netwire | 7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844ef

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
Size

178KB
MD5

a7d5092da73585e1a8d64a9ce6b84ad0
SHA1

f1f8d3245cf5319eb11204d414cf46f4dff4aab9
SHA256

7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844ef
SHA512

196327aea9e7e00d9c4c5962d53a828cefa62a42cb8b1caebd46ea65db13ed4bfe1b8301f46a6f7716a59d22486551e2414623bb2c5d6eabc384d1a3dc4517bc
SSDEEP

3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPw3:I7VzxYnWI6agAalr4UrPp8WStPQu28U

Score

10^/10

netwire botnet discovery evasion persistence rat stealer

Malware Config

Extracted

Family

netwire

wallou.publicvm.com:3365

mediafire.duckdns.org:3365

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
DLL2
keylogger_dir
%AppData%\System\
lock_executable
true
mutex
KgpcGWmM
offline_keylogger
true
password
Reborn
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2632-15-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2632-12-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2632-18-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Loads dropped DLL 1 IoCs

pid	Process
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2632	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1004	ping.exe
2536	ping.exe
2112	ping.exe
540	ping.exe
2512	ping.exe
2100	ping.exe
2872	ping.exe
2876	ping.exe
2352	ping.exe
2796	ping.exe
2552	ping.exe
1400	ping.exe
1928	ping.exe
2528	ping.exe
1108	ping.exe
2072	ping.exe
2152	ping.exe
3016	ping.exe
2588	ping.exe
2384	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
2100	ping.exe
1004	ping.exe
2112	ping.exe
540	ping.exe
2512	ping.exe
2552	ping.exe
2072	ping.exe
3016	ping.exe
2588	ping.exe
2536	ping.exe
2528	ping.exe
2152	ping.exe
2796	ping.exe
2872	ping.exe
1400	ping.exe
2876	ping.exe
2384	ping.exe
1928	ping.exe
2352	ping.exe
1108	ping.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2796	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	30
PID 2400 wrote to memory of 2796	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	30
PID 2400 wrote to memory of 2796	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	30
PID 2400 wrote to memory of 2796	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	30
PID 2400 wrote to memory of 2100	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	32
PID 2400 wrote to memory of 2100	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	32
PID 2400 wrote to memory of 2100	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	32
PID 2400 wrote to memory of 2100	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	32
PID 2400 wrote to memory of 2872	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	34
PID 2400 wrote to memory of 2872	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	34
PID 2400 wrote to memory of 2872	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	34
PID 2400 wrote to memory of 2872	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	34
PID 2400 wrote to memory of 2552	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	36
PID 2400 wrote to memory of 2552	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	36
PID 2400 wrote to memory of 2552	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	36
PID 2400 wrote to memory of 2552	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	36
PID 2400 wrote to memory of 3016	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	38
PID 2400 wrote to memory of 3016	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	38
PID 2400 wrote to memory of 3016	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	38
PID 2400 wrote to memory of 3016	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	38
PID 2400 wrote to memory of 1400	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	40
PID 2400 wrote to memory of 1400	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	40
PID 2400 wrote to memory of 1400	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	40
PID 2400 wrote to memory of 1400	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	40
PID 2400 wrote to memory of 2876	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	42
PID 2400 wrote to memory of 2876	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	42
PID 2400 wrote to memory of 2876	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	42
PID 2400 wrote to memory of 2876	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	42
PID 2400 wrote to memory of 2588	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	44
PID 2400 wrote to memory of 2588	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	44
PID 2400 wrote to memory of 2588	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	44
PID 2400 wrote to memory of 2588	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	44
PID 2400 wrote to memory of 2384	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	46
PID 2400 wrote to memory of 2384	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	46
PID 2400 wrote to memory of 2384	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	46
PID 2400 wrote to memory of 2384	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	46
PID 2400 wrote to memory of 1004	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	48
PID 2400 wrote to memory of 1004	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	48
PID 2400 wrote to memory of 1004	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	48
PID 2400 wrote to memory of 1004	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	48
PID 2400 wrote to memory of 1976	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	50
PID 2400 wrote to memory of 1976	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	50
PID 2400 wrote to memory of 1976	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	50
PID 2400 wrote to memory of 1976	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	50
PID 2400 wrote to memory of 2348	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	52
PID 2400 wrote to memory of 2348	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	52
PID 2400 wrote to memory of 2348	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	52
PID 2400 wrote to memory of 2348	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	52
PID 2400 wrote to memory of 2536	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	53
PID 2400 wrote to memory of 2536	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	53
PID 2400 wrote to memory of 2536	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	53
PID 2400 wrote to memory of 2536	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	53
PID 2400 wrote to memory of 1928	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	56
PID 2400 wrote to memory of 1928	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	56
PID 2400 wrote to memory of 1928	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	56
PID 2400 wrote to memory of 1928	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	56
PID 2400 wrote to memory of 2528	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	58
PID 2400 wrote to memory of 2528	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	58
PID 2400 wrote to memory of 2528	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	58
PID 2400 wrote to memory of 2528	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	58
PID 2400 wrote to memory of 2112	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	60
PID 2400 wrote to memory of 2112	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	60
PID 2400 wrote to memory of 2112	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	60
PID 2400 wrote to memory of 2112	2400	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	60

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
"C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2796
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2100
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2872
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2552
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3016
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1400
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2876
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2588
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2384
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1004
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1976
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2536
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1928
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2528
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2112
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2352
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1108
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:540
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2072
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2512
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
  "C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:812
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2560
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IntelCore\IntelCore.exe

Filesize
178KB

MD5
6cd62ad9e1ee77f07ca66b2b62c0ca6e

SHA1
a6c56929ecebc7b9b5d1b6b9b9be017bd5090381

SHA256
5b56065fc6af397beb3c7dbf421024f6178505e4e9550638622c673dfd6d618f

SHA512
64ca283a063e4870734d01c55c721130b89969f9385e2664ae45022f47741c753d9fc8344f89053ed4961fc33dcbffdc5c87c0c440424ddced3c2eccca35f953

Download Submit
\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Filesize
178KB

MD5
a7d5092da73585e1a8d64a9ce6b84ad0

SHA1
f1f8d3245cf5319eb11204d414cf46f4dff4aab9

SHA256
7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844ef

SHA512
196327aea9e7e00d9c4c5962d53a828cefa62a42cb8b1caebd46ea65db13ed4bfe1b8301f46a6f7716a59d22486551e2414623bb2c5d6eabc384d1a3dc4517bc

Download Submit
memory/2400-0-0x0000000074601000-0x0000000074602000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2400-2-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2400-3-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2632-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2632-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2632-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2632-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2632-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download