povertystealer | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
67s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

povertystealer xenorat defense_evasion discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

beastsband.com

Mutex

x3n0

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect Poverty Stealer Payload 5 IoCs

resource	yara_rule
behavioral6/memory/1316-24-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral6/memory/1316-27-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral6/memory/1316-29-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral6/memory/1316-31-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral6/memory/1316-57-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral6/memory/1876-64-0x0000000008770000-0x000000000886A000-memory.dmp	family_xenorat
behavioral6/memory/1876-101-0x00000000090C0000-0x00000000090CC000-memory.dmp	family_xenorat

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UqhRb9F.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UqhRb9F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UqhRb9F.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 5 IoCs

pid	Process
1876	UqhRb9F.exe
5112	Tq4a1Bz.exe
1316	Tq4a1Bz.exe
792	wKQeiIr.exe
4604	fHR9z2C.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	UqhRb9F.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1876	UqhRb9F.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5112 set thread context of 1316	5112	Tq4a1Bz.exe	94

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UqhRb9F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tq4a1Bz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tq4a1Bz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wKQeiIr.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\8540.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4982.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6074.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\ms-settings\Shell	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe
1876	UqhRb9F.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	New Text Document mod.exe
Token: SeDebugPrivilege	1876	UqhRb9F.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1876	UqhRb9F.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1876	1604	New Text Document mod.exe	91
PID 1604 wrote to memory of 1876	1604	New Text Document mod.exe	91
PID 1604 wrote to memory of 1876	1604	New Text Document mod.exe	91
PID 1604 wrote to memory of 5112	1604	New Text Document mod.exe	92
PID 1604 wrote to memory of 5112	1604	New Text Document mod.exe	92
PID 1604 wrote to memory of 5112	1604	New Text Document mod.exe	92
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 5112 wrote to memory of 1316	5112	Tq4a1Bz.exe	94
PID 1604 wrote to memory of 792	1604	New Text Document mod.exe	95
PID 1604 wrote to memory of 792	1604	New Text Document mod.exe	95
PID 1604 wrote to memory of 792	1604	New Text Document mod.exe	95
PID 1604 wrote to memory of 4604	1604	New Text Document mod.exe	98
PID 1604 wrote to memory of 4604	1604	New Text Document mod.exe	98
PID 4604 wrote to memory of 1624	4604	fHR9z2C.exe	102
PID 4604 wrote to memory of 1624	4604	fHR9z2C.exe	102
PID 1624 wrote to memory of 4988	1624	cmd.exe	104
PID 1624 wrote to memory of 4988	1624	cmd.exe	104
PID 4604 wrote to memory of 1796	4604	fHR9z2C.exe	106
PID 4604 wrote to memory of 1796	4604	fHR9z2C.exe	106
PID 1796 wrote to memory of 1312	1796	cmd.exe	108
PID 1796 wrote to memory of 1312	1796	cmd.exe	108
PID 1796 wrote to memory of 3004	1796	cmd.exe	109
PID 1796 wrote to memory of 3004	1796	cmd.exe	109
PID 4604 wrote to memory of 1340	4604	fHR9z2C.exe	110
PID 4604 wrote to memory of 1340	4604	fHR9z2C.exe	110
PID 1340 wrote to memory of 2924	1340	cmd.exe	112
PID 1340 wrote to memory of 2924	1340	cmd.exe	112
PID 2924 wrote to memory of 3688	2924	ComputerDefaults.exe	113
PID 2924 wrote to memory of 3688	2924	ComputerDefaults.exe	113
PID 3688 wrote to memory of 4360	3688	wscript.exe	114
PID 3688 wrote to memory of 4360	3688	wscript.exe	114
PID 4604 wrote to memory of 4584	4604	fHR9z2C.exe	116
PID 4604 wrote to memory of 4584	4604	fHR9z2C.exe	116
PID 4604 wrote to memory of 3488	4604	fHR9z2C.exe	118
PID 4604 wrote to memory of 3488	4604	fHR9z2C.exe	118
PID 3488 wrote to memory of 5108	3488	cmd.exe	120
PID 3488 wrote to memory of 5108	3488	cmd.exe	120
PID 4604 wrote to memory of 1932	4604	fHR9z2C.exe	121
PID 4604 wrote to memory of 1932	4604	fHR9z2C.exe	121
PID 1932 wrote to memory of 2464	1932	cmd.exe	123
PID 1932 wrote to memory of 2464	1932	cmd.exe	123
PID 4604 wrote to memory of 8	4604	fHR9z2C.exe	124
PID 4604 wrote to memory of 8	4604	fHR9z2C.exe	124
PID 8 wrote to memory of 2504	8	cmd.exe	126
PID 8 wrote to memory of 2504	8	cmd.exe	126
PID 8 wrote to memory of 624	8	cmd.exe	127
PID 8 wrote to memory of 624	8	cmd.exe	127
PID 4604 wrote to memory of 1512	4604	fHR9z2C.exe	128
PID 4604 wrote to memory of 1512	4604	fHR9z2C.exe	128
PID 1512 wrote to memory of 2356	1512	cmd.exe	130
PID 1512 wrote to memory of 2356	1512	cmd.exe	130
PID 2356 wrote to memory of 2304	2356	ComputerDefaults.exe	131
PID 2356 wrote to memory of 2304	2356	ComputerDefaults.exe	131
PID 2304 wrote to memory of 1212	2304	wscript.exe	132
PID 2304 wrote to memory of 1212	2304	wscript.exe	132
PID 4604 wrote to memory of 3728	4604	fHR9z2C.exe	134
PID 4604 wrote to memory of 3728	4604	fHR9z2C.exe	134

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
  "C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1316
- C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:792
- C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8540.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8540.vbs" /f
      4⤵
      Modifies registry class
      PID:1312
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:3004
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\8540.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:4360
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\8540.vbs
    3⤵
    PID:4584
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Modifies registry class
      PID:5108
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:2464
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4982.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4982.vbs" /f
      4⤵
      Modifies registry class
      PID:2504
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:624
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\4982.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1212
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\4982.vbs
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Modifies registry class
      PID:2552
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:2816
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:2448
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6074.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    PID:4676
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6074.vbs" /f
      4⤵
      Modifies registry class
      PID:1948
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:3464
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    PID:2004
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      PID:1600
    - - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\6074.vbs
        5⤵
        Checks computer location settings
        
        PID:1340
      - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3284
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\6074.vbs
    3⤵
    PID:1556
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:4288
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Modifies registry class
      PID:1984
- C:\Users\Admin\AppData\Local\Temp\a\filer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
  2⤵
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4982.vbs

Filesize
114B

MD5
34b33b5a437e20d03d79b62a797dfe99

SHA1
9b57b598a7e9d66157a05a44bc7c097bf5486e6c

SHA256
f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1

SHA512
757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6074.vbs

Filesize
117B

MD5
bb8cfb89bce8af7384447115a115fb23

SHA1
6a0e728f4953128db9db52474ae5608ecee9c9c3

SHA256
d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485

SHA512
d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553

Download Submit
C:\Users\Admin\AppData\Local\Temp\8540.vbs

Filesize
125B

MD5
8b4ed5c47fdddbeba260ef11cfca88c6

SHA1
868f11f8ed78ebe871f9da182d053f349834b017

SHA256
170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

SHA512
87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe

Filesize
185KB

MD5
9c433a245d7737ca7fa17490e460f14e

SHA1
31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9

SHA256
0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7

SHA512
edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe

Filesize
1.7MB

MD5
cfbd38c30f1100b5213c9dd008b6e883

SHA1
03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73

SHA256
25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5

SHA512
a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe

Filesize
254KB

MD5
892d97db961fa0d6481aa27c21e86a69

SHA1
1f5b0f6c77f5f7815421444acf2bdd456da67403

SHA256
c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

SHA512
7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\filer.exe

Filesize
10.1MB

MD5
6543901753c73d70d039b793a4eb11f9

SHA1
e3b483ddf13c97a2088f38de32df96c73d883cc4

SHA256
4411e1640670d9cc0ff1b6e0e4ed7edad47c1528ccb4837ecbd5c42fe6e48222

SHA512
aa2d775669bce8b1ac3c27fd7b39ffc1fd737820a3bc2c43d144ce7d3ccda571281fb595d998bcaf9033ea03b9c794c2b2a8f870019f2f08d78c550717b86ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe

Filesize
243KB

MD5
b73ecb016b35d5b7acb91125924525e5

SHA1
37fe45c0a85900d869a41f996dd19949f78c4ec4

SHA256
b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d

SHA512
0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

Download Submit
memory/792-45-0x0000000035850000-0x0000000035860000-memory.dmp

Filesize
64KB

Download
memory/1316-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1316-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1316-28-0x0000000000910000-0x0000000000942000-memory.dmp

Filesize
200KB

Download
memory/1316-29-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1316-31-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1316-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1604-56-0x00007FFCC2290000-0x00007FFCC2D51000-memory.dmp

Filesize
10.8MB

Download
memory/1604-2-0x00007FFCC2290000-0x00007FFCC2D51000-memory.dmp

Filesize
10.8MB

Download
memory/1604-1-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/1604-0-0x00007FFCC2293000-0x00007FFCC2295000-memory.dmp

Filesize
8KB

Download
memory/1604-32-0x00007FFCC2293000-0x00007FFCC2295000-memory.dmp

Filesize
8KB

Download
memory/1876-80-0x0000000008E30000-0x00000000090B0000-memory.dmp

Filesize
2.5MB

Download
memory/1876-70-0x0000000008CA0000-0x0000000008CBE000-memory.dmp

Filesize
120KB

Download
memory/1876-61-0x0000000000BD0000-0x0000000001030000-memory.dmp

Filesize
4.4MB

Download
memory/1876-64-0x0000000008770000-0x000000000886A000-memory.dmp

Filesize
1000KB

Download
memory/1876-65-0x0000000008A40000-0x0000000008C02000-memory.dmp

Filesize
1.8MB

Download
memory/1876-66-0x00000000088C0000-0x0000000008910000-memory.dmp

Filesize
320KB

Download
memory/1876-67-0x0000000008990000-0x0000000008A06000-memory.dmp

Filesize
472KB

Download
memory/1876-68-0x0000000009140000-0x000000000966C000-memory.dmp

Filesize
5.2MB

Download
memory/1876-13-0x0000000000BD0000-0x0000000001030000-memory.dmp

Filesize
4.4MB

Download
memory/1876-46-0x0000000000BD0000-0x0000000001030000-memory.dmp

Filesize
4.4MB

Download
memory/1876-72-0x0000000008D90000-0x0000000008E2C000-memory.dmp

Filesize
624KB

Download
memory/1876-47-0x0000000000BD0000-0x0000000001030000-memory.dmp

Filesize
4.4MB

Download
memory/1876-101-0x00000000090C0000-0x00000000090CC000-memory.dmp

Filesize
48KB

Download
memory/1876-102-0x0000000009E60000-0x000000000A404000-memory.dmp

Filesize
5.6MB

Download
memory/1876-103-0x00000000099C0000-0x0000000009A52000-memory.dmp

Filesize
584KB

Download
memory/1876-104-0x0000000009990000-0x000000000999A000-memory.dmp

Filesize
40KB

Download
memory/1876-59-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/5112-23-0x0000000000933000-0x0000000000934000-memory.dmp

Filesize
4KB

Download