ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc

Analysis

max time kernel
115s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
Size

178KB
MD5

02184b64e5bf2458841e640b4401ed0e
SHA1

4ab573a80d6f315b61b3b0fe9bcc5ba3aed68703
SHA256

ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc
SHA512

90c4c10cbb7483c36bc7512320f0d4c088f69efb2a1d043c08e54683e89a9f8a70194cd7b2a78881d3ef2c1c47863c587b39a584272ba4f5753a26873609d90c
SSDEEP

3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwM:I7VzxYnWI6agAalr4UrPp8WStPQu28b

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2352	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Executes dropped EXE 1 IoCs

pid	Process
2636	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelCore = "C:\\ProgramData\\IntelCore\\IntelCore.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4380	ping.exe
5024	ping.exe
2392	ping.exe
1028	ping.exe
2092	ping.exe
2556	ping.exe
4828	ping.exe
4140	ping.exe
2820	ping.exe
3928	ping.exe
4948	ping.exe
4492	ping.exe
2836	ping.exe
2176	ping.exe
1884	ping.exe
4620	ping.exe
3220	ping.exe
860	ping.exe
4932	ping.exe
4120	ping.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
2176	ping.exe
1028	ping.exe
860	ping.exe
4932	ping.exe
2836	ping.exe
3928	ping.exe
2556	ping.exe
3220	ping.exe
2820	ping.exe
4948	ping.exe
4120	ping.exe
1884	ping.exe
2092	ping.exe
4620	ping.exe
4828	ping.exe
5024	ping.exe
2392	ping.exe
4380	ping.exe
4140	ping.exe
4492	ping.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4948	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	83
PID 4336 wrote to memory of 4948	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	83
PID 4336 wrote to memory of 4948	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	83
PID 4336 wrote to memory of 4120	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	86
PID 4336 wrote to memory of 4120	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	86
PID 4336 wrote to memory of 4120	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	86
PID 4336 wrote to memory of 1884	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	98
PID 4336 wrote to memory of 1884	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	98
PID 4336 wrote to memory of 1884	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	98
PID 4336 wrote to memory of 2092	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	105
PID 4336 wrote to memory of 2092	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	105
PID 4336 wrote to memory of 2092	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	105
PID 4336 wrote to memory of 4620	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	108
PID 4336 wrote to memory of 4620	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	108
PID 4336 wrote to memory of 4620	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	108
PID 4336 wrote to memory of 2556	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	114
PID 4336 wrote to memory of 2556	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	114
PID 4336 wrote to memory of 2556	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	114
PID 4336 wrote to memory of 2176	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	117
PID 4336 wrote to memory of 2176	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	117
PID 4336 wrote to memory of 2176	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	117
PID 4336 wrote to memory of 3220	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	120
PID 4336 wrote to memory of 3220	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	120
PID 4336 wrote to memory of 3220	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	120
PID 4336 wrote to memory of 4828	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	123
PID 4336 wrote to memory of 4828	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	123
PID 4336 wrote to memory of 4828	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	123
PID 4336 wrote to memory of 1028	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	126
PID 4336 wrote to memory of 1028	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	126
PID 4336 wrote to memory of 1028	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	126
PID 4336 wrote to memory of 2352	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	129
PID 4336 wrote to memory of 2352	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	129
PID 4336 wrote to memory of 2352	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	129
PID 4336 wrote to memory of 4244	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	131
PID 4336 wrote to memory of 4244	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	131
PID 4336 wrote to memory of 4244	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	131
PID 4336 wrote to memory of 860	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	132
PID 4336 wrote to memory of 860	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	132
PID 4336 wrote to memory of 860	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	132
PID 4336 wrote to memory of 4380	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	136
PID 4336 wrote to memory of 4380	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	136
PID 4336 wrote to memory of 4380	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	136
PID 4336 wrote to memory of 5024	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	139
PID 4336 wrote to memory of 5024	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	139
PID 4336 wrote to memory of 5024	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	139
PID 4336 wrote to memory of 4932	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	142
PID 4336 wrote to memory of 4932	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	142
PID 4336 wrote to memory of 4932	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	142
PID 4336 wrote to memory of 4140	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	145
PID 4336 wrote to memory of 4140	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	145
PID 4336 wrote to memory of 4140	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	145
PID 4336 wrote to memory of 4492	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	148
PID 4336 wrote to memory of 4492	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	148
PID 4336 wrote to memory of 4492	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	148
PID 4336 wrote to memory of 2392	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	151
PID 4336 wrote to memory of 2392	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	151
PID 4336 wrote to memory of 2392	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	151
PID 4336 wrote to memory of 2836	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	154
PID 4336 wrote to memory of 2836	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	154
PID 4336 wrote to memory of 2836	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	154
PID 4336 wrote to memory of 2820	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	157
PID 4336 wrote to memory of 2820	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	157
PID 4336 wrote to memory of 2820	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	157
PID 4336 wrote to memory of 3928	4336	ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe	160

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
"C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4948
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4120
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1884
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2092
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4620
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2556
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2176
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3220
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4828
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1028
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2352
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4244
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:860
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4380
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5024
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4932
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4140
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4492
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2392
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2836
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2820
- C:\Windows\SysWOW64\ping.exe
  C:\Windows\System32\ping.exe google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe
  "C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "IntelCore" /t REG_SZ /F /D "C:\ProgramData\IntelCore\IntelCore.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IntelCore\IntelCore.exe

Filesize
178KB

MD5
d567155cd120d429042cabbbe086681f

SHA1
33974f6fbad398c4c4b248f4dd158b5d4ba346e6

SHA256
5cf03390fdbcca84743228e136b7cce6b1fcb4715864f7694007dbbd7b6b54cb

SHA512
335517bcf674b1b226d7cfe7f0a7079c44f789538ab95d96818c8c78beb84cdeaa7b65066659804cd6e0e260bf1689eb50290e5e61c2eb57baa6be92c2daa767

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc.exe

Filesize
178KB

MD5
02184b64e5bf2458841e640b4401ed0e

SHA1
4ab573a80d6f315b61b3b0fe9bcc5ba3aed68703

SHA256
ea0debd4751243fe714b3fac95f7c62eb1c1dccd481ce8bd1eb2c789eeabf8dc

SHA512
90c4c10cbb7483c36bc7512320f0d4c088f69efb2a1d043c08e54683e89a9f8a70194cd7b2a78881d3ef2c1c47863c587b39a584272ba4f5753a26873609d90c

Download Submit
memory/4336-0-0x0000000074D72000-0x0000000074D73000-memory.dmp

Filesize
4KB

Download
memory/4336-1-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4336-2-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4336-3-0x0000000074D72000-0x0000000074D73000-memory.dmp

Filesize
4KB

Download
memory/4336-4-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4336-5-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download