Analysis
-
max time kernel
60s -
max time network
62s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
-
submitted
31-01-2025 15:30
General
-
Target
aquatic/loader.exe
-
Size
5.2MB
-
MD5
c136329a989aad9543c913f9197a01fe
-
SHA1
0b3bdab50947cf330243938c9ccb3e685c43457b
-
SHA256
9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885
-
SHA512
fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590
-
SSDEEP
98304:fKYhdZRJ8os9WXz/DsEAE4SfTQ3+5wJCn9cK4KwrUWxeNVSreDGknLjiSXBI:CYhdo0D/D1J8+mM9Y/gNIsGkLj
Malware Config
Extracted
xworm
5.0
testarosa.duckdns.org:7110
5ZpeoOe6AtQfr6wU
-
Install_directory
%AppData%
-
install_file
Ondrive.exe
Signatures
-
Detect Umbral payload 2 IoCs
-
Detect Xworm Payload 2 IoCs
-
Njrat family
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 4 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 29 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 4 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aquatic\loader.exe"C:\Users\Admin\AppData\Local\Temp\aquatic\loader.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid7⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 27⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY7⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption7⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory7⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid7⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name7⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause7⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"9⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"10⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid11⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"11⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'11⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 211⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY11⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY11⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption11⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory11⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid11⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER11⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name11⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause11⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"12⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"14⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"15⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"17⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"18⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"19⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"20⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"20⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"21⤵
- Drops file in Drivers directory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"22⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 222⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY22⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY22⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption22⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory22⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER22⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name22⤵
- Detects videocard installed
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"21⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"21⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"22⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"22⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"23⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"23⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"24⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"25⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"25⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Ondrive.exe"C:\Users\Admin\AppData\Roaming\Ondrive.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
319B
MD5c03c52b5629516eb3271791af4a68fda
SHA121e3c5aa9d016632d558439b36749c14a54438a3
SHA25652561d8d593a3fc07353a74c4e59650770e998ae08c1b168ba31f0456ba5d2b1
SHA512186c267ae7079f9b0c9852daec79aea8ff4746309f2dd9ec3dbc50ebb0146bea2e566621a01fe6f4580f187850271b854bd8e5f20bb2715970386ac85326f0cb
-
Filesize
1KB
MD5dcbdf62e96e679168e99bb26c3f28d37
SHA1b4dd47ce9094a450cd6e03a2f1d61ea4c8b85208
SHA256c44d43f12dedac8a011cf40417f28b4d7e0d961ac4503829f01891ce7212fa35
SHA512679b07b35c90abdb029a202bb14c424d2497d1b8e99396d369629a066a3978e77c6257148a22c48abcbcb6370c722673d0cbb3d1fd33880fa32107d5a20869b3
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD560b3262c3163ee3d466199160b9ed07d
SHA1994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
SHA256e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
SHA512081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af
-
Filesize
948B
MD5a9ab4419e3986b8e240c9478cc52eb51
SHA17e1b1b31bc47b9d4dccea76e6511d3632cb0395e
SHA25687c993fd034df762cdf24506c046959e98985d38697b234f7ca092db49671846
SHA5128f3d3ac39795b11719f40d3eb9a574576c8a5e6b837a1f3d63f7996faaf728e02ec5e26f4bed71ab850c9fa9272ec94fb6449b251eadc82672f84bdd5ec256a6
-
Filesize
1KB
MD58e1fdd1b66d2fee9f6a052524d4ddca5
SHA10a9d0994559d1be2eecd8b0d6960540ca627bdb6
SHA2564cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13
SHA5125a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3
-
Filesize
240B
MD562c677d1b01376f5a983a8cadc098583
SHA17d12949782b65732c663b69890ca3559e210d1e7
SHA256e1d4fbe4b5e1c21e2093d41ad8e46d9f8106bce044387ef611c3341edc914921
SHA512c964c81ed47e1fc634e0eb53fc14af9256baec9a17cea68728b2553cb6d3c8cb20f403b5282fbb0575a5fba620d84afa996ef612f69ebf96da87d6baf2c4b710
-
Filesize
1KB
MD58275d2c2245e8de8c281ba2a9d2d9b69
SHA15c88d14d3b25a7a6e2d0fd12fa44db5f59ddacbe
SHA2569f8d1a40b5373201843032d3c85f4dde4a20110323a62b91c4a843cee52b2370
SHA5128c4907649932b2c698e5e97bcd26cef1080cbab2bfb5a06d4bd230de2cd7e701e3966b1c8c8d8be3f39ee570feafce5daf0a3c7014abb1e77e4141664639f4ac
-
Filesize
1KB
MD575ae08a4a068b23ce626d07e9f3788aa
SHA1a32274e443918e1a3c70cc2d60fab562be0a8fe8
SHA256d43e73ad55648e865173cf4552cf1f812d299c5d58f8cdc83a2f10365633840d
SHA5120597f93a8ed7e7fbabdb0d088723a0b8d4e6277c65e3d732bd593930dfb8d454cbba7a483f1173fe63ec3f548ece1825e312876a5ec4569d54b0bef12f2196d6
-
Filesize
1KB
MD56beb9db6d7549b07271688e9772067dc
SHA1410b3c6ffa33c17697a005ae2ca02abb92c2e8ac
SHA2566b830d4238dcf55ab6d900a1422bc43c1fea43e8b0f4746b3a18d978cefd9142
SHA512ab84281af54d1d217fe9feb8d18b9b2b1893437ab84c160a93a9edffe0e4b95e67a5a6412cedb938c463d9e8ad45ea8582fe91c0ed42a5946ae3e0a1857add1b
-
Filesize
1KB
MD5c76456f917f2454b11094307cddf538e
SHA18b71666f6377822817af0e471223561d6b3c307e
SHA256658bb703eca2dad2e2b2473799bdda84625e4089aec8d03f287bc049fa10eb7d
SHA512ef516fc2599af34ec1d495a5fd05529fb8f3456bf361d3229b86ab3220c7a839b937d460c0c12884932965f87ce1af148a4e1a67a60b2420aa9fcae0f5fd7ba2
-
Filesize
1KB
MD5fbb72f45b0688bd1988ee5448e79936b
SHA13db7dac3f7ebd5299d828d19e5afa4f9cd691ff4
SHA256b03a2f8a2dc39c65d2286135151ad3bc79c1bd8b1e1ee14548d679da83370419
SHA512d2f16b55532159e148e2428b04c9b325f8023c75a6188a068963c91648e6619268f39f6d209d3918e2fde80e344fa9ff39bb0cd327417f1e7e54a81ad0eae84b
-
Filesize
948B
MD5f399941d756e9826f3a5aa6aec2b7885
SHA1323c93f09c6608541ec2923ce0396bd4e72e1bda
SHA25618539741dcc043451ddf1627ce2819385200fbec3d9f827ea928f9757e5f5811
SHA512d47ea930bf088d349278db5ce1c3c8d72ee0eca4e935b54815ac0dc54fd956bec7520f242845f8605df4dcc8d7ee679fcbdc58d0a3c2fa8191487016ca7f570f
-
Filesize
1KB
MD5beaa733206e6159a16f84258a3868738
SHA15d973073d1fb8bf3b4654ad9172b1519c5ee3ce7
SHA256d5387e07c332114cd393c847f7e0fe5108ec208798391a756fc1298daab786dd
SHA5120fa50d16101a53ff2c43c62e370462feeae1283b6c33167d1ca9e293d2373f00e16f289f07caabe5789aa633c3a622bca4d3e499fd6af38001a3dbcee454b73f
-
Filesize
64B
MD5b68ab4ca7e39baffff644d4820c98f0c
SHA125aee3c71f29c4520c9a89a13ce47864b75ced4e
SHA256974a01642047984dcc7429b685decc35b22bfb88926f25174f77721f4afaf676
SHA5125c96c46ba870ced22f9956ecec737fe2a6d4d73a52a1db323b29a82324f3fbd298ecb0a79ce55828bcb9e813b64815bae137d480f26e9d69f6cf7830dfd4ab9d
-
Filesize
1KB
MD5df55b2040cf60bbaaed4946ec47d9ec3
SHA18e85ce63481c7ef33b9414c2e84a3a63677e5cc1
SHA256fa9cc5dac95adda87c5e09a8daed9701de298b9706a9b4473c459ca1208332c6
SHA5129f707130fbef0665d929f63cfa6e34331df46a059059d8dfcd144eb02669d85bd5d38f015ff53453338beeed9cff8804cb09d6fe1c2d2cb735f5e94a585929f2
-
Filesize
229KB
MD556c788116da32ec8e9ac3b1b0e66b520
SHA1545f203f2bdf6fac2f131a76a5f36e21637b27ca
SHA256f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb
SHA5127da85b8e5f92f4a448a10f5c60c21f46b3eb511fda461b15956339ca7130c901e05ad58856a3a3903cdb52b81c4051d3bb0222e87aefab87136351d1ff01734f
-
Filesize
71KB
MD5f9b08bd21b40a938122b479095b7c70c
SHA1eb925e3927b83c20d8d24bdab2e587c10d6ac8cd
SHA256c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8
SHA512fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.1MB
MD524b1beaf827ed5732cc435c76170afb0
SHA1dbab0b15b40f22765af4219d6db16579396b0ae7
SHA2565365a7256f9b85da3eb0aaaf1ddf50ee2928c0d3b23b89a21a9400b6502ad4f2
SHA51200cf09d9066d654776d835597cfa228b7b33a4a083e8564c172d3ac78bf249feb87187e88de22be4720484d60a34dfbfd4f47bff404960627bde4837d896e4ba
-
Filesize
414KB
MD590e223bf18b03806310ece78fa3d0f7a
SHA12e826b6144240fd6474e20b4f5546fccaa8c20c2
SHA256be0acb1b44409370cecb19d243b1a420484fc195fe30b58fbe896357ee3b8dc1
SHA512f6310f0bcd27ecfcfd86714c8b3b8cb26160cd214ec6a80457985aec7628d7cddb1bf2b4958dce72c588489ec010f56bd818c0a754e5f0fd02999dfb5cc216cd
-
Filesize
23KB
MD532fe01ccb93b0233503d0aaaa451f7b2
SHA158e5a63142150e8fb175dbb4dedea2ce405d7db0
SHA2566988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43
SHA51276945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6
-
Filesize
37KB
MD5b37dd1a1f0507baf993471ae1b7a314c
SHA19aff9d71492ffff8d51f8e8d67f5770755899882
SHA256e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc
SHA512ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.1MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
472KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
256KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
136KB
