Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 13-07-2022 06:30
Static task: static1
Behavioral task: behavioral1
Sample: CFDI_826271_53535.exe
Resource: win7-20220414-en
General
- Target: CFDI_826271_53535.exe
- Size: 894KB
- MD5: f89a4c9d373e3c928bc405d56a496850
- SHA1: de58bf97363c74d83249df1ec2f1e9d62a2101d9
- SHA256: c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d
- SHA512: eb02dcd476e67db8ec0d9bfde5698967c657bbc6cb55973445c565cd10999772b8ba18ecacd85c36bb88ac81898a0d34f2509cf6e2a954c890ffc5c07421d514
Malware Config
Signatures
- Modifies firewall policy service 2 TTPs 4 IoCs
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
- suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
- suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
- Downloads MZ/PE file
- Executes dropped EXE 5 IoCs
  Processes: Gozip.exe, miktotik.exe, miktotik.exe, y579yu5yc_1.exe, s191iag1y.exe
  pid | process
  608 | Gozip.exe
  268 | miktotik.exe
  572 | miktotik.exe
  960 | y579yu5yc_1.exe
  1728 | s191iag1y.exe
- Sets file execution options in registry 2 TTPs 4 IoCs
  Processes: explorer.exe, miktotik.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "giuabupt.exe" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\y579yu5yc.exe | miktotik.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\y579yu5yc.exe\DisableExceptionChainValidation | miktotik.exe
- Sets file to hidden 1 TTPs 1 IoCs
  Modifies file attributes to stop it showing in Explorer etc.
- Checks BIOS information in registry 2 TTPs 1 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
- Loads dropped DLL 6 IoCs
  Processes: cmd.exe, cmd.exe, miktotik.exe, explorer.exe
  pid | process
  1416 | cmd.exe
  1720 | cmd.exe
  1720 | cmd.exe
  268 | miktotik.exe
  1600 | explorer.exe
  1600 | explorer.exe
- Adds Run key to start application 2 TTPs 6 IoCs
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\y579yu5yc.exe\"" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\y579yu5yc.exe\"" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\y579yu5yc.exe" | explorer.exe
- Checks whether UAC is enabled
  Processes: miktotik.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | miktotik.exe
- Drops desktop.ini file(s) 1 IoCs
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | explorer.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  Processes: miktotik.exe, explorer.exe
  pid | process
  572 | miktotik.exe
  1600 | explorer.exe (10 entries)
- Suspicious use of SetThreadContext 2 IoCs
  Processes: miktotik.exe, y579yu5yc_1.exe
  description | pid | process | target process
  PID 268 set thread context of 572 | 268 | miktotik.exe | miktotik.exe
  PID 960 set thread context of 0 | 960 | y579yu5yc_1.exe | (none)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 4 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: miktotik.exe, explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | miktotik.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | miktotik.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
- Delays execution with timeout.exe 5 IoCs
  Processes: timeout.exe (5 instances)
  pid | process
  1504 | timeout.exe
  1524 | timeout.exe
  2008 | timeout.exe
  1684 | timeout.exe
  1660 | timeout.exe
- Discovers systems in the same network 1 TTPs 1 IoCs
- Enumerates system info in registry 2 TTPs 2 IoCs
  Processes: explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
- Kills process with taskkill 2 IoCs
  Processes: taskkill.exe, taskkill.exe
  pid | process
  844 | taskkill.exe
  1284 | taskkill.exe
- Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
- Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
- Modifies Internet Explorer settings
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
- NTFS ADS 2 IoCs
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\y579yu5yc_1.exe:14EDFC78 | explorer.exe
  File created | C:\Users\Admin\AppData\Local\Temp\y579yu5yc_1.exe:14EDFC78 | explorer.exe
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
  Processes: net.exe, net.exe, nltest.exe, nltest.exe, net.exe, choice.exe
  pid | process
  1936 | net.exe
  108 | net.exe
  1968 | nltest.exe
  1696 | nltest.exe
  1464 | net.exe
  1788 | choice.exe
- Suspicious behavior: EnumeratesProcesses 11 IoCs
  Processes: explorer.exe
  pid | process
  1600 | explorer.exe (11 entries)
- Suspicious behavior: MapViewOfSection 4 IoCs
  Processes: miktotik.exe, explorer.exe
  pid | process
  572 | miktotik.exe
  572 | miktotik.exe
  1600 | explorer.exe
  1600 | explorer.exe
- Suspicious use of AdjustPrivilegeToken 31 IoCs
  Processes: taskkill.exe, miktotik.exe, taskkill.exe, explorer.exe, s191iag1y.exe
  description | pid | process
  Token: SeDebugPrivilege | 844 | taskkill.exe
  Token: SeDebugPrivilege | 572 | miktotik.exe
  Token: SeRestorePrivilege | 572 | miktotik.exe
  Token: SeBackupPrivilege | 572 | miktotik.exe
  Token: SeLoadDriverPrivilege | 572 | miktotik.exe
  Token: SeCreatePagefilePrivilege | 572 | miktotik.exe
  Token: SeShutdownPrivilege | 572 | miktotik.exe
  Token: SeTakeOwnershipPrivilege | 572 | miktotik.exe
  Token: SeChangeNotifyPrivilege | 572 | miktotik.exe
  Token: SeCreateTokenPrivilege | 572 | miktotik.exe
  Token: SeMachineAccountPrivilege | 572 | miktotik.exe
  Token: SeSecurityPrivilege | 572 | miktotik.exe
  Token: SeAssignPrimaryTokenPrivilege | 572 | miktotik.exe
  Token: SeCreateGlobalPrivilege | 572 | miktotik.exe
  Token: 33 | 572 | miktotik.exe
  Token: SeDebugPrivilege | 1284 | taskkill.exe
  Token: SeDebugPrivilege | 1600 | explorer.exe
  Token: SeRestorePrivilege | 1600 | explorer.exe
  Token: SeBackupPrivilege | 1600 | explorer.exe
  Token: SeLoadDriverPrivilege | 1600 | explorer.exe
  Token: SeCreatePagefilePrivilege | 1600 | explorer.exe
  Token: SeShutdownPrivilege | 1600 | explorer.exe
  Token: SeTakeOwnershipPrivilege | 1600 | explorer.exe
  Token: SeChangeNotifyPrivilege | 1600 | explorer.exe
  Token: SeCreateTokenPrivilege | 1600 | explorer.exe
  Token: SeMachineAccountPrivilege | 1600 | explorer.exe
  Token: SeSecurityPrivilege | 1600 | explorer.exe
  Token: SeAssignPrimaryTokenPrivilege | 1600 | explorer.exe
  Token: SeCreateGlobalPrivilege | 1600 | explorer.exe
  Token: 33 | 1600 | explorer.exe
  Token: SeDebugPrivilege | 1728 | s191iag1y.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes: CFDI_826271_53535.exe, WScript.exe, cmd.exe, WScript.exe, cmd.exe
  description | pid | process | target process
  PID 1280 wrote to memory of 992 | 1280 | CFDI_826271_53535.exe | WScript.exe (7 entries)
  PID 992 wrote to memory of 1416 | 992 | WScript.exe | cmd.exe (7 entries)
  PID 1416 wrote to memory of 1684 | 1416 | cmd.exe | timeout.exe (7 entries)
  PID 1416 wrote to memory of 608 | 1416 | cmd.exe | Gozip.exe (7 entries)
  PID 1416 wrote to memory of 1660 | 1416 | cmd.exe | timeout.exe (7 entries)
  PID 1416 wrote to memory of 1688 | 1416 | cmd.exe | WScript.exe (7 entries)
  PID 1416 wrote to memory of 1504 | 1416 | cmd.exe | timeout.exe (7 entries)
  PID 1688 wrote to memory of 1720 | 1688 | WScript.exe | cmd.exe (7 entries)
  PID 1720 wrote to memory of 652 | 1720 | cmd.exe | attrib.exe (7 entries)
  PID 1720 wrote to memory of 1524 | 1720 | cmd.exe | timeout.exe (1 entry)
- Views/modifies file attributes 1 TTPs 2 IoCs
  Processes: attrib.exe, attrib.exe
  pid | process
  652 | attrib.exe
  1004 | attrib.exe
Processes
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  PID:1212
  - C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID:1280
    - C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs"
      signatures: Suspicious use of WriteProcessMemory
      PID:992
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat" "
        signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        PID:1416
        - C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout 7
          signatures: Delays execution with timeout.exe
          PID:1684
        - C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
          cmdline: "Gozip.exe" e -p398FsVBddjkd8cwr nmh3745.rar
          signatures: Executes dropped EXE
          PID:608
        - C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout 6
          signatures: Delays execution with timeout.exe
          PID:1660
        - C:\Windows\SysWOW64\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs"
          signatures: Suspicious use of WriteProcessMemory
          PID:1688
          - C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat" "
            signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
            PID:1720
            - C:\Windows\SysWOW64\attrib.exe
              cmdline: attrib +s +h "C:\Users\Admin\AppData\Roaming\controllevel"
              signatures: Sets file to hidden; Views/modifies file attributes
              PID:652
            - C:\Windows\SysWOW64\timeout.exe
              cmdline: timeout 1
              signatures: Delays execution with timeout.exe
              PID:1524
            - C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
              cmdline: miktotik.exe /start
              signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
              PID:268
              - C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
                cmdline: miktotik.exe /start
                signatures: Executes dropped EXE; Sets file execution options in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
                PID:572
                - C:\Windows\SysWOW64\explorer.exe
                  cmdline: C:\Windows\SysWOW64\explorer.exe
                  signatures: Modifies firewall policy service; Sets file execution options in registry; Checks BIOS information in registry; Loads dropped DLL; Adds Run key to start application; Drops desktop.ini file(s); Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Enumerates system info in registry; Modifies Internet Explorer Protected Mode; Modifies Internet Explorer Protected Mode Banner; Modifies Internet Explorer settings; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
                  PID:1600
                  - C:\Users\Admin\AppData\Local\Temp\y579yu5yc_1.exe
                    cmdline: /suac
                    signatures: Executes dropped EXE; Suspicious use of SetThreadContext
                    PID:960
                  - C:\Users\Admin\AppData\Local\Temp\s191iag1y.exe
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\s191iag1y.exe"
                    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                    PID:1728
                    - C:\Windows\system32\cmd.exe
                      cmdline: "cmd.exe" /c net group "Domain Admins" /domain
                      PID:1236
                      - C:\Windows\system32\net.exe
                        cmdline: net group "Domain Admins" /domain
                        signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1936
                        - C:\Windows\system32\net1.exe
                          cmdline: C:\Windows\system32\net1 group "Domain Admins" /domain
                          PID:832
                    - C:\Windows\system32\cmd.exe
                      cmdline: "cmd.exe" /c net group "domain computers" /domain
                      PID:1120
                      - C:\Windows\system32\net.exe
                        cmdline: net group "domain computers" /domain
                        signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:108
                        - C:\Windows\system32\net1.exe
                          cmdline: C:\Windows\system32\net1 group "domain computers" /domain
                          PID:1764
                    - C:\Windows\system32\cmd.exe
                      cmdline: "cmd.exe" /c nltest /domain_trusts /all_trusts
                      PID:1272
                      - C:\Windows\system32\nltest.exe
                        cmdline: nltest /domain_trusts /all_trusts
                        signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1968
                    - C:\Windows\system32\cmd.exe
                      cmdline: "cmd.exe" /c nltest /domain_trusts
                      PID:952
                      - C:\Windows\system32\nltest.exe
                        cmdline: nltest /domain_trusts
                        signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1696
                    - C:\Windows\system32\cmd.exe
                      cmdline: "cmd.exe" /c net view /all
                      PID:588
                      - C:\Windows\system32\net.exe
                        cmdline: net view /all
                        signatures: Discovers systems in the same network; Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1464
                    - C:\Windows\System32\cmd.exe
                      cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\s191iag1y.exe" && /C choice /C Y /N /D Y /T 3 & Del "shfolder.dll" && Del LAG1 && Del LAG2
                      PID:1740
                      - C:\Windows\system32\choice.exe
                        cmdline: choice /C Y /N /D Y /T 3
                        signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1788
            - C:\Windows\SysWOW64\taskkill.exe
              cmdline: taskkill /f /im Gozip.exe
              signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
              PID:844
            - C:\Windows\SysWOW64\taskkill.exe
              cmdline: taskkill /f /im Gozip.exe
              signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
              PID:1284
            - C:\Windows\SysWOW64\attrib.exe
              cmdline: attrib -s -h "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef"
              signatures: Views/modifies file attributes
              PID:1004
            - C:\Windows\SysWOW64\timeout.exe
              cmdline: timeout 4
              signatures: Delays execution with timeout.exe
              PID:2008
        - C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout 8
          signatures: Delays execution with timeout.exe
          PID:1504
- C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
  PID:1180
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 10KB
  MD5: 60a1564d18f20769eb65478cc5bc56c0
  SHA1: 15ba12509eb288ed4e47162714f86777d8819976
  SHA256: deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
  SHA512: e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
- Filesize: 10KB
  MD5: 60a1564d18f20769eb65478cc5bc56c0
  SHA1: 15ba12509eb288ed4e47162714f86777d8819976
  SHA256: deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
  SHA512: e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 114B
  MD5: 8f5293bc4ace65a9f51ba97bddcd7eee
  SHA1: e11a5055530092c3a805d757110c4f8761976eef
  SHA256: a48489f790e76faeaaed41f123031e708881226c224030213861cba419ca34f4
  SHA512: c319cf12985d57b3d00737107a20e0c06a236d654064255dcc7023aa312871b52d399a9e9a55743fb3a446d2624a1049013f0ca8132ed6b6432658c396fa981d
- Filesize: 551KB
  MD5: 061f64173293969577916832be29b90d
  SHA1: b05b80385de20463a80b6c9c39bd1d53123aab9b
  SHA256: 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
  SHA512: 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
- Filesize: 551KB
  MD5: 061f64173293969577916832be29b90d
  SHA1: b05b80385de20463a80b6c9c39bd1d53123aab9b
  SHA256: 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
  SHA512: 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
- Filesize: 373KB
  MD5: b1aa11c4722efbcaaf5ebf5f17880d17
  SHA1: b4b8578e13eb1a860524e827ac8bdd5d8ece604b
  SHA256: 2e7ba0fb3f5edd6091e13e0d3a127210813433e46cea81a61a211d6a95457e27
  SHA512: a7668dfca645f63b571aff7ac11709b5578a4cd5947bf468fba11e4f5d455ef1b0917acc12c558e7b27d2eff1a8debb19b2c7783b7742c97c81b54fedcedd7b5
- Filesize: 1KB
  MD5: bf223a7df3a7feecfcb49a5d01d781d9
  SHA1: d8b2b0f48887e63928576773efe1ab5776d7dfb0
  SHA256: 494cc4d4211c1ed3f88255a46d501040b885c9b5cca26dcae5e37185d883957e
  SHA512: e15ca76450e99b21982efeeba4c148c9f28dddd85ae0fdb43e496813a4556b83022e2bb1d553de1c851065e09c7866bc6a9829da84dc0fcf3b269a03b0857fc2
- Filesize: 668B
  MD5: 814380ebb377d7ebca662c6ac563eec0
  SHA1: 3487cf2382cd0bc87a677e637de1ae40ccfbc13b
  SHA256: b58d9796ee64ea6731a6e54fdeb997ebc4ac148e3982e9c48fdc1f79d1531136
  SHA512: 41737175039c4f62159be44fcd683aff05be9f7ea97b7061222d34528995768cf1656c617991a5d7a5595bd958687a5adbeb208fe961aa2afb4fd2bf2a8d7d66
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 85B
  MD5: bf045999e4ca77b57de18d5ff25e1272
  SHA1: e8dab3a106e479a53c4ea61443c2ff7873d17c67
  SHA256: 89f2f0f40f06ed45b155adf713b127931ebb41c162e08e0cda75ecb9e10fdf17
  SHA512: e191b410d97f021d3dd55ad3565559cf0f3dd6dcc7157f7d6ff60dd610128dfe875cc00f67106653df758e07b6d845fc4e7a7ee290f8d7d8a58d58a90a018f6a
- Filesize: 10KB
  MD5: 60a1564d18f20769eb65478cc5bc56c0
  SHA1: 15ba12509eb288ed4e47162714f86777d8819976
  SHA256: deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
  SHA512: e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 551KB
  MD5: 061f64173293969577916832be29b90d
  SHA1: b05b80385de20463a80b6c9c39bd1d53123aab9b
  SHA256: 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
  SHA512: 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
- Filesize: 947KB
  MD5: 6ed0cca96fe69be3b775499509f0b029
  SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
  SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
  SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5