73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
Size

178KB
MD5

ba7842cb913de2aa30b8699a1f8f32d0
SHA1

a2b2625d1bd2b0fd00ea5671856295bd9085bc10
SHA256

73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3
SHA512

2860348364518430b49cffd42f98ecd74c9926940b942c635c1f6fa83440a344c678c2c72d185c41acb53e2bbfe5c4e8878f40de4f22ae3a31b3e8846344c50d
SSDEEP

3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwV:I7VzxYnWI6agAalr4UrPp8WStPQu28I

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1984	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2108	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2384	ping.exe
2984	ping.exe
2700	ping.exe
1320	ping.exe
1528	ping.exe
924	ping.exe
1896	ping.exe
2460	ping.exe
3044	ping.exe
2940	ping.exe
2664	ping.exe
2596	ping.exe
1724	ping.exe
2424	ping.exe
1368	ping.exe
2736	ping.exe
2340	ping.exe
2172	ping.exe
2924	ping.exe
2456	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
2596	ping.exe
1724	ping.exe
2940	ping.exe
2172	ping.exe
924	ping.exe
2460	ping.exe
2736	ping.exe
2700	ping.exe
1896	ping.exe
2424	ping.exe
2924	ping.exe
2384	ping.exe
2984	ping.exe
1320	ping.exe
2664	ping.exe
2456	ping.exe
2340	ping.exe
1368	ping.exe
3044	ping.exe
1528	ping.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1368	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	30
PID 2064 wrote to memory of 1368	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	30
PID 2064 wrote to memory of 1368	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	30
PID 2064 wrote to memory of 1368	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	30
PID 2064 wrote to memory of 2384	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	32
PID 2064 wrote to memory of 2384	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	32
PID 2064 wrote to memory of 2384	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	32
PID 2064 wrote to memory of 2384	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	32
PID 2064 wrote to memory of 2460	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	35
PID 2064 wrote to memory of 2460	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	35
PID 2064 wrote to memory of 2460	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	35
PID 2064 wrote to memory of 2460	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	35
PID 2064 wrote to memory of 2984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	37
PID 2064 wrote to memory of 2984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	37
PID 2064 wrote to memory of 2984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	37
PID 2064 wrote to memory of 2984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	37
PID 2064 wrote to memory of 3044	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	39
PID 2064 wrote to memory of 3044	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	39
PID 2064 wrote to memory of 3044	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	39
PID 2064 wrote to memory of 3044	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	39
PID 2064 wrote to memory of 2736	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	41
PID 2064 wrote to memory of 2736	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	41
PID 2064 wrote to memory of 2736	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	41
PID 2064 wrote to memory of 2736	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	41
PID 2064 wrote to memory of 2700	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	43
PID 2064 wrote to memory of 2700	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	43
PID 2064 wrote to memory of 2700	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	43
PID 2064 wrote to memory of 2700	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	43
PID 2064 wrote to memory of 2596	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	45
PID 2064 wrote to memory of 2596	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	45
PID 2064 wrote to memory of 2596	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	45
PID 2064 wrote to memory of 2596	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	45
PID 2064 wrote to memory of 1724	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	47
PID 2064 wrote to memory of 1724	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	47
PID 2064 wrote to memory of 1724	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	47
PID 2064 wrote to memory of 1724	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	47
PID 2064 wrote to memory of 2940	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	49
PID 2064 wrote to memory of 2940	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	49
PID 2064 wrote to memory of 2940	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	49
PID 2064 wrote to memory of 2940	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	49
PID 2064 wrote to memory of 1984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	51
PID 2064 wrote to memory of 1984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	51
PID 2064 wrote to memory of 1984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	51
PID 2064 wrote to memory of 1984	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	51
PID 2064 wrote to memory of 2764	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	53
PID 2064 wrote to memory of 2764	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	53
PID 2064 wrote to memory of 2764	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	53
PID 2064 wrote to memory of 2764	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	53
PID 2064 wrote to memory of 1320	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	54
PID 2064 wrote to memory of 1320	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	54
PID 2064 wrote to memory of 1320	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	54
PID 2064 wrote to memory of 1320	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	54
PID 2064 wrote to memory of 1528	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	57
PID 2064 wrote to memory of 1528	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	57
PID 2064 wrote to memory of 1528	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	57
PID 2064 wrote to memory of 1528	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	57
PID 2064 wrote to memory of 2340	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	59
PID 2064 wrote to memory of 2340	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	59
PID 2064 wrote to memory of 2340	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	59
PID 2064 wrote to memory of 2340	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	59
PID 2064 wrote to memory of 2172	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	61
PID 2064 wrote to memory of 2172	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	61
PID 2064 wrote to memory of 2172	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	61
PID 2064 wrote to memory of 2172	2064	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	61

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
"C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1368
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2384
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2460
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2984
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3044
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2736
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2700
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2596
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1724
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2940
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1984
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1320
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1528
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2340
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2172
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:924
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2924
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1896
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2664
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2424
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
  "C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:888
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IntelCore\IntelCore.exe

Filesize
178KB

MD5
7634baed6ced24da30846c9937a0eee4

SHA1
69c23c2d39e1973cad2b6108a7a1a43c427cc5b8

SHA256
fab14b2706d554b30620c9ab058ebe04c6b5d48bb7ad84eef07667e9c7b1c6f8

SHA512
8071c756f4da94076488234d289f59a6f9ff051394d1d2842a7d77e977d7a5fb53658dd9e2d11f9db77b13806ddff4e0b062d148177ceed329a9e56d4c92be2e

Download Submit
\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Filesize
178KB

MD5
ba7842cb913de2aa30b8699a1f8f32d0

SHA1
a2b2625d1bd2b0fd00ea5671856295bd9085bc10

SHA256
73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3

SHA512
2860348364518430b49cffd42f98ecd74c9926940b942c635c1f6fa83440a344c678c2c72d185c41acb53e2bbfe5c4e8878f40de4f22ae3a31b3e8846344c50d

Download Submit
memory/2064-0-0x0000000074171000-0x0000000074172000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2064-2-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2064-3-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download