Analysis
max time kernel: 160s
max time network: 177s
platform: windows7_x64
resource: win7-20220414-en
submitted: 13-07-2022 06:30
Static task: static1
Behavioral task: behavioral1
Sample: CFDI_826271_53535.exe
Resource: win7-20220414-en
General
Target: CFDI_826271_53535.exe
Size: 894KB
MD5: f89a4c9d373e3c928bc405d56a496850
SHA1: de58bf97363c74d83249df1ec2f1e9d62a2101d9
SHA256: c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d
SHA512: eb02dcd476e67db8ec0d9bfde5698967c657bbc6cb55973445c565cd10999772b8ba18ecacd85c36bb88ac81898a0d34f2509cf6e2a954c890ffc5c07421d514
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
-
Downloads MZ/PE file
-
Executes dropped EXE (5 IoCs)
Processes (pid, process):
880 Gozip.exe
760 miktotik.exe
1820 miktotik.exe
1028 ug17ku7qs1_1.exe
1884 i1u7oaaai5sm9.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes: miktotik.exe, explorer.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ug17ku7qs1.exe (miktotik.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ug17ku7qs1.exe\DisableExceptionChainValidation (miktotik.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "lhjwfuhstp.exe" (explorer.exe)
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Loads dropped DLL (6 IoCs)
Processes (pid, process):
1264 cmd.exe
608 cmd.exe
608 cmd.exe
760 miktotik.exe
2024 explorer.exe
2024 explorer.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\ug17ku7qs1.exe" (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\ug17ku7qs1.exe\"" (explorer.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\ug17ku7qs1.exe\"" (explorer.exe)
-
Checks whether UAC is enabled
Processes: miktotik.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (miktotik.exe)
Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
File opened for modification: C:\ProgramData\Google Updater 2.09\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
Processes (pid, process):
1820 miktotik.exe
2024 explorer.exe (10 entries)
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
PID 760 set thread context of 1820: 760 miktotik.exe -> miktotik.exe
PID 1028 set thread context of 0: 1028 ug17ku7qs1_1.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: miktotik.exe, explorer.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (miktotik.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (miktotik.exe)
Delays execution with timeout.exe (5 IoCs)
Processes (pid, process):
2012 timeout.exe
556 timeout.exe
272 timeout.exe
576 timeout.exe
2004 timeout.exe
-
Discovers systems in the same network (1 TTPs, 1 IoCs)
-
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Kills process with taskkill (2 IoCs)
Processes (pid, process):
856 taskkill.exe
1720 taskkill.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
-
Modifies Internet Explorer settings
Processes: explorer.exe
Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
NTFS ADS (2 IoCs)
Processes: explorer.exe
File opened for modification: C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe:14EDFC78 (explorer.exe)
File created: C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe:14EDFC78 (explorer.exe)
Runs net.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam (6 IoCs)
Processes (pid, process):
1936 net.exe
1744 net.exe
1568 nltest.exe
1532 nltest.exe
1360 net.exe
576 choice.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes (pid, process):
2024 explorer.exe (11 entries)
Suspicious behavior: MapViewOfSection (4 IoCs)
Processes (pid, process):
1820 miktotik.exe
1820 miktotik.exe
2024 explorer.exe
2024 explorer.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege (1720 taskkill.exe)
Token: SeDebugPrivilege (1820 miktotik.exe)
Token: SeRestorePrivilege (1820 miktotik.exe)
Token: SeBackupPrivilege (1820 miktotik.exe)
Token: SeLoadDriverPrivilege (1820 miktotik.exe)
Token: SeCreatePagefilePrivilege (1820 miktotik.exe)
Token: SeShutdownPrivilege (1820 miktotik.exe)
Token: SeTakeOwnershipPrivilege (1820 miktotik.exe)
Token: SeChangeNotifyPrivilege (1820 miktotik.exe)
Token: SeCreateTokenPrivilege (1820 miktotik.exe)
Token: SeMachineAccountPrivilege (1820 miktotik.exe)
Token: SeSecurityPrivilege (1820 miktotik.exe)
Token: SeAssignPrimaryTokenPrivilege (1820 miktotik.exe)
Token: SeCreateGlobalPrivilege (1820 miktotik.exe)
Token: 33 (1820 miktotik.exe)
Token: SeDebugPrivilege (856 taskkill.exe)
Token: SeDebugPrivilege (2024 explorer.exe)
Token: SeRestorePrivilege (2024 explorer.exe)
Token: SeBackupPrivilege (2024 explorer.exe)
Token: SeLoadDriverPrivilege (2024 explorer.exe)
Token: SeCreatePagefilePrivilege (2024 explorer.exe)
Token: SeShutdownPrivilege (2024 explorer.exe)
Token: SeTakeOwnershipPrivilege (2024 explorer.exe)
Token: SeChangeNotifyPrivilege (2024 explorer.exe)
Token: SeCreateTokenPrivilege (2024 explorer.exe)
Token: SeMachineAccountPrivilege (2024 explorer.exe)
Token: SeSecurityPrivilege (2024 explorer.exe)
Token: SeAssignPrimaryTokenPrivilege (2024 explorer.exe)
Token: SeCreateGlobalPrivilege (2024 explorer.exe)
Token: 33 (2024 explorer.exe)
Token: SeDebugPrivilege (1884 i1u7oaaai5sm9.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process; identical rows collapsed with their count):
PID 552 wrote to memory of 1260: 552 CFDI_826271_53535.exe -> WScript.exe (7 entries)
PID 1260 wrote to memory of 1264: 1260 WScript.exe -> cmd.exe (7 entries)
PID 1264 wrote to memory of 2012: 1264 cmd.exe -> timeout.exe (7 entries)
PID 1264 wrote to memory of 880: 1264 cmd.exe -> Gozip.exe (7 entries)
PID 1264 wrote to memory of 556: 1264 cmd.exe -> timeout.exe (7 entries)
PID 1264 wrote to memory of 1792: 1264 cmd.exe -> WScript.exe (7 entries)
PID 1264 wrote to memory of 272: 1264 cmd.exe -> timeout.exe (7 entries)
PID 1792 wrote to memory of 608: 1792 WScript.exe -> cmd.exe (7 entries)
PID 608 wrote to memory of 1504: 608 cmd.exe -> attrib.exe (7 entries)
PID 608 wrote to memory of 576: 608 cmd.exe -> timeout.exe (1 entry)
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes (pid, process):
1504 attrib.exe
2028 attrib.exe
Processes
Each entry is "depth: image path | command line", indented by nesting depth, followed by the signatures that fired for that process.

1: C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  2: C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe | "C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"
    - Suspicious use of WriteProcessMemory
    3: C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs"
      - Suspicious use of WriteProcessMemory
      4: C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        5: C:\Windows\SysWOW64\timeout.exe | timeout 7
          - Delays execution with timeout.exe
        5: C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe | "Gozip.exe" e -p398FsVBddjkd8cwr nmh3745.rar
          - Executes dropped EXE
        5: C:\Windows\SysWOW64\timeout.exe | timeout 6
          - Delays execution with timeout.exe
        5: C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs"
          - Suspicious use of WriteProcessMemory
          6: C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat" "
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            7: C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\Users\Admin\AppData\Roaming\controllevel"
              - Sets file to hidden
              - Views/modifies file attributes
            7: C:\Windows\SysWOW64\timeout.exe | timeout 1
              - Delays execution with timeout.exe
            7: C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | miktotik.exe /start
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              8: C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | miktotik.exe /start
                - Executes dropped EXE
                - Sets file execution options in registry
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Checks processor information in registry
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
                9: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
                  - Modifies firewall policy service
                  - Sets file execution options in registry
                  - Checks BIOS information in registry
                  - Loads dropped DLL
                  - Adds Run key to start application
                  - Drops desktop.ini file(s)
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Checks processor information in registry
                  - Enumerates system info in registry
                  - Modifies Internet Explorer Protected Mode
                  - Modifies Internet Explorer Protected Mode Banner
                  - Modifies Internet Explorer settings
                  - NTFS ADS
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of AdjustPrivilegeToken
                  10: C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe | /suac
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                  10: C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe | "C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    11: C:\Windows\system32\cmd.exe | "cmd.exe" /c net group "Domain Admins" /domain
                      12: C:\Windows\system32\net.exe | net group "Domain Admins" /domain
                        - Suspicious behavior: CmdExeWriteProcessMemorySpam
                        13: C:\Windows\system32\net1.exe | C:\Windows\system32\net1 group "Domain Admins" /domain
                    11: C:\Windows\system32\cmd.exe | "cmd.exe" /c net group "domain computers" /domain
                      12: C:\Windows\system32\net.exe | net group "domain computers" /domain
                        - Suspicious behavior: CmdExeWriteProcessMemorySpam
                        13: C:\Windows\system32\net1.exe | C:\Windows\system32\net1 group "domain computers" /domain
                    11: C:\Windows\system32\cmd.exe | "cmd.exe" /c nltest /domain_trusts /all_trusts
                      12: C:\Windows\system32\nltest.exe | nltest /domain_trusts /all_trusts
                        - Suspicious behavior: CmdExeWriteProcessMemorySpam
                    11: C:\Windows\system32\cmd.exe | "cmd.exe" /c nltest /domain_trusts
                      12: C:\Windows\system32\nltest.exe | nltest /domain_trusts
                        - Suspicious behavior: CmdExeWriteProcessMemorySpam
                    11: C:\Windows\system32\cmd.exe | "cmd.exe" /c net view /all
                      12: C:\Windows\system32\net.exe | net view /all
                        - Discovers systems in the same network
                        - Suspicious behavior: CmdExeWriteProcessMemorySpam
                    11: C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe" && /C choice /C Y /N /D Y /T 3 & Del "shfolder.dll" && Del LAG1 && Del LAG2
                      12: C:\Windows\system32\choice.exe | choice /C Y /N /D Y /T 3
                        - Suspicious behavior: CmdExeWriteProcessMemorySpam
            7: C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im Gozip.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            7: C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im Gozip.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            7: C:\Windows\SysWOW64\attrib.exe | attrib -s -h "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef"
              - Views/modifies file attributes
            7: C:\Windows\SysWOW64\timeout.exe | timeout 4
              - Delays execution with timeout.exe
        5: C:\Windows\SysWOW64\timeout.exe | timeout 8
          - Delays execution with timeout.exe
1: C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe
Filesize: 10KB
MD5: 60a1564d18f20769eb65478cc5bc56c0
SHA1: 15ba12509eb288ed4e47162714f86777d8819976
SHA256: deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
SHA512: e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
-
C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe
Filesize: 947KB
MD5: 6ed0cca96fe69be3b775499509f0b029
SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs
Filesize: 114B
MD5: 8f5293bc4ace65a9f51ba97bddcd7eee
SHA1: e11a5055530092c3a805d757110c4f8761976eef
SHA256: a48489f790e76faeaaed41f123031e708881226c224030213861cba419ca34f4
SHA512: c319cf12985d57b3d00737107a20e0c06a236d654064255dcc7023aa312871b52d399a9e9a55743fb3a446d2624a1049013f0ca8132ed6b6432658c396fa981d
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
Filesize: 551KB
MD5: 061f64173293969577916832be29b90d
SHA1: b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256: 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512: 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Preferences.dat
Filesize: 373KB
MD5: b1aa11c4722efbcaaf5ebf5f17880d17
SHA1: b4b8578e13eb1a860524e827ac8bdd5d8ece604b
SHA256: 2e7ba0fb3f5edd6091e13e0d3a127210813433e46cea81a61a211d6a95457e27
SHA512: a7668dfca645f63b571aff7ac11709b5578a4cd5947bf468fba11e4f5d455ef1b0917acc12c558e7b27d2eff1a8debb19b2c7783b7742c97c81b54fedcedd7b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat
Filesize: 1KB
MD5: bf223a7df3a7feecfcb49a5d01d781d9
SHA1: d8b2b0f48887e63928576773efe1ab5776d7dfb0
SHA256: 494cc4d4211c1ed3f88255a46d501040b885c9b5cca26dcae5e37185d883957e
SHA512: e15ca76450e99b21982efeeba4c148c9f28dddd85ae0fdb43e496813a4556b83022e2bb1d553de1c851065e09c7866bc6a9829da84dc0fcf3b269a03b0857fc2
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat
Filesize: 668B
MD5: 814380ebb377d7ebca662c6ac563eec0
SHA1: 3487cf2382cd0bc87a677e637de1ae40ccfbc13b
SHA256: b58d9796ee64ea6731a6e54fdeb997ebc4ac148e3982e9c48fdc1f79d1531136
SHA512: 41737175039c4f62159be44fcd683aff05be9f7ea97b7061222d34528995768cf1656c617991a5d7a5595bd958687a5adbeb208fe961aa2afb4fd2bf2a8d7d66
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
Filesize: 947KB
MD5: 6ed0cca96fe69be3b775499509f0b029
SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs
Filesize: 85B
MD5: bf045999e4ca77b57de18d5ff25e1272
SHA1: e8dab3a106e479a53c4ea61443c2ff7873d17c67
SHA256: 89f2f0f40f06ed45b155adf713b127931ebb41c162e08e0cda75ecb9e10fdf17
SHA512: e191b410d97f021d3dd55ad3565559cf0f3dd6dcc7157f7d6ff60dd610128dfe875cc00f67106653df758e07b6d845fc4e7a7ee290f8d7d8a58d58a90a018f6a
-
\??\PIPE\NETLOGON
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe
Filesize: 10KB
MD5: 60a1564d18f20769eb65478cc5bc56c0
SHA1: 15ba12509eb288ed4e47162714f86777d8819976
SHA256: deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110
SHA512: e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
-
\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe
Filesize: 947KB
MD5: 6ed0cca96fe69be3b775499509f0b029
SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
Filesize: 551KB
MD5: 061f64173293969577916832be29b90d
SHA1: b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256: 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512: 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
Filesize: 947KB
MD5: 6ed0cca96fe69be3b775499509f0b029
SHA1: e1c57829dd8947cc09b8b4ffcaaad07939efbb2d
SHA256: bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab
SHA512: a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5
-
memory/272-73-0x0000000000000000-mapping.dmp
memory/540-138-0x0000000000000000-mapping.dmp
memory/552-54-0x0000000075501000-0x0000000075503000-memory.dmp (Filesize 8KB)
memory/556-69-0x0000000000000000-mapping.dmp
memory/576-153-0x0000000000000000-mapping.dmp
memory/576-81-0x0000000000000000-mapping.dmp
memory/608-77-0x0000000000000000-mapping.dmp
memory/608-89-0x0000000000250000-0x00000000002EB000-memory.dmp (Filesize 620KB)
memory/608-90-0x0000000000250000-0x00000000002EB000-memory.dmp (Filesize 620KB)
memory/760-99-0x0000000000400000-0x000000000049B000-memory.dmp (Filesize 620KB)
memory/760-86-0x0000000000000000-mapping.dmp
memory/760-92-0x0000000000400000-0x000000000049B000-memory.dmp (Filesize 620KB)
memory/856-108-0x0000000000000000-mapping.dmp
memory/880-66-0x0000000000000000-mapping.dmp
memory/936-149-0x0000000000000000-mapping.dmp
memory/1028-129-0x0000000000000000-mapping.dmp
memory/1028-132-0x0000000000400000-0x000000000049B000-memory.dmp (Filesize 620KB)
memory/1208-127-0x00000000025A0000-0x00000000025A6000-memory.dmp (Filesize 24KB)
memory/1260-55-0x0000000000000000-mapping.dmp
memory/1264-59-0x0000000000000000-mapping.dmp
memory/1360-150-0x0000000000000000-mapping.dmp
memory/1392-141-0x0000000000000000-mapping.dmp
memory/1504-79-0x0000000000000000-mapping.dmp
memory/1532-148-0x0000000000000000-mapping.dmp
memory/1568-145-0x0000000000000000-mapping.dmp
memory/1600-147-0x0000000000000000-mapping.dmp
memory/1720-103-0x0000000000000000-mapping.dmp
memory/1732-144-0x0000000000000000-mapping.dmp
memory/1744-142-0x0000000000000000-mapping.dmp
memory/1792-72-0x0000000000000000-mapping.dmp
memory/1820-95-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
memory/1820-106-0x0000000000440000-0x00000000004A6000-memory.dmp (Filesize 408KB)
memory/1820-117-0x00000000020C0000-0x00000000020CC000-memory.dmp (Filesize 48KB)
memory/1820-115-0x0000000000440000-0x00000000004A6000-memory.dmp (Filesize 408KB)
memory/1820-116-0x00000000003E0000-0x00000000003ED000-memory.dmp (Filesize 52KB)
memory/1820-114-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
memory/1820-93-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
memory/1820-124-0x0000000000440000-0x00000000004A6000-memory.dmp (Filesize 408KB)
memory/1820-104-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
memory/1820-100-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
memory/1820-96-0x00000000004015C6-mapping.dmp
memory/1884-137-0x0000000000E30000-0x0000000000E38000-memory.dmp (Filesize 32KB)
memory/1884-135-0x0000000000000000-mapping.dmp
memory/1884-151-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp (Filesize 8KB)
memory/1936-139-0x0000000000000000-mapping.dmp
memory/1952-140-0x0000000000000000-mapping.dmp
memory/1972-143-0x0000000000000000-mapping.dmp
memory/1976-152-0x0000000000000000-mapping.dmp
memory/2004-112-0x0000000000000000-mapping.dmp
memory/2012-61-0x0000000000000000-mapping.dmp
memory/2024-122-0x0000000000410000-0x0000000000566000-memory.dmp (Filesize 1.3MB)
memory/2024-123-0x0000000002210000-0x000000000221C000-memory.dmp (Filesize 48KB)
memory/2024-121-0x0000000077110000-0x0000000077290000-memory.dmp (Filesize 1.5MB)
memory/2024-120-0x0000000073F81000-0x0000000073F83000-memory.dmp (Filesize 8KB)
memory/2024-118-0x0000000000000000-mapping.dmp
memory/2024-125-0x0000000077110000-0x0000000077290000-memory.dmp (Filesize 1.5MB)
memory/2024-126-0x0000000000410000-0x0000000000566000-memory.dmp (Filesize 1.3MB)
memory/2028-110-0x0000000000000000-mapping.dmp