Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 31-05-2021 13:47
Static task: static1
Behavioral task: behavioral1
Sample: sample.js
Resource: win7v20210408
General
- Target: sample.js
- Size: 67KB
- MD5: 3e7159f1fbfbe75bfafde72feb1bf94f
- SHA1: 4e8a7b7c3d52b965bea11c53829334bb0dc908c3
- SHA256: a5122b7a02ae525036dbef78c6d6042a8c2cd4888a6451c2baca96a0a68ed259
- SHA512: 0beb743a0a4fe2e78483a2bd580eab205a879653ec8c84db6d5ac19c61cc2302df472b9c3f06698c3f5708638b6e7b05fdde310c35bea5b38e23690f91642245
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
Blocklisted process makes network request 5 IoCs
Processes:
- wscript.exe (PID 3944): network flow 7
- wscript.exe (PID 3944): network flow 10
- wscript.exe (PID 3944): network flow 12
- wscript.exe (PID 3944): network flow 14
- wscript.exe (PID 3944): network flow 16
Downloads MZ/PE file
Executes dropped EXE 6 IoCs
Processes:
- 692915.dat (PID 3408)
- portable.exe (PID 788)
- psh.exe (PID 2024)
- psh.exe (PID 3568)
- 7991i79wo_1.exe (PID 2732)
- 3m3cu9i5s3.exe (PID 2340)
Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\7991i79wo.exe"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\7991i79wo.exe\""
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\7991i79wo.exe\""
Checks whether UAC is enabled 3 IoCs
Processes:
- psh.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmd.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmd.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops desktop.ini file(s) 1 IoCs
Processes:
- explorer.exe: File opened for modification C:\ProgramData\Google Updater 2.09\desktop.ini
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
- cmd.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
- cmd.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
- psh.exe (PID 3568)
- explorer.exe (PID 4060), 6 hits
- cmd.exe (PID 2288)
- cmd.exe (PID 2420)
- explorer.exe (PID 4060), 4 hits
Suspicious use of SetThreadContext 2 IoCs
Processes:
- psh.exe (PID 2024): set thread context of PID 3568 (procid_target 94)
- 7991i79wo_1.exe (PID 2732): set thread context of 0
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- psh.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- psh.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Delays execution with timeout.exe 5 IoCs
Processes:
- timeout.exe (PID 64)
- timeout.exe (PID 1968)
- timeout.exe (PID 3400)
- timeout.exe (PID 3280)
- timeout.exe (PID 1820)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Kills process with taskkill 2 IoCs
Processes:
- taskkill.exe (PID 3944)
- taskkill.exe (PID 2696)
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
Modifies Internet Explorer settings 3 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"
Modifies registry class 2 IoCs
Processes:
- 692915.dat: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings
- cmd.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings
Modifies system certificate store 2 IoCs
Processes:
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
- wscript.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob data omitted>
NTFS ADS 2 IoCs
Processes:
- explorer.exe: File opened for modification C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe:14EDFC78
- explorer.exe: File created C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe:14EDFC78
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
- explorer.exe (PID 4060), 26 hits
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 3m3cu9i5s3.exe (PID 2340)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
- psh.exe (PID 3568), 2 hits
- explorer.exe (PID 4060), 4 hits
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
- psh.exe (PID 3568): Token SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- taskkill.exe (PID 3944): Token SeDebugPrivilege
- taskkill.exe (PID 2696): Token SeDebugPrivilege
- explorer.exe (PID 4060): Token SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- 3m3cu9i5s3.exe (PID 2340)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- 3m3cu9i5s3.exe (PID 2340), 2 hits
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID wrote to memory of target PID; procid_target in parentheses):
- wscript.exe (PID 3944) wrote to memory of PID 3408 (78), 3 times
- 692915.dat (PID 3408) wrote to memory of PID 60 (80), 3 times
- WScript.exe (PID 60) wrote to memory of PID 2288 (81), 3 times
- cmd.exe (PID 2288) wrote to memory of PID 1820 (83), 3 times
- cmd.exe (PID 2288) wrote to memory of PID 2424 (84), 3 times
- cmd.exe (PID 2288) wrote to memory of PID 788 (85), 3 times
- cmd.exe (PID 2288) wrote to memory of PID 64 (86), 3 times
- cmd.exe (PID 2288) wrote to memory of PID 2068 (87), 3 times
- cmd.exe (PID 2288) wrote to memory of PID 1968 (88), 3 times
- WScript.exe (PID 2068) wrote to memory of PID 2420 (89), 3 times
- cmd.exe (PID 2420) wrote to memory of PID 3496 (91), 3 times
- cmd.exe (PID 2420) wrote to memory of PID 3400 (92), 3 times
- cmd.exe (PID 2420) wrote to memory of PID 2024 (93), 3 times
- psh.exe (PID 2024) wrote to memory of PID 3568 (94), 5 times
- cmd.exe (PID 2420) wrote to memory of PID 3944 (95), 3 times
- cmd.exe (PID 2420) wrote to memory of PID 2696 (96), 3 times
- cmd.exe (PID 2420) wrote to memory of PID 2740 (97), 3 times
- cmd.exe (PID 2420) wrote to memory of PID 3280 (98), 3 times
- psh.exe (PID 3568) wrote to memory of PID 4060 (99), 3 times
- explorer.exe (PID 4060) wrote to memory of PID 2288 (81), 2 times
- explorer.exe (PID 4060) wrote to memory of PID 1968 (88), 2 times
- explorer.exe (PID 4060) wrote to memory of PID 2420 (89), 1 time
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
- attrib.exe (PID 3496)
- attrib.exe (PID 2740)
Processes (indented by depth in the process tree)
[1] C:\Windows\system32\wscript.exe (PID 3944)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat (PID 3408)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe (PID 60)
        Command line: "C:\Windows\System32\WScript.exe" "C:\5jhc441685fd778294a59039\updtcp\video.vbs"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2288)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\5jhc441685fd778294a59039\updtcp\win23.bat" "
          - Checks whether UAC is enabled
          - Maps connected drives based on registry
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\timeout.exe (PID 1820)
            Command line: timeout 0
            - Delays execution with timeout.exe
        [5] C:\Windows\SysWOW64\PING.EXE (PID 2424)
            Command line: ping edwtq ewqdztw d8twd7
            - Runs ping.exe
        [5] C:\5jhc441685fd778294a59039\updtcp\portable.exe (PID 788)
            Command line: "portable.exe" e -pIUASU7yyadsih8i32d8hadshias tcp.rar
            - Executes dropped EXE
        [5] C:\Windows\SysWOW64\timeout.exe (PID 64)
            Command line: timeout 6
            - Delays execution with timeout.exe
        [5] C:\Windows\SysWOW64\WScript.exe (PID 2068)
            Command line: "C:\Windows\System32\WScript.exe" "C:\5jhc441685fd778294a59039\updtcp\khg389214.vbs"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2420)
              Command line: C:\Windows\system32\cmd.exe /c ""C:\5jhc441685fd778294a59039\updtcp\wier.bat" "
              - Checks whether UAC is enabled
              - Maps connected drives based on registry
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\attrib.exe (PID 3496)
                Command line: attrib +s +h "C:\5jhc441685fd778294a59039"
                - Views/modifies file attributes
            [7] C:\Windows\SysWOW64\timeout.exe (PID 3400)
                Command line: timeout 2
                - Delays execution with timeout.exe
            [7] C:\5jhc441685fd778294a59039\updtcp\psh.exe (PID 2024)
                Command line: psh.exe /start
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
              [8] C:\5jhc441685fd778294a59039\updtcp\psh.exe (PID 3568)
                  Command line: psh.exe /start
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Checks processor information in registry
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\explorer.exe (PID 4060)
                    Command line: C:\Windows\SysWOW64\explorer.exe
                    - Modifies firewall policy service
                    - Checks BIOS information in registry
                    - Adds Run key to start application
                    - Drops desktop.ini file(s)
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - Checks processor information in registry
                    - Enumerates system info in registry
                    - Modifies Internet Explorer Protected Mode
                    - Modifies Internet Explorer Protected Mode Banner
                    - Modifies Internet Explorer settings
                    - NTFS ADS
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: MapViewOfSection
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe (PID 2732)
                       Command line: /suac
                       - Executes dropped EXE
                       - Suspicious use of SetThreadContext
                  [10] C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe (PID 2340)
                       Command line: "C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe"
                       - Executes dropped EXE
                       - Suspicious behavior: GetForegroundWindowSpam
                       - Suspicious use of FindShellTrayWindow
                       - Suspicious use of SetWindowsHookEx
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 3944)
                Command line: taskkill /f /im portable.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 2696)
                Command line: taskkill /f /im portable.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\attrib.exe (PID 2740)
                Command line: attrib -s -h "C:\5jhc441685fd778294a59039\updtcp\psh.exe"
                - Views/modifies file attributes
            [7] C:\Windows\SysWOW64\timeout.exe (PID 3280)
                Command line: timeout 4
                - Delays execution with timeout.exe
        [5] C:\Windows\SysWOW64\timeout.exe (PID 1968)
            Command line: timeout 7
            - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (2)
Defense Evasion
- Hidden Files and Directories (2)
- Install Root Certificate (1)
- Modify Registry (7)
Downloads
- MD5: ec4694dbfd7699e4d15181d6c4fa1818
  SHA1: 3d7424eac4f9d4c199e4a10bbb664d0794301b25
  SHA256: 1e853f2a93fd8c4763b48339a0a8a154a553c5e0dad1d763d60085491986c806
  SHA512: 049c2b3390770fd5777eaba9e78239fc5e8250cfcd8f1154b0244ba00412377e6c353c7b3b600b23196bf85cc525f67ecff7da7f42a031c3bf6138bc51518d56
- MD5: af8f66afc7877cfa7fd23a532916ec96
  SHA1: df0fb0fb8c1a77872d8de28416fff394f1a6aec1
  SHA256: b0197158ca288dae24b2335515ebfa7a3ddf78dba0ff344118fbc1cfb8b75a68
  SHA512: 508578541d239e029e6ae3faaf1ebea45292bdba6ad2262cda3dba78bd026c9d9273756f2459ae0118cac5b3690fd83935be692a48fda89539a553fe4786dcd0
- MD5: af8f66afc7877cfa7fd23a532916ec96
  SHA1: df0fb0fb8c1a77872d8de28416fff394f1a6aec1
  SHA256: b0197158ca288dae24b2335515ebfa7a3ddf78dba0ff344118fbc1cfb8b75a68
  SHA512: 508578541d239e029e6ae3faaf1ebea45292bdba6ad2262cda3dba78bd026c9d9273756f2459ae0118cac5b3690fd83935be692a48fda89539a553fe4786dcd0
- MD5: b51fde142cb8410161f4c51ed213baa3
  SHA1: 310b2e40b998157e36dc2b805d5580199bb2d467
  SHA256: d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba
  SHA512: 82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076
- MD5: b51fde142cb8410161f4c51ed213baa3
  SHA1: 310b2e40b998157e36dc2b805d5580199bb2d467
  SHA256: d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba
  SHA512: 82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076
- MD5: b51fde142cb8410161f4c51ed213baa3
  SHA1: 310b2e40b998157e36dc2b805d5580199bb2d467
  SHA256: d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba
  SHA512: 82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076
- MD5: af02568d8919fc4cb567a40ae21d25ec
  SHA1: 7e98bdb23e6b44332afcfe5f3a099016b7dad279
  SHA256: a5d15ee0959085dab12cd7dd12da181444cc063e4e3e20a7d17319105097c6fd
  SHA512: 933d7a29ff7166ee9514fd3548597739ca293eb9094097ec716b51949e5f3f733d379ed03175ce29f25424ad62d794ab8df1dd5625653d4fbd2b75a8b2caa920
- MD5: 87b123f86cda5a902af0f3c3673ebae0
  SHA1: a93f593da9e18343eb7cbc4a8df8eefaae31e179
  SHA256: a5c96e4fd40ef2ae88fe66fa38178020b69059a2765614e6aa671f46057ef5c0
  SHA512: fe5e78bb66304e1b4ed13eafd3cb93816511941756ecfa613aaaeba7a0f468aad7e2dfece27f124b5db79a8afe1fb655ef2bd3d6bbd9eb4d42e457dd42775b2f
- MD5: d8cf8ebd43d707b8f7ac09dca3f69e89
  SHA1: 8425069acebb996f4517cfc62fb65de3b9315b8c
  SHA256: c8c84a5c185cdfcecaafcee8e927fb8024d7e42a86f7b88437cf64f027a3fc7f
  SHA512: 4c4a6bbd6820ccc7ff49ca6feae3055a8357fb3747e0c116239f8cdeac1bdc679df6825c822e7be7ec286065fb21f2f33275ddbcb80bcc51a75c6f2752ba5798
- MD5: e3e6e937b62671102f2d588c3b63dadd
  SHA1: 2059e852dd09a1f9dc22655c3a52ad29e4d9ce70
  SHA256: 762f9ddb99827165175408a90ab56139ed9d8c88d8c9cfec4871ec286d3b6016
  SHA512: cc52bb6ee086f2dac9c93d101c747731c3a5bed6b4ea3c9c27796ee135bca91c89a90f41b119f137049f09f6f459193c593d3ff48343dc35ba6dfb2ef2077f05
- MD5: 2abb9a0fbbbc79ad7813fe461d6cf84d
  SHA1: 1c0f4652edc982c1f395410a150c4a86036b3868
  SHA256: 4cbcbf9b7c7a1409be0f7829def9cbca6a703e6bde0400256ca0d038d0bf056a
  SHA512: ca5f6e295c702684a4d83d67ee75a0b372f2c7f77277f79cb58f331d5ccfec82bda0897455c136dfbb00f3bf5a30175d5b84607f55b50259b1833e69ffb56684
- MD5: 2abb9a0fbbbc79ad7813fe461d6cf84d
  SHA1: 1c0f4652edc982c1f395410a150c4a86036b3868
  SHA256: 4cbcbf9b7c7a1409be0f7829def9cbca6a703e6bde0400256ca0d038d0bf056a
  SHA512: ca5f6e295c702684a4d83d67ee75a0b372f2c7f77277f79cb58f331d5ccfec82bda0897455c136dfbb00f3bf5a30175d5b84607f55b50259b1833e69ffb56684
- MD5: b51fde142cb8410161f4c51ed213baa3
  SHA1: 310b2e40b998157e36dc2b805d5580199bb2d467
  SHA256: d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba
  SHA512: 82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076
- MD5: b51fde142cb8410161f4c51ed213baa3
  SHA1: 310b2e40b998157e36dc2b805d5580199bb2d467
  SHA256: d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba
  SHA512: 82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076
- MD5: 6bb45c53fc7f643cb2c20a59801e9a9d
  SHA1: 7820e7a2ce24022683f15bc651d1d824ae738b7e
  SHA256: d0e95b938160932bf633ae1d6469ad9ace641d5a54fd567c1b9462bd62934f82
  SHA512: 3f93cf01c93a5942b8df9faa8f7c44c3965d84f89f71c559698c0bf53162acc2e3a83b54e98b1cd77c5ff500f14b6e98bdc921b5dbd3ea135f7a99d1ca0a5d61
- MD5: 6bb45c53fc7f643cb2c20a59801e9a9d
  SHA1: 7820e7a2ce24022683f15bc651d1d824ae738b7e
  SHA256: d0e95b938160932bf633ae1d6469ad9ace641d5a54fd567c1b9462bd62934f82
  SHA512: 3f93cf01c93a5942b8df9faa8f7c44c3965d84f89f71c559698c0bf53162acc2e3a83b54e98b1cd77c5ff500f14b6e98bdc921b5dbd3ea135f7a99d1ca0a5d61