netwire | ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
Size

178KB
MD5

02184b64e5bf2458841e640b4401ed0e
SHA1

4ab573a80d6f315b61b3b0fe9bcc5ba3aed68703
SHA256

ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc
SHA512

90c4c10cbb7483c36bc7512320f0d4c088f69efb2a1d043c08e54683e89a9f8a70194cd7b2a78881d3ef2c1c47863c587b39a584272ba4f5753a26873609d90c
SSDEEP

3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwM:I7VzxYnWI6agAalr4UrPp8WStPQu28b

Score

10^/10

netwire botnet discovery evasion persistence rat stealer

Malware Config

Extracted

Family

netwire

wallou.publicvm.com:3365

mediafire.duckdns.org:3365

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
DLL2
keylogger_dir
%AppData%\System\
lock_executable
true
mutex
KgpcGWmM
offline_keylogger
true
password
Reborn
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2168-15-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2168-12-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2168-18-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2264	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2168	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2168	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	75

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2452	ping.exe
1744	ping.exe
2376	ping.exe
904	ping.exe
692	ping.exe
1432	ping.exe
2992	ping.exe
2544	ping.exe
1052	ping.exe
1724	ping.exe
960	ping.exe
1740	ping.exe
2236	ping.exe
2996	ping.exe
2908	ping.exe
2696	ping.exe
2476	ping.exe
2620	ping.exe
2792	ping.exe
2940	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
2992	ping.exe
2908	ping.exe
1740	ping.exe
2792	ping.exe
2696	ping.exe
2476	ping.exe
1052	ping.exe
904	ping.exe
2544	ping.exe
1724	ping.exe
1432	ping.exe
2940	ping.exe
2452	ping.exe
2996	ping.exe
2620	ping.exe
960	ping.exe
1744	ping.exe
2376	ping.exe
2236	ping.exe
692	ping.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2792	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	31
PID 2136 wrote to memory of 2792	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	31
PID 2136 wrote to memory of 2792	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	31
PID 2136 wrote to memory of 2792	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	31
PID 2136 wrote to memory of 1432	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	33
PID 2136 wrote to memory of 1432	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	33
PID 2136 wrote to memory of 1432	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	33
PID 2136 wrote to memory of 1432	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	33
PID 2136 wrote to memory of 2992	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	35
PID 2136 wrote to memory of 2992	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	35
PID 2136 wrote to memory of 2992	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	35
PID 2136 wrote to memory of 2992	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	35
PID 2136 wrote to memory of 2940	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	37
PID 2136 wrote to memory of 2940	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	37
PID 2136 wrote to memory of 2940	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	37
PID 2136 wrote to memory of 2940	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	37
PID 2136 wrote to memory of 2696	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	39
PID 2136 wrote to memory of 2696	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	39
PID 2136 wrote to memory of 2696	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	39
PID 2136 wrote to memory of 2696	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	39
PID 2136 wrote to memory of 2476	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	41
PID 2136 wrote to memory of 2476	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	41
PID 2136 wrote to memory of 2476	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	41
PID 2136 wrote to memory of 2476	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	41
PID 2136 wrote to memory of 2452	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	43
PID 2136 wrote to memory of 2452	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	43
PID 2136 wrote to memory of 2452	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	43
PID 2136 wrote to memory of 2452	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	43
PID 2136 wrote to memory of 2996	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	45
PID 2136 wrote to memory of 2996	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	45
PID 2136 wrote to memory of 2996	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	45
PID 2136 wrote to memory of 2996	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	45
PID 2136 wrote to memory of 2908	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	47
PID 2136 wrote to memory of 2908	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	47
PID 2136 wrote to memory of 2908	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	47
PID 2136 wrote to memory of 2908	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	47
PID 2136 wrote to memory of 2620	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	49
PID 2136 wrote to memory of 2620	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	49
PID 2136 wrote to memory of 2620	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	49
PID 2136 wrote to memory of 2620	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	49
PID 2136 wrote to memory of 2264	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	51
PID 2136 wrote to memory of 2264	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	51
PID 2136 wrote to memory of 2264	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	51
PID 2136 wrote to memory of 2264	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	51
PID 2136 wrote to memory of 820	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	53
PID 2136 wrote to memory of 820	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	53
PID 2136 wrote to memory of 820	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	53
PID 2136 wrote to memory of 820	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	53
PID 2136 wrote to memory of 1744	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	54
PID 2136 wrote to memory of 1744	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	54
PID 2136 wrote to memory of 1744	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	54
PID 2136 wrote to memory of 1744	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	54
PID 2136 wrote to memory of 1052	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	57
PID 2136 wrote to memory of 1052	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	57
PID 2136 wrote to memory of 1052	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	57
PID 2136 wrote to memory of 1052	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	57
PID 2136 wrote to memory of 2376	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	59
PID 2136 wrote to memory of 2376	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	59
PID 2136 wrote to memory of 2376	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	59
PID 2136 wrote to memory of 2376	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	59
PID 2136 wrote to memory of 960	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	61
PID 2136 wrote to memory of 960	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	61
PID 2136 wrote to memory of 960	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	61
PID 2136 wrote to memory of 960	2136	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	61

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
"C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2792
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1432
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2992
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2940
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2696
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2476
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2452
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2996
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2908
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2620
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2264
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:820
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1744
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1052
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2376
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:960
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1740
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:904
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2236
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1724
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:692
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
  "C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IntelCore\IntelCore.exe

Filesize
178KB

MD5
db225a7536c9ba9971db187b31dbee44

SHA1
99a12e49f642a0369a34725546b4581ceec4ab63

SHA256
e62b55d771307ebe3e7e2594e0d9e4fd695b310729e9ad54f60891c2d109cb0b

SHA512
a8fa96c6c99c967b1d26a2268a65a836b16e30a0d4ee1a2c67b887ff93dd6dd0628d38ea9e7b068d73a5f1f87f56c1062be7efdb7d7c62bbd0f25d8e97164e0d

Download Submit
\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Filesize
178KB

MD5
02184b64e5bf2458841e640b4401ed0e

SHA1
4ab573a80d6f315b61b3b0fe9bcc5ba3aed68703

SHA256
ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc

SHA512
90c4c10cbb7483c36bc7512320f0d4c088f69efb2a1d043c08e54683e89a9f8a70194cd7b2a78881d3ef2c1c47863c587b39a584272ba4f5753a26873609d90c

Download Submit
memory/2136-0-0x0000000074781000-0x0000000074782000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-2-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-3-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2168-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download