7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844ef

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
Size

178KB
MD5

a7d5092da73585e1a8d64a9ce6b84ad0
SHA1

f1f8d3245cf5319eb11204d414cf46f4dff4aab9
SHA256

7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844ef
SHA512

196327aea9e7e00d9c4c5962d53a828cefa62a42cb8b1caebd46ea65db13ed4bfe1b8301f46a6f7716a59d22486551e2414623bb2c5d6eabc384d1a3dc4517bc
SSDEEP

3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPw3:I7VzxYnWI6agAalr4UrPp8WStPQu28U

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2368	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Executes dropped EXE 1 IoCs

pid	Process
208	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3152	ping.exe
5032	ping.exe
2380	ping.exe
4800	ping.exe
584	ping.exe
8	ping.exe
3248	ping.exe
1548	ping.exe
4884	ping.exe
5064	ping.exe
2428	ping.exe
3388	ping.exe
3976	ping.exe
1132	ping.exe
3984	ping.exe
504	ping.exe
4432	ping.exe
4032	ping.exe
2912	ping.exe
4304	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
3248	ping.exe
4032	ping.exe
2380	ping.exe
4884	ping.exe
3976	ping.exe
4432	ping.exe
1132	ping.exe
5064	ping.exe
504	ping.exe
8	ping.exe
3388	ping.exe
5032	ping.exe
4304	ping.exe
3152	ping.exe
584	ping.exe
1548	ping.exe
3984	ping.exe
4800	ping.exe
2428	ping.exe
2912	ping.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 4884	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	85
PID 3256 wrote to memory of 4884	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	85
PID 3256 wrote to memory of 4884	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	85
PID 3256 wrote to memory of 5064	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	95
PID 3256 wrote to memory of 5064	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	95
PID 3256 wrote to memory of 5064	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	95
PID 3256 wrote to memory of 504	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	100
PID 3256 wrote to memory of 504	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	100
PID 3256 wrote to memory of 504	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	100
PID 3256 wrote to memory of 2428	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	107
PID 3256 wrote to memory of 2428	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	107
PID 3256 wrote to memory of 2428	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	107
PID 3256 wrote to memory of 4432	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	110
PID 3256 wrote to memory of 4432	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	110
PID 3256 wrote to memory of 4432	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	110
PID 3256 wrote to memory of 3388	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	113
PID 3256 wrote to memory of 3388	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	113
PID 3256 wrote to memory of 3388	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	113
PID 3256 wrote to memory of 3976	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	116
PID 3256 wrote to memory of 3976	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	116
PID 3256 wrote to memory of 3976	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	116
PID 3256 wrote to memory of 1132	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	119
PID 3256 wrote to memory of 1132	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	119
PID 3256 wrote to memory of 1132	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	119
PID 3256 wrote to memory of 3248	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	124
PID 3256 wrote to memory of 3248	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	124
PID 3256 wrote to memory of 3248	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	124
PID 3256 wrote to memory of 4032	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	128
PID 3256 wrote to memory of 4032	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	128
PID 3256 wrote to memory of 4032	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	128
PID 3256 wrote to memory of 2368	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	132
PID 3256 wrote to memory of 2368	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	132
PID 3256 wrote to memory of 2368	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	132
PID 3256 wrote to memory of 3700	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	134
PID 3256 wrote to memory of 3700	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	134
PID 3256 wrote to memory of 3700	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	134
PID 3256 wrote to memory of 2912	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	135
PID 3256 wrote to memory of 2912	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	135
PID 3256 wrote to memory of 2912	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	135
PID 3256 wrote to memory of 4304	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	139
PID 3256 wrote to memory of 4304	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	139
PID 3256 wrote to memory of 4304	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	139
PID 3256 wrote to memory of 3152	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	142
PID 3256 wrote to memory of 3152	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	142
PID 3256 wrote to memory of 3152	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	142
PID 3256 wrote to memory of 5032	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	145
PID 3256 wrote to memory of 5032	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	145
PID 3256 wrote to memory of 5032	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	145
PID 3256 wrote to memory of 2380	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	148
PID 3256 wrote to memory of 2380	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	148
PID 3256 wrote to memory of 2380	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	148
PID 3256 wrote to memory of 584	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	151
PID 3256 wrote to memory of 584	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	151
PID 3256 wrote to memory of 584	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	151
PID 3256 wrote to memory of 1548	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	154
PID 3256 wrote to memory of 1548	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	154
PID 3256 wrote to memory of 1548	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	154
PID 3256 wrote to memory of 3984	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	157
PID 3256 wrote to memory of 3984	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	157
PID 3256 wrote to memory of 3984	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	157
PID 3256 wrote to memory of 8	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	161
PID 3256 wrote to memory of 8	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	161
PID 3256 wrote to memory of 8	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	161
PID 3256 wrote to memory of 4800	3256	7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe	164

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
"C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4884
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5064
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:504
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2428
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4432
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3388
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3976
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1132
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3248
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4032
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2368
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3700
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2912
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4304
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3152
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5032
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2380
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:584
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1548
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3984
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe
  "C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe"
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4176
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3564
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4248
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1180
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3572
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1588
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4352
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IntelCore\IntelCore.exe

Filesize
178KB

MD5
28637eeaa75479efe197ff593b82411f

SHA1
d88e000cdb9f98360afa13247c788d871fb48fcd

SHA256
8c635f420b3aaff0270900c5e11ee30e25f04fadb90b75c83d4e29b5e45f1d63

SHA512
06babd50674e96687d9a9ea0238da35ba1d45615eb42f3b3373babe3143137fb40e88424a19038a2beaed5e371d33eb24bae575f0d1d49e11ce5c73f6ccaa964

Download Submit
C:\Users\Admin\AppData\Local\Temp\7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844efN.exe

Filesize
178KB

MD5
a7d5092da73585e1a8d64a9ce6b84ad0

SHA1
f1f8d3245cf5319eb11204d414cf46f4dff4aab9

SHA256
7488edaaf157dccfc9a1e423ff1cdd88fff0c9a9fc88436f524767c0bf2844ef

SHA512
196327aea9e7e00d9c4c5962d53a828cefa62a42cb8b1caebd46ea65db13ed4bfe1b8301f46a6f7716a59d22486551e2414623bb2c5d6eabc384d1a3dc4517bc

Download Submit
memory/3256-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/3256-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3256-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3256-3-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/3256-4-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download