Analysis
-
max time kernel
189s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
24-11-2022 01:06
General
-
Target
b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe
-
Size
96KB
-
MD5
347fafe56ef50d6edb9f81d47dc40731
-
SHA1
3c66549b28ae60c4028e0833efdde00303f54511
-
SHA256
b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
-
SHA512
5e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
SSDEEP
1536:O9wvQUreUbyzsB+2zeNOpQxgbZdCNlv4wsaec7ht0LGa8:SA/yzn2ze8pnbZd0v33/h6
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 7 IoCs
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 20 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 10 IoCs
-
Modifies registry class 2 IoCs
-
Runs regedit.exe 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~2839.bat "C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBInfo.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Drivers\USBInfo.com"C:\Windows\system32\Drivers\USBInfo.com"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~83C6.bat "C:\Windows\system32\Drivers\USBInfo.com"5⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf6⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$Recycle.Bin"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Documents and Settings"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "odt"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "PerfLogs"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files (x86)"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "ProgramData"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Recovery"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "System Volume Information"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Users"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Windows"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Runs regedit.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\System Volume Information.exeFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
C:\Users\Admin\AppData\Local\Temp\~2839.batFilesize
4KB
MD5bc278224d87330dbedf84ddefdced3f1
SHA10a21b60897db6bd7559fef583bb095266110b653
SHA2561d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a
SHA5126ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a
-
C:\Users\Admin\AppData\Local\Temp\~83C6.batFilesize
4KB
MD5bc278224d87330dbedf84ddefdced3f1
SHA10a21b60897db6bd7559fef583bb095266110b653
SHA2561d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a
SHA5126ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a
-
C:\Windows\SysWOW64\Drivers\USBInfo.comFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
C:\Windows\SysWOW64\Drivers\USBInfo.vbeFilesize
77B
MD554ceb8eabaff522c097e4949d39fbd09
SHA1304fd3c274aac25477ba1f3f500ae34e6c94612d
SHA256d2d64a938a71d1b747112176eeb345991433fc81475a397b85b6b4c3d97f8550
SHA5123c6ce4fe30121305b176a3ccc7358343bfdd28537358e7289e4354b52f152c018acfe843659df5bd35228fca804b0285baa8350e2b6ca39719bdefdb77b2e0be
-
C:\Windows\SysWOW64\Drivers\USBStor.vbeFilesize
20B
MD5905d7a48a13a75ced1342bbdf0a3ace2
SHA13bcc021a82ed38810bcf61286eb1f4e578e3721f
SHA25610338a72fbacb4fdf731d8937cdf23519896c5122b6a80079527cebf8406b3cd
SHA512fe77b8b928ba1ffb1a8bf941b2a0279b3ca6512d30dd1a2e2f363f9b2be245e361fab40232bc868f0f7e79bacc476653a49b66d2cf6945ed87b0c776783db8c1
-
C:\Windows\SysWOW64\Drivers\USBSys.vbeFilesize
19B
MD5322866ac1312f3bc0dd8685949f35b6a
SHA1dc3f64764aa99595ee48721142d2301ebbe07aec
SHA2565417fd3704beb2760ed54c38048ae44d2cd49312be2a8f104e542bbd5bbc88d6
SHA5121b5c2320beaeb34895a1d11882566463d365a128db4d260189850990e1215ce737334ee96b43ecd2c018f040548209cc6f11328a5a9b9eb5f57fc6ac61afe03d
-
C:\Windows\SysWOW64\drivers\USBInfo.comFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
C:\Windows\SysWOW64\drivers\USBInfo.sy_Filesize
1KB
MD5e3f32bf45469d18567e23485109ffdd4
SHA12e207b073a4237e05b5da89f9ca2e9771757620c
SHA256e41ad345599c751ed8b124229df31681f2c44d322d092f85c2205b97f09c8a81
SHA512e8ab034c883c747d6a093d1221e080adf84a1c3662e4469c59cf49f693561262d435c28eede60e18151222fd9562abc6c81b6a57fa5587032cbc2d0b74a0c0e5
-
C:\autorun.infFilesize
149B
MD5babb9292822f6963475088494e446a00
SHA1d0f96ea279562a899f24b5a6905065de029877b0
SHA256bff5694d6d4c8a41217fa9d98d95c355a6f63ef939a4ef89bc45d1cf443a1f9d
SHA512b96daa0a52867f7f0454c8b35d85682aa22c3ac59495760c95204cc1cfc419bd88b5cc59d92dfab5a6343f8f86659e35e2f38cda0c1ea014d2377ab5e525fd5b
-
C:\╬─╝■╝╨.exeFilesize
96KB
MD5347fafe56ef50d6edb9f81d47dc40731
SHA13c66549b28ae60c4028e0833efdde00303f54511
SHA256b69ae4a13dff3e76060d9bfa66bb838d0881e5a79b82ec5bf647d6256415b92a
SHA5125e8ae51ee81d911d1f2902552fab9f34f13d0d8f699312be3bea84a12e621c41c8ed477929596de1112c30f7d7ace2d97241bcf8db509122e60030f3c049c0b9
-
memory/116-175-0x0000000000000000-mapping.dmp
-
memory/364-165-0x0000000000000000-mapping.dmp
-
memory/760-202-0x0000000000000000-mapping.dmp
-
memory/792-159-0x0000000000000000-mapping.dmp
-
memory/808-190-0x0000000000000000-mapping.dmp
-
memory/868-161-0x0000000000000000-mapping.dmp
-
memory/880-191-0x0000000000000000-mapping.dmp
-
memory/944-179-0x0000000000000000-mapping.dmp
-
memory/1060-154-0x0000000000000000-mapping.dmp
-
memory/1168-166-0x0000000000000000-mapping.dmp
-
memory/1332-163-0x0000000000000000-mapping.dmp
-
memory/1384-205-0x0000000000000000-mapping.dmp
-
memory/1460-176-0x0000000000000000-mapping.dmp
-
memory/1620-195-0x0000000000000000-mapping.dmp
-
memory/1660-185-0x0000000000000000-mapping.dmp
-
memory/1912-188-0x0000000000000000-mapping.dmp
-
memory/1932-156-0x0000000000000000-mapping.dmp
-
memory/2112-152-0x0000000000000000-mapping.dmp
-
memory/2276-142-0x0000000000000000-mapping.dmp
-
memory/2552-170-0x0000000000000000-mapping.dmp
-
memory/2636-174-0x0000000000000000-mapping.dmp
-
memory/2672-168-0x0000000000000000-mapping.dmp
-
memory/2924-200-0x0000000000000000-mapping.dmp
-
memory/3020-194-0x0000000000000000-mapping.dmp
-
memory/3076-160-0x0000000000000000-mapping.dmp
-
memory/3136-150-0x0000000000000000-mapping.dmp
-
memory/3232-171-0x0000000000000000-mapping.dmp
-
memory/3236-187-0x0000000000000000-mapping.dmp
-
memory/3340-158-0x0000000000000000-mapping.dmp
-
memory/3348-186-0x0000000000000000-mapping.dmp
-
memory/3348-147-0x0000000000000000-mapping.dmp
-
memory/3412-132-0x0000000000000000-mapping.dmp
-
memory/3440-169-0x0000000000000000-mapping.dmp
-
memory/3484-181-0x0000000000000000-mapping.dmp
-
memory/3580-183-0x0000000000000000-mapping.dmp
-
memory/3596-178-0x0000000000000000-mapping.dmp
-
memory/3600-203-0x0000000000000000-mapping.dmp
-
memory/3756-164-0x0000000000000000-mapping.dmp
-
memory/3760-157-0x0000000000000000-mapping.dmp
-
memory/3904-172-0x0000000000000000-mapping.dmp
-
memory/3936-145-0x0000000000000000-mapping.dmp
-
memory/3972-137-0x0000000000000000-mapping.dmp
-
memory/4028-198-0x0000000000000000-mapping.dmp
-
memory/4040-173-0x0000000000000000-mapping.dmp
-
memory/4088-204-0x0000000000000000-mapping.dmp
-
memory/4284-180-0x0000000000000000-mapping.dmp
-
memory/4292-197-0x0000000000000000-mapping.dmp
-
memory/4296-192-0x0000000000000000-mapping.dmp
-
memory/4480-135-0x0000000000000000-mapping.dmp
-
memory/4568-148-0x0000000000000000-mapping.dmp
-
memory/4576-140-0x0000000000000000-mapping.dmp
-
memory/4588-162-0x0000000000000000-mapping.dmp
-
memory/4612-193-0x0000000000000000-mapping.dmp
-
memory/4720-201-0x0000000000000000-mapping.dmp
-
memory/4784-196-0x0000000000000000-mapping.dmp
-
memory/4816-206-0x0000000000000000-mapping.dmp
-
memory/4828-134-0x0000000000000000-mapping.dmp
-
memory/4848-199-0x0000000000000000-mapping.dmp
-
memory/4852-144-0x0000000000000000-mapping.dmp
-
memory/4888-184-0x0000000000000000-mapping.dmp
-
memory/4900-189-0x0000000000000000-mapping.dmp
-
memory/5032-177-0x0000000000000000-mapping.dmp
-
memory/5048-182-0x0000000000000000-mapping.dmp
-
memory/5064-155-0x0000000000000000-mapping.dmp