7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
Size

349KB
MD5

353ca44d703c5912307a6e548909096b
SHA1

76a9724fc7cc628fb0f0606c6d29ea586042b769
SHA256

7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969
SHA512

5e143858f25aff8d5767e94c2a6f38fce961da8ac0f08f2cb60139cc07615ce783e64914906601cd05eeedb7258cc7cf6ae723b6d39717de352a4f3faae6a5ff
SSDEEP

6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIk:FB1Q6rpr7MrswfLjGwW5xFdRyJpd

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4352 attrib.exe

pid	process
4352	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ping.exeping.exeREG.exe7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exeping.exeping.exeping.exeREG.exeREG.exeping.exeping.exeattrib.exeREG.exeREG.exeREG.exeREG.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeREG.exeREG.exeREG.exeping.exeping.exeREG.exeping.exeping.exeREG.exeREG.exeping.exeREG.exeREG.exeREG.exeping.exeREG.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
2896	ping.exe
3684	ping.exe
4980	ping.exe
1176	ping.exe
3176	ping.exe
5076	ping.exe
2600	ping.exe
2724	ping.exe
4180	ping.exe
3008	ping.exe
4768	ping.exe
1916	ping.exe
4264	ping.exe
4884	ping.exe
4356	ping.exe
4988	ping.exe
3800	ping.exe
1012	ping.exe
1904	ping.exe
4516	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
5076	ping.exe
4180	ping.exe
4980	ping.exe
1176	ping.exe
4356	ping.exe
1904	ping.exe
3008	ping.exe
1012	ping.exe
2896	ping.exe
4264	ping.exe
3684	ping.exe
2600	ping.exe
4768	ping.exe
1916	ping.exe
4884	ping.exe
3176	ping.exe
4516	ping.exe
4988	ping.exe
3800	ping.exe
2724	ping.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

pid	process
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

description pid process

Token: SeDebugPrivilege 4076 7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

description	pid	process
Token: SeDebugPrivilege	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe

description	pid	process	target process
PID 4076 wrote to memory of 1916	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1916	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1916	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1012	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1012	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1012	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1176	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1176	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1176	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2896	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2896	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2896	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4264	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4264	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4264	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4884	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4884	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4884	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3176	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3176	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3176	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4356	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4356	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4356	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3684	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3684	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3684	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1904	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1904	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 1904	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 5056	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	RegAsm.exe
PID 4076 wrote to memory of 5056	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	RegAsm.exe
PID 4076 wrote to memory of 5056	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	RegAsm.exe
PID 4076 wrote to memory of 4352	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	attrib.exe
PID 4076 wrote to memory of 4352	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	attrib.exe
PID 4076 wrote to memory of 4352	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	attrib.exe
PID 4076 wrote to memory of 4516	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4516	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4516	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 5076	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 5076	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 5076	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4988	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4988	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4988	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3800	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3800	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3800	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2600	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2600	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2600	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2724	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2724	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 2724	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4180	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4180	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4180	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3008	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3008	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 3008	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4768	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4768	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4768	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe
PID 4076 wrote to memory of 4980	4076	7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe	ping.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4352 attrib.exe

pid	process
4352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
"C:\Users\Admin\AppData\Local\Temp\7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1916
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1012
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1176
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2896
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4264
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4884
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3176
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4356
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3684
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5056
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\7e1ba998c313492e21f222b6fb48dc816e961a190f87b098a2d8592e1daa0969.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4352
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4516
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5076
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4988
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3800
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2600
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2724
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4180
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3008
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4768
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4980
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5072
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4928
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3328
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4960
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3644
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4736
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3144
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4656
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3512
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3732
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe

Filesize
349KB

MD5
b9c7fd2b8ea05bbcd2c9200fe33f23db

SHA1
62b6602bce90749fd1e3f8d1585e3af90691aba6

SHA256
d1ba41f3c0f3036b54c0c880b4f3c5e05a8a40af1ff94e8e14a96aa2b47d6aee

SHA512
b5f8650ccdc9d9552253533c54a0c2e9eb665428c9e8b8e9fd5b9f8e26c1a58ff8837c30e1a2c794b5b185e137585066718f191a83236bcc95e382ae837d738b

Download Submit
memory/4076-0-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/4076-1-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4076-2-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4076-4-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/4076-5-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download