc.exe 5 IoCs
sc.exe is a Windows utility to control services on the system.
  pid   Process
  3372  sc.exe
  4968  sc.exe
  3620  sc.exe
  2560  sc.exe
  960   sc.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Runs net.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
  pid   Process
  1512  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
  3136  UpdatAuto.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe (PID 1512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe"
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 4664)
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
        Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\UpdatAuto.exe (PID 3136)
        Command line: C:\Windows\system32\UpdatAuto.exe
        Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\cmd.exe (PID 3352)
            Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
            Signatures: System Location Discovery: System Language Discovery

    - C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe (PID 4432)
        Command line: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
        Signatures: Executes dropped EXE

    - C:\Windows\SysWOW64\cmd.exe (PID 2372)
        Command line: cmd.exe /c net stop sharedaccess
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\net.exe (PID 1604)
            Command line: net stop sharedaccess
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

            - C:\Windows\SysWOW64\net1.exe (PID 1960)
                Command line: C:\Windows\system32\net1 stop sharedaccess
                Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmd.exe (PID 4116)
        Command line: cmd.exe /c net stop wuauserv
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\net.exe (PID 5108)
            Command line: net stop wuauserv
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

            - C:\Windows\SysWOW64\net1.exe (PID 3764)
                Command line: C:\Windows\system32\net1 stop wuauserv
                Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmd.exe (PID 4568)
        Command line: cmd.exe /c net stop wscsvc
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\net.exe (PID 1996)
            Command line: net stop wscsvc
            Signatures: System Location Discovery: System Language Discovery

            - C:\Windows\SysWOW64\net1.exe (PID 2684)
                Command line: C:\Windows\system32\net1 stop wscsvc
                Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmd.exe (PID 1832)
        Command line: cmd.exe /c net stop srservice
        Signatures: System Location Discovery: System Language Discovery

        - C:\Windows\SysWOW64\net.exe (PID 1468)
            Command line: net stop srservice
            Signatures: System Location Discovery: System Language Discovery

            - C:\Windows\SysWOW64\net1.exe (PID 2340)
                Command line: C:\Windows\system32\net1 stop srservice
                Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmd.exe (PID 2416)
        Command line: cmd.exe /c net start TlntSvr
        Signatures: System Location Discovery: System Language Discovery

        - C:\Windows\SysWOW64\net.exe (PID 2092)
            Command line: net start TlntSvr
            Signatures: System Location Discovery: System Language Discovery

            - C:\Windows\SysWOW64\net1.exe (PID 4456)
                Command line: C:\Windows\system32\net1 start TlntSvr
                Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmd.exe (PID 5080)
        Command line: cmd.exe /c net user helpassistant 123456
        Signatures: System Location Discovery: System Language Discovery

        - C:\Windows\SysWOW64\net.exe (PID 616)
            Command line: net user helpassistant 123456
            Signatures: System Location Discovery: System Language Discovery

            - C:\Windows\SysWOW64\net1.exe (PID 2428)
                Command line: C:\Windows\system32\net1 user helpassistant 123456
                Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmd.exe (PID 2424)
        Command line: cmd.exe /c net localgroup administrators helpassistant /add
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\net.exe (PID 2696)
            Command line: net localgroup administrators helpassistant /add
            Signatures: System Location Discovery: System Language Discovery

            - C:\Windows\SysWOW64\net1.exe (PID 1184)
                Command line: C:\Windows\system32\net1 localgroup administrators helpassistant /add
                Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\sc.exe (PID 3620)
        Command line: sc config srservice start= disabled
        Signatures: Launches sc.exe; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\sc.exe (PID 4968)
        Command line: sc config SharedAccess start= disabled
        Signatures: Launches sc.exe; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\sc.exe (PID 3372)
        Command line: sc config wuauserv start= disabled
        Signatures: Launches sc.exe; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\sc.exe (PID 960)
        Command line: sc config wscsvc start= disabled
        Signatures: Launches sc.exe; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\sc.exe (PID 2560)
        Command line: sc config srservice start= disabled
        Signatures: Launches sc.exe; System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
  Persistence
    Account Manipulation (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Privilege Escalation
    Account Manipulation (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads