Analysis
-
max time kernel
149s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
24-11-2022 01:06
General
-
Target
b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe
-
Size
96KB
-
MD5
347fafe56ef50d6edb9f81d47dc40731
-
SHA1
3c66549b28ae60c4028e0833efdde00303f54511
-
SHA256
b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
-
SHA512
5e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
SSDEEP
1536:O9wvQUreUbyzsB+2zeNOpQxgbZdCNlv4wsaec7ht0LGa8:SA/yzn2ze8pnbZd0v33/h6
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 15 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 15 IoCs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 7 IoCs
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 30 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 15 IoCs
-
Runs regedit.exe 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~FF75.bat "C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBInfo.vbe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Drivers\USBInfo.com"C:\Windows\system32\Drivers\USBInfo.com"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~1DDE.bat "C:\Windows\system32\Drivers\USBInfo.com"5⤵
- Drops file in Drivers directory
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf6⤵
- Drops autorun.inf file
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$Recycle.Bin"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Documents and Settings"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "MSOCache"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "PerfLogs"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files (x86)"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "ProgramData"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Recovery"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "System Volume Information"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Users"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Windows"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\System Volume Information.exeFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
C:\Users\Admin\AppData\Local\Temp\~1DDE.batFilesize
4KB
MD5bc278224d87330dbedf84ddefdced3f1
SHA10a21b60897db6bd7559fef583bb095266110b653
SHA2561d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a
SHA5126ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a
-
C:\Users\Admin\AppData\Local\Temp\~FF75.batFilesize
4KB
MD5bc278224d87330dbedf84ddefdced3f1
SHA10a21b60897db6bd7559fef583bb095266110b653
SHA2561d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a
SHA5126ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a
-
C:\Windows\SysWOW64\Drivers\USBInfo.comFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
C:\Windows\SysWOW64\Drivers\USBInfo.vbeFilesize
77B
MD554ceb8eabaff522c097e4949d39fbd09
SHA1304fd3c274aac25477ba1f3f500ae34e6c94612d
SHA256d2d64a938a71d1b747112176eeb345991433fc81475a397b85b6b4c3d97f8550
SHA5123c6ce4fe30121305b176a3ccc7358343bfdd28537358e7289e4354b52f152c018acfe843659df5bd35228fca804b0285baa8350e2b6ca39719bdefdb77b2e0be
-
C:\Windows\SysWOW64\Drivers\USBStor.vbeFilesize
20B
MD5905d7a48a13a75ced1342bbdf0a3ace2
SHA13bcc021a82ed38810bcf61286eb1f4e578e3721f
SHA25610338a72fbacb4fdf731d8937cdf23519896c5122b6a80079527cebf8406b3cd
SHA512fe77b8b928ba1ffb1a8bf941b2a0279b3ca6512d30dd1a2e2f363f9b2be245e361fab40232bc868f0f7e79bacc476653a49b66d2cf6945ed87b0c776783db8c1
-
C:\Windows\SysWOW64\Drivers\USBSys.vbeFilesize
19B
MD5322866ac1312f3bc0dd8685949f35b6a
SHA1dc3f64764aa99595ee48721142d2301ebbe07aec
SHA2565417fd3704beb2760ed54c38048ae44d2cd49312be2a8f104e542bbd5bbc88d6
SHA5121b5c2320beaeb34895a1d11882566463d365a128db4d260189850990e1215ce737334ee96b43ecd2c018f040548209cc6f11328a5a9b9eb5f57fc6ac61afe03d
-
C:\Windows\SysWOW64\drivers\USBInfo.comFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
C:\Windows\SysWOW64\drivers\USBInfo.sy_Filesize
1KB
MD5e3f32bf45469d18567e23485109ffdd4
SHA12e207b073a4237e05b5da89f9ca2e9771757620c
SHA256e41ad345599c751ed8b124229df31681f2c44d322d092f85c2205b97f09c8a81
SHA512e8ab034c883c747d6a093d1221e080adf84a1c3662e4469c59cf49f693561262d435c28eede60e18151222fd9562abc6c81b6a57fa5587032cbc2d0b74a0c0e5
-
C:\autorun.infFilesize
149B
MD5babb9292822f6963475088494e446a00
SHA1d0f96ea279562a899f24b5a6905065de029877b0
SHA256bff5694d6d4c8a41217fa9d98d95c355a6f63ef939a4ef89bc45d1cf443a1f9d
SHA512b96daa0a52867f7f0454c8b35d85682aa22c3ac59495760c95204cc1cfc419bd88b5cc59d92dfab5a6343f8f86659e35e2f38cda0c1ea014d2377ab5e525fd5b
-
C:\╬─╝■╝╨.exeFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
\Windows\SysWOW64\drivers\USBInfo.comFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
\Windows\SysWOW64\drivers\USBInfo.comFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
memory/340-119-0x0000000000000000-mapping.dmp
-
memory/432-61-0x0000000000000000-mapping.dmp
-
memory/452-150-0x0000000000000000-mapping.dmp
-
memory/540-128-0x0000000000000000-mapping.dmp
-
memory/556-67-0x0000000000000000-mapping.dmp
-
memory/584-111-0x0000000000000000-mapping.dmp
-
memory/608-127-0x0000000000000000-mapping.dmp
-
memory/636-142-0x0000000000000000-mapping.dmp
-
memory/676-107-0x0000000000000000-mapping.dmp
-
memory/844-57-0x0000000075601000-0x0000000075603000-memory.dmpFilesize
8KB
-
memory/844-54-0x0000000000000000-mapping.dmp
-
memory/892-109-0x0000000000000000-mapping.dmp
-
memory/900-85-0x0000000000000000-mapping.dmp
-
memory/904-134-0x0000000000000000-mapping.dmp
-
memory/904-97-0x0000000000000000-mapping.dmp
-
memory/984-95-0x0000000000000000-mapping.dmp
-
memory/984-132-0x0000000000000000-mapping.dmp
-
memory/1008-86-0x0000000000000000-mapping.dmp
-
memory/1028-122-0x0000000000000000-mapping.dmp
-
memory/1152-144-0x0000000000000000-mapping.dmp
-
memory/1184-76-0x0000000000000000-mapping.dmp
-
memory/1204-147-0x0000000000000000-mapping.dmp
-
memory/1296-126-0x0000000000000000-mapping.dmp
-
memory/1312-81-0x0000000000000000-mapping.dmp
-
memory/1316-99-0x0000000000000000-mapping.dmp
-
memory/1320-141-0x0000000000000000-mapping.dmp
-
memory/1348-113-0x0000000000000000-mapping.dmp
-
memory/1380-94-0x0000000000000000-mapping.dmp
-
memory/1380-131-0x0000000000000000-mapping.dmp
-
memory/1404-90-0x0000000000000000-mapping.dmp
-
memory/1440-69-0x0000000000000000-mapping.dmp
-
memory/1500-72-0x0000000000000000-mapping.dmp
-
memory/1516-137-0x0000000000000000-mapping.dmp
-
memory/1516-101-0x0000000000000000-mapping.dmp
-
memory/1528-102-0x0000000000000000-mapping.dmp
-
memory/1540-117-0x0000000000000000-mapping.dmp
-
memory/1604-83-0x0000000000000000-mapping.dmp
-
memory/1612-103-0x0000000000000000-mapping.dmp
-
memory/1624-91-0x0000000000000000-mapping.dmp
-
memory/1628-129-0x0000000000000000-mapping.dmp
-
memory/1632-89-0x0000000000000000-mapping.dmp
-
memory/1640-87-0x0000000000000000-mapping.dmp
-
memory/1644-149-0x0000000000000000-mapping.dmp
-
memory/1672-135-0x0000000000000000-mapping.dmp
-
memory/1696-105-0x0000000000000000-mapping.dmp
-
memory/1700-120-0x0000000000000000-mapping.dmp
-
memory/1704-112-0x0000000000000000-mapping.dmp
-
memory/1708-96-0x0000000000000000-mapping.dmp
-
memory/1708-133-0x0000000000000000-mapping.dmp
-
memory/1716-148-0x0000000000000000-mapping.dmp
-
memory/1740-78-0x0000000000000000-mapping.dmp
-
memory/1744-92-0x0000000000000000-mapping.dmp
-
memory/1752-114-0x0000000000000000-mapping.dmp
-
memory/1760-71-0x0000000000000000-mapping.dmp
-
memory/1760-116-0x0000000000000000-mapping.dmp
-
memory/1764-88-0x0000000000000000-mapping.dmp
-
memory/1808-143-0x0000000000000000-mapping.dmp
-
memory/1868-104-0x0000000000000000-mapping.dmp
-
memory/1888-118-0x0000000000000000-mapping.dmp
-
memory/1940-124-0x0000000000000000-mapping.dmp
-
memory/1960-139-0x0000000000000000-mapping.dmp
-
memory/1960-58-0x0000000000000000-mapping.dmp
-
memory/1996-93-0x0000000000000000-mapping.dmp
-
memory/2028-56-0x0000000000000000-mapping.dmp
-
memory/2032-146-0x0000000000000000-mapping.dmp