Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-en-20210920
submitted: 28-09-2021 05:56
Static task: static1
Behavioral task: behavioral1
Sample: info.txt.js
Resource: win7-en-20210920
General
Target: info.txt.js
Size: 3KB
MD5: a7d8a48297c4927fd6d9fa9bfd224871
SHA1: 07f40176246032463687f71e63bfbf42276f95b3
SHA256: 7f99624842278a1f965ff411dc0efe4c26b1bb2d22099ab7fc87f5d8508b0413
SHA512: 9971a6e9c33fbcc13f47b6025f876b7dded0406c389e5e014f210173c55ccd4f2eccab293c34527204d7572e04ed83afee406bfe8049cb89d1adc97145144a2d
Malware Config
Signatures
-
Taurus Stealer Payload 3 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/620-67-0x0000000000400000-0x000000000043A000-memory.dmp: family_taurus_stealer
- behavioral1/memory/620-68-0x000000000041EB74-mapping.dmp: family_taurus_stealer
- behavioral1/memory/620-71-0x0000000000400000-0x000000000043A000-memory.dmp: family_taurus_stealer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 11 IoCs
Processes (flow, pid, process):
- flow 1: 2012 WScript.exe
- flow 3: 2012 WScript.exe
- flow 5: 2012 WScript.exe
- flow 6: 2012 WScript.exe
- flow 7: 2012 WScript.exe
- flow 20: 2012 WScript.exe
- flow 21: 2012 WScript.exe
- flow 24: 2012 WScript.exe
- flow 25: 2012 WScript.exe
- flow 26: 2012 WScript.exe
- flow 27: 2012 WScript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes (pid, process):
- 1684 Setup.exe
- 620 Setup.exe
- 1572 Clfbibif.exe
- 1732 svchost32.exe
- 2016 services32.exe
- 2028 svchost32.exe
- 1056 sihost32.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Clfbibif.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Clfbibif.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (services32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (services32.exe)
-
Deletes itself 1 IoCs
Processes (pid, process):
- 2024 wscript.exe
-
Loads dropped DLL 6 IoCs
Processes (pid, process):
- 1684 Setup.exe
- 620 Setup.exe
- 1288 cmd.exe
- 1732 svchost32.exe
- 740 cmd.exe
- 2028 svchost32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\Clfbibif.exe: themida
- C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe: themida
- behavioral1/memory/1572-83-0x000000013FD90000-0x000000013FD91000-memory.dmp: themida
- C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe: themida
- \Users\Admin\AppData\Local\Temp\services32.exe: themida
- C:\Users\Admin\AppData\Local\Temp\services32.exe: themida
- behavioral1/memory/2016-140-0x000000013F610000-0x000000013F611000-memory.dmp: themida
- C:\Users\Admin\AppData\Local\Temp\services32.exe: themida
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\rYbykTEK = "C:\\Users\\Admin\\AppData\\Roaming\\rtbGdENb.jse" (wscript.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Clfbibif.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (services32.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid, process):
- 1572 Clfbibif.exe
- 2016 services32.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 1684 (Setup.exe) set thread context of PID 620 (Setup.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1940 schtasks.exe
- 1616 schtasks.exe
- 1752 schtasks.exe
- 1556 schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes (pid, process):
- 1260 timeout.exe
-
Modifies system certificate store
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (Setup.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 (Setup.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 (Setup.exe)
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid, process):
- 1404 powershell.exe
- 1952 powershell.exe
- 472 powershell.exe
- 376 powershell.exe
- 1732 svchost32.exe
- 852 powershell.exe
- 880 powershell.exe
- 2024 powershell.exe
- 1640 powershell.exe
- 2028 svchost32.exe
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1404 powershell.exe
- Token: SeDebugPrivilege, 1952 powershell.exe
- Token: SeDebugPrivilege, 472 powershell.exe
- Token: SeDebugPrivilege, 376 powershell.exe
- Token: SeDebugPrivilege, 1732 svchost32.exe
- Token: SeDebugPrivilege, 852 powershell.exe
- Token: SeDebugPrivilege, 880 powershell.exe
- Token: SeDebugPrivilege, 2024 powershell.exe
- Token: SeDebugPrivilege, 1640 powershell.exe
- Token: SeDebugPrivilege, 2028 svchost32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to memory of target pid/process; identical entries are grouped, with the number of entries per pair in parentheses; 64 entries in total):
- 2024 wscript.exe wrote to memory of 2012 WScript.exe (3)
- 2012 WScript.exe wrote to memory of 1684 Setup.exe (7)
- 1684 Setup.exe wrote to memory of 620 Setup.exe (13)
- 620 Setup.exe wrote to memory of 1572 Clfbibif.exe (4)
- 620 Setup.exe wrote to memory of 1628 cmd.exe (4)
- 1628 cmd.exe wrote to memory of 1940 schtasks.exe (4)
- 620 Setup.exe wrote to memory of 2004 cmd.exe (4)
- 620 Setup.exe wrote to memory of 1196 cmd.exe (4)
- 2004 cmd.exe wrote to memory of 1616 schtasks.exe (4)
- 1572 Clfbibif.exe wrote to memory of 2024 cmd.exe (3)
- 2024 cmd.exe wrote to memory of 1404 powershell.exe (3)
- 2024 cmd.exe wrote to memory of 1952 powershell.exe (3)
- 2024 cmd.exe wrote to memory of 472 powershell.exe (3)
- 2024 cmd.exe wrote to memory of 376 powershell.exe (3)
- 1572 Clfbibif.exe wrote to memory of 1288 cmd.exe (2)
Processes
- (depth 1) C:\Windows\system32\wscript.exe, PID 2024
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\info.txt.js
  Signatures: Deletes itself; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\WScript.exe, PID 2012
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rtbGdENb.jse"
    Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\Setup.exe, PID 1684
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - (depth 4) C:\Users\Admin\AppData\Local\Temp\Setup.exe, PID 620
        Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious use of WriteProcessMemory
        - (depth 5) C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe, PID 1572
          Command line: "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"
          Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of WriteProcessMemory
          - (depth 6) C:\Windows\system32\cmd.exe, PID 2024
            Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            Signatures: Suspicious use of WriteProcessMemory
            - (depth 7) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1404
              Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - (depth 7) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1952
              Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - (depth 7) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 472
              Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - (depth 7) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 376
              Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
              Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - (depth 6) C:\Windows\System32\cmd.exe, PID 1288
            Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"
            Signatures: Loads dropped DLL
            - (depth 7) C:\Users\Admin\AppData\Local\Temp\svchost32.exe, PID 1732
              Command line: C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"
              Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              - (depth 8) C:\Windows\System32\cmd.exe, PID 720
                Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
                - (depth 9) C:\Windows\system32\schtasks.exe, PID 1752
                  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
                  Signatures: Creates scheduled task(s)
              - (depth 8) C:\Users\Admin\AppData\Local\Temp\services32.exe, PID 2016
                Command line: "C:\Users\Admin\AppData\Local\Temp\services32.exe"
                Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
                - (depth 9) C:\Windows\system32\cmd.exe, PID 916
                  Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                  - (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 852
                    Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                  - (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 880
                    Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                  - (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 2024
                    Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                  - (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1640
                    Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                - (depth 9) C:\Windows\System32\cmd.exe, PID 740
                  Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"
                  Signatures: Loads dropped DLL
                  - (depth 10) C:\Users\Admin\AppData\Local\Temp\svchost32.exe, PID 2028
                    Command line: C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"
                    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                    - (depth 11) C:\Windows\System32\cmd.exe, PID 1180
                      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
                      - (depth 12) C:\Windows\system32\schtasks.exe, PID 1556
                        Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
                        Signatures: Creates scheduled task(s)
                    - (depth 11) C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe, PID 1056
                      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                      Signatures: Executes dropped EXE
                    - (depth 11) C:\Windows\System32\cmd.exe, PID 2044
                      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                      - (depth 12) C:\Windows\system32\choice.exe, PID 276
                        Command line: choice /C Y /N /D Y /T 3
              - (depth 8) C:\Windows\System32\cmd.exe, PID 1972
                Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                - (depth 9) C:\Windows\system32\choice.exe, PID 1704
                  Command line: choice /C Y /N /D Y /T 3
        - (depth 5) C:\Windows\SysWOW64\cmd.exe, PID 1628
          Command line: "C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - (depth 6) C:\Windows\SysWOW64\schtasks.exe, PID 1940
            Command line: schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"
            Signatures: Creates scheduled task(s)
        - (depth 5) C:\Windows\SysWOW64\cmd.exe, PID 2004
          Command line: "C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\ekfelBGb.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - (depth 6) C:\Windows\SysWOW64\schtasks.exe, PID 1616
            Command line: schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\ekfelBGb.exe"
            Signatures: Creates scheduled task(s)
        - (depth 5) C:\Windows\SysWOW64\cmd.exe, PID 1196
          Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\Setup.exe
          - (depth 6) C:\Windows\SysWOW64\timeout.exe, PID 1260
            Command line: timeout /t 3
            Signatures: Delays execution with timeout.exe
- (depth 1) C:\Windows\system32\taskeng.exe, PID 1096
  Command line: taskeng.exe {FADEC855-AEF5-41DB-97F7-86119F6C9C66} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
Network
MITRE ATT&CK Enterprise v6
Downloads