netwire | 73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
Size

178KB
MD5

ba7842cb913de2aa30b8699a1f8f32d0
SHA1

a2b2625d1bd2b0fd00ea5671856295bd9085bc10
SHA256

73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3
SHA512

2860348364518430b49cffd42f98ecd74c9926940b942c635c1f6fa83440a344c678c2c72d185c41acb53e2bbfe5c4e8878f40de4f22ae3a31b3e8846344c50d
SSDEEP

3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwV:I7VzxYnWI6agAalr4UrPp8WStPQu28I

Score

10^/10

netwire botnet discovery evasion persistence rat stealer

Malware Config

Extracted

Family

netwire

wallou.publicvm.com:3365

mediafire.duckdns.org:3365

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
DLL2
keylogger_dir
%AppData%\System\
lock_executable
true
mutex
KgpcGWmM
offline_keylogger
true
password
Reborn
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2368-6-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2368-12-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3088	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 2368	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	167

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4528	ping.exe
3840	ping.exe
1492	ping.exe
3148	ping.exe
912	ping.exe
3928	ping.exe
4564	ping.exe
1816	ping.exe
2980	ping.exe
1336	ping.exe
4944	ping.exe
4560	ping.exe
1676	ping.exe
2200	ping.exe
4352	ping.exe
2268	ping.exe
4788	ping.exe
4192	ping.exe
4728	ping.exe
1328	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
912	ping.exe
4560	ping.exe
1816	ping.exe
3148	ping.exe
1336	ping.exe
4944	ping.exe
2268	ping.exe
3928	ping.exe
1676	ping.exe
1328	ping.exe
1492	ping.exe
4728	ping.exe
4192	ping.exe
4528	ping.exe
4352	ping.exe
3840	ping.exe
2980	ping.exe
4788	ping.exe
4564	ping.exe
2200	ping.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1336	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	86
PID 940 wrote to memory of 1336	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	86
PID 940 wrote to memory of 1336	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	86
PID 940 wrote to memory of 4944	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	96
PID 940 wrote to memory of 4944	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	96
PID 940 wrote to memory of 4944	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	96
PID 940 wrote to memory of 912	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	101
PID 940 wrote to memory of 912	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	101
PID 940 wrote to memory of 912	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	101
PID 940 wrote to memory of 2268	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	108
PID 940 wrote to memory of 2268	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	108
PID 940 wrote to memory of 2268	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	108
PID 940 wrote to memory of 3928	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	111
PID 940 wrote to memory of 3928	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	111
PID 940 wrote to memory of 3928	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	111
PID 940 wrote to memory of 4788	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	114
PID 940 wrote to memory of 4788	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	114
PID 940 wrote to memory of 4788	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	114
PID 940 wrote to memory of 4560	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	117
PID 940 wrote to memory of 4560	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	117
PID 940 wrote to memory of 4560	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	117
PID 940 wrote to memory of 4564	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	120
PID 940 wrote to memory of 4564	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	120
PID 940 wrote to memory of 4564	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	120
PID 940 wrote to memory of 1816	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	123
PID 940 wrote to memory of 1816	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	123
PID 940 wrote to memory of 1816	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	123
PID 940 wrote to memory of 4728	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	126
PID 940 wrote to memory of 4728	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	126
PID 940 wrote to memory of 4728	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	126
PID 940 wrote to memory of 3088	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	132
PID 940 wrote to memory of 3088	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	132
PID 940 wrote to memory of 3088	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	132
PID 940 wrote to memory of 5116	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	134
PID 940 wrote to memory of 5116	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	134
PID 940 wrote to memory of 5116	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	134
PID 940 wrote to memory of 4192	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	135
PID 940 wrote to memory of 4192	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	135
PID 940 wrote to memory of 4192	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	135
PID 940 wrote to memory of 1676	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	139
PID 940 wrote to memory of 1676	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	139
PID 940 wrote to memory of 1676	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	139
PID 940 wrote to memory of 2200	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	142
PID 940 wrote to memory of 2200	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	142
PID 940 wrote to memory of 2200	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	142
PID 940 wrote to memory of 1328	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	146
PID 940 wrote to memory of 1328	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	146
PID 940 wrote to memory of 1328	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	146
PID 940 wrote to memory of 4528	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	149
PID 940 wrote to memory of 4528	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	149
PID 940 wrote to memory of 4528	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	149
PID 940 wrote to memory of 4352	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	152
PID 940 wrote to memory of 4352	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	152
PID 940 wrote to memory of 4352	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	152
PID 940 wrote to memory of 3840	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	155
PID 940 wrote to memory of 3840	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	155
PID 940 wrote to memory of 3840	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	155
PID 940 wrote to memory of 1492	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	158
PID 940 wrote to memory of 1492	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	158
PID 940 wrote to memory of 1492	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	158
PID 940 wrote to memory of 3148	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	161
PID 940 wrote to memory of 3148	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	161
PID 940 wrote to memory of 3148	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	161
PID 940 wrote to memory of 2980	940	73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe	164

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
"C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1336
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4944
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:912
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2268
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3928
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4788
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4560
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4564
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1816
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4728
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3088
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5116
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4192
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1676
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2200
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1328
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4528
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4352
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3840
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1492
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3148
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe
  "C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5040
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4752
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4104
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IntelCore\IntelCore.exe

Filesize
178KB

MD5
a23b4d5819d2e869f7d58c08c6ba69d2

SHA1
7110fcd23168eb5c818ff8f509d2cbbcd7bea19e

SHA256
78cf452e6c87ea68b0bf7eb448d06067b5ffd6d5631b0bc47f0da399247a09ef

SHA512
9488016a9e2071207d04135b74ba21a262730d826b555b787fcca054db359b5e0c09e4b4bcba9ce379b308348d82492c7e355e6eb9e9256ffc5cb1836159a57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3N.exe

Filesize
178KB

MD5
ba7842cb913de2aa30b8699a1f8f32d0

SHA1
a2b2625d1bd2b0fd00ea5671856295bd9085bc10

SHA256
73a93786fa6ce81d1d23389abfda250ea816514764d2fcc28e4837ad85fc1ba3

SHA512
2860348364518430b49cffd42f98ecd74c9926940b942c635c1f6fa83440a344c678c2c72d185c41acb53e2bbfe5c4e8878f40de4f22ae3a31b3e8846344c50d

Download Submit
memory/940-0-0x00000000748B2000-0x00000000748B3000-memory.dmp

Filesize
4KB

Download
memory/940-1-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/940-2-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/940-3-0x00000000748B2000-0x00000000748B3000-memory.dmp

Filesize
4KB

Download
memory/940-4-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2368-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2368-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download