f8a5ffdc8bdb7590517a0418b6468dc1e0ee58a8573d87d8ab9c0aef71b598cc

General

Target

KILLER.vbs
Size

47KB
MD5

a0c297bdf8292acd6722a3ea07611083
SHA1

b2eb77063193f1566fe8898086b2c6f286c52d4b
SHA256

f8a5ffdc8bdb7590517a0418b6468dc1e0ee58a8573d87d8ab9c0aef71b598cc
SHA512

9ffd27e9acf261f7f8aeb3a98a89257e4cb5c8dc78aca7d64762f1d895230fc1248c7b1333816fa7ca823eb4c8c9d4b01c2a1db71f66a792837d155557c45900
SSDEEP

384:m71TIEgivcqpCghtpCAhDnVLri57VurlgRL1xCLI05ej+1DPpUo/i/vFCbWZkraw:m7cGV95hIG1/d49gsCDs8

Score

10^/10

discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

wscript.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

4 2012 wscript.exe
5 2012 wscript.exe
7 2012 wscript.exe
9 2012 wscript.exe
10 2012 wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

flow	pid	process
4	2012	wscript.exe
5	2012	wscript.exe
7	2012	wscript.exe
9	2012	wscript.exe
10	2012	wscript.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

596 takeown.exe
1960 icacls.exe
1356 takeown.exe
1712 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1960 icacls.exe
1356 takeown.exe
1712 icacls.exe
596 takeown.exe

pid	process
596	takeown.exe
1960	icacls.exe
1356	takeown.exe
1712	icacls.exe

pid	process
1960	icacls.exe
1356	takeown.exe
1712	icacls.exe
596	takeown.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg"	wscript.exe

Drops file in Windows directory 1 IoCs

Processes:

wscript.exe

description ioc process

File opened for modification C:\Windows\System32 wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

624 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\System32	wscript.exe

pid	process
624	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\s1159 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\s2359 = "Bolbi"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International	wscript.exe

Modifies registry class 11 IoCs

Processes:

cmd.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.scr	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "dllfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "dllfile"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "exefile"	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1344 explorer.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

taskkill.exetakeown.exeexplorer.exeAUDIODG.EXEtakeown.exe

description	pid	process
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeTakeOwnershipPrivilege	1356	takeown.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: 33	1204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1204	AUDIODG.EXE
Token: 33	1204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1204	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	596	takeown.exe
Token: SeShutdownPrivilege	1344	explorer.exe
Token: SeShutdownPrivilege	1344	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

explorer.exe

pid	process
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

WScript.exewscript.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 2012	1632	WScript.exe	wscript.exe
PID 1632 wrote to memory of 2012	1632	WScript.exe	wscript.exe
PID 1632 wrote to memory of 2012	1632	WScript.exe	wscript.exe
PID 2012 wrote to memory of 1640	2012	wscript.exe	cmd.exe
PID 2012 wrote to memory of 1640	2012	wscript.exe	cmd.exe
PID 2012 wrote to memory of 1640	2012	wscript.exe	cmd.exe
PID 1640 wrote to memory of 1960	1640	cmd.exe	rundll32.exe
PID 1640 wrote to memory of 1960	1640	cmd.exe	rundll32.exe
PID 1640 wrote to memory of 1960	1640	cmd.exe	rundll32.exe
PID 1640 wrote to memory of 1684	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 1684	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 1684	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 1736	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 1736	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 1736	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 624	1640	cmd.exe	taskkill.exe
PID 1640 wrote to memory of 624	1640	cmd.exe	taskkill.exe
PID 1640 wrote to memory of 624	1640	cmd.exe	taskkill.exe
PID 1640 wrote to memory of 1344	1640	cmd.exe	explorer.exe
PID 1640 wrote to memory of 1344	1640	cmd.exe	explorer.exe
PID 1640 wrote to memory of 1344	1640	cmd.exe	explorer.exe
PID 1640 wrote to memory of 1356	1640	cmd.exe	takeown.exe
PID 1640 wrote to memory of 1356	1640	cmd.exe	takeown.exe
PID 1640 wrote to memory of 1356	1640	cmd.exe	takeown.exe
PID 1640 wrote to memory of 1712	1640	cmd.exe	icacls.exe
PID 1640 wrote to memory of 1712	1640	cmd.exe	icacls.exe
PID 1640 wrote to memory of 1712	1640	cmd.exe	icacls.exe
PID 1640 wrote to memory of 596	1640	cmd.exe	takeown.exe
PID 1640 wrote to memory of 596	1640	cmd.exe	takeown.exe
PID 1640 wrote to memory of 596	1640	cmd.exe	takeown.exe
PID 1640 wrote to memory of 1960	1640	cmd.exe	icacls.exe
PID 1640 wrote to memory of 1960	1640	cmd.exe	icacls.exe
PID 1640 wrote to memory of 1960	1640	cmd.exe	icacls.exe

System policy modification 1 TTPs 22 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KILLER.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\KILLER.vbs" /elevated
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2012
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\System32\rundll32.exe
      C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      4⤵
      PID:1960
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      4⤵
      PID:1684
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      4⤵
      PID:1736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1344
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1356
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /Grant Users:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1712
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:596
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\ /Grant Users:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Bolbi.txt

Filesize
29B

MD5
b37ed35ef479e43f406429bc36e68ec4

SHA1
5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

SHA256
cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

SHA512
d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

Download Submit
C:\Users\Public\Ghostroot\KillDora.bat

Filesize
482B

MD5
4f08159f1d70d41bf975e23230033a0f

SHA1
ea88d6fbdcf218e0e04a650d947250d8a3dfad40

SHA256
d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e

SHA512
958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a

Download Submit
C:\Users\Public\ghostroot\8ydfdsE.jpg

Filesize
59KB

MD5
1e8cd861c7919b862a9c47abae3dcce3

SHA1
4d44512ae2da33a9355463231184bbbfdc4396f2

SHA256
cba3db7504d0b98a3bc5bebc7d4479360f4535378a9ee113c2269811d0a8d6d9

SHA512
ee06887355aeff3fe2865bcde6050d8d139668e78bb352a6a0f32b36446887dab78e50a88c0762e3b3d36dd3288546a6283e2f19a7873f01733666046be60e48

Download Submit
memory/596-69-0x0000000000000000-mapping.dmp

Download
memory/624-63-0x0000000000000000-mapping.dmp

Download
memory/1344-64-0x0000000000000000-mapping.dmp

Download
memory/1356-65-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/1640-57-0x0000000000000000-mapping.dmp

Download
memory/1684-61-0x0000000000000000-mapping.dmp

Download
memory/1712-67-0x0000000000000000-mapping.dmp

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download
memory/1960-59-0x0000000000000000-mapping.dmp

Download
memory/1960-70-0x0000000000000000-mapping.dmp

Download
memory/2012-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads