a3d25bd5b75b188d6280f6e5f8ba7185ef041f6bf25cd8e4875b433a4552b12a

Analysis

max time kernel
204s
max time network
133s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Size

410KB
MD5

a6c776f57b289b97ddf353c32776a4ae
SHA1

6da71ee426632b691e785b22ce9762db728f68ad
SHA256

686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716
SHA512

6afaf962e2a01c827e711bda9cc9c68e02c0c81a9da6208b4e35b482e210719994fbe3d804ef453bf824338b7b9bb3131b7e8606cfd86fd89bf597a004a61802
SSDEEP

12288:eIGmqFaVrXRP5Qo1CaeFWO+N+P52WZUHcyEaK54W7i4ZP/XjI:eStVFPutfo5X

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

svcnosts.exesvcnosts.exesvcnost.exe

pid process

452 svcnosts.exe
1976 svcnosts.exe
1052 svcnost.exe
Sets file to hidden 1 TTPs 10 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

816 attrib.exe
2032 attrib.exe
788 attrib.exe
1840 attrib.exe
1152 attrib.exe
1584 attrib.exe
1864 attrib.exe
1156 attrib.exe
920 attrib.exe
1884 attrib.exe

pid	process
452	svcnosts.exe
1976	svcnosts.exe
1052	svcnost.exe

pid	process
816	attrib.exe
2032	attrib.exe
788	attrib.exe
1840	attrib.exe
1152	attrib.exe
1584	attrib.exe
1864	attrib.exe
1156	attrib.exe
920	attrib.exe
1884	attrib.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorers = "C:\\Windows\\explorer.exe /root c:\\windows\\system32\\rundll32.exe ..\\windows\\system32\\user32.dll.ShellExecute(%s), C:\\System_VoIume_lnformation\\Jnt\\sytyfokyq\\bmz\\explorer.exe\u009d, 0xff3leca"	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorers = "C:\\Windows\\explorer.exe /root c:\\windows\\system32\\rundll32.exe ..\\windows\\system32\\user32.dll.ShellExecute(%s), C:\\System_VoIume_lnformation\\Jnt\\howu\\bmz\\explorer.exe\u009d, 0xff3leca"	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\sefera\Jnt\ruji\desktop.ini	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
File opened for modification	C:\sefera\Jnt\ruji\desktop.ini	attrib.exe
File opened for modification	C:\sefera\desktop.ini	attrib.exe
File opened for modification	C:\sefera\Jnt\vapipyh\desktop.ini	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
File opened for modification	C:\sefera\Jnt\vapipyh\desktop.ini	attrib.exe
File opened for modification	C:\sefera\desktop.ini	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
File opened for modification	C:\sefera\desktop.ini	attrib.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cacls.execacls.execacls.execacls.execacls.execacls.execacls.execacls.exe

description	ioc	process
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe
File opened (read-only)	\??\N:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe
File opened (read-only)	\??\n:	cacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1584 taskkill.exe

pid	process
1584	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 42 IoCs

Processes:

explorer.exe686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefiles\shell\open\command\ = "\"C:\\System_VoIume_lnformation\\Jnt\\sytyfokyq\\explorers.exe\" rts \"%1\""	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000006b55837c122041707044617461003c0008000400efbe6b55837c6b55837c2a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000006b55537e10204c6f63616c00380008000400efbe6b55837c6b55537e2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\ = "exefiles"	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefiles\shell\open\command\ = "\"C:\\System_VoIume_lnformation\\Jnt\\howu\\explorers.exe\" rts \"%1\""	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefiles\shell\open\command	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000006b552283100041646d696e00380008000400efbe6b55837c6b5522832a00000031000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000007a550050102054656d700000360008000400efbe6b55837c7a5500502a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefiles\shell\open	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefiles	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefiles\shell	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000006b55837c1100557365727300600008000400efbeee3a851a6b55837c2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exesvcnosts.exe

pid	process
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
452	svcnosts.exe
452	svcnosts.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exesvcnosts.exetaskkill.exesvcnosts.exesvcnost.exe

description	pid	process
Token: SeDebugPrivilege	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
Token: SeDebugPrivilege	452	svcnosts.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1976	svcnosts.exe
Token: SeDebugPrivilege	1052	svcnost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1772 wrote to memory of 1884	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	explorer.exe
PID 1772 wrote to memory of 1884	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	explorer.exe
PID 1772 wrote to memory of 1884	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	explorer.exe
PID 1772 wrote to memory of 752	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 752	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 752	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 752 wrote to memory of 1808	752	cmd.exe	cacls.exe
PID 752 wrote to memory of 1808	752	cmd.exe	cacls.exe
PID 752 wrote to memory of 1808	752	cmd.exe	cacls.exe
PID 1772 wrote to memory of 1448	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1448	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1448	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1448 wrote to memory of 736	1448	cmd.exe	cacls.exe
PID 1448 wrote to memory of 736	1448	cmd.exe	cacls.exe
PID 1448 wrote to memory of 736	1448	cmd.exe	cacls.exe
PID 1772 wrote to memory of 2028	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 2028	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 2028	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 2028 wrote to memory of 1508	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 1508	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 1508	2028	cmd.exe	cacls.exe
PID 1772 wrote to memory of 1000	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1000	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1000	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1000 wrote to memory of 1824	1000	cmd.exe	cacls.exe
PID 1000 wrote to memory of 1824	1000	cmd.exe	cacls.exe
PID 1000 wrote to memory of 1824	1000	cmd.exe	cacls.exe
PID 1772 wrote to memory of 1592	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1592	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1592	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1592 wrote to memory of 1156	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 1156	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 1156	1592	cmd.exe	cacls.exe
PID 1772 wrote to memory of 1608	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1608	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1608	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1608 wrote to memory of 1764	1608	cmd.exe	cacls.exe
PID 1608 wrote to memory of 1764	1608	cmd.exe	cacls.exe
PID 1608 wrote to memory of 1764	1608	cmd.exe	cacls.exe
PID 1772 wrote to memory of 624	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 624	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 624	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 624 wrote to memory of 916	624	cmd.exe	cacls.exe
PID 624 wrote to memory of 916	624	cmd.exe	cacls.exe
PID 624 wrote to memory of 916	624	cmd.exe	cacls.exe
PID 1772 wrote to memory of 808	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 808	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 808	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 808 wrote to memory of 1180	808	cmd.exe	cacls.exe
PID 808 wrote to memory of 1180	808	cmd.exe	cacls.exe
PID 808 wrote to memory of 1180	808	cmd.exe	cacls.exe
PID 1772 wrote to memory of 1456	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1456	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 1456	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1456 wrote to memory of 1884	1456	cmd.exe	attrib.exe
PID 1456 wrote to memory of 1884	1456	cmd.exe	attrib.exe
PID 1456 wrote to memory of 1884	1456	cmd.exe	attrib.exe
PID 1772 wrote to memory of 736	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 736	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 1772 wrote to memory of 736	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe
PID 736 wrote to memory of 1152	736	cmd.exe	attrib.exe
PID 736 wrote to memory of 1152	736	cmd.exe	attrib.exe
PID 736 wrote to memory of 1152	736	cmd.exe	attrib.exe
PID 1772 wrote to memory of 1068	1772	686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe	cmd.exe

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
600	attrib.exe
2032	attrib.exe
920	attrib.exe
1840	attrib.exe
816	attrib.exe
1584	attrib.exe
788	attrib.exe
1864	attrib.exe
1156	attrib.exe
1884	attrib.exe
1152	attrib.exe
1952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
"C:\Users\Admin\AppData\Local\Temp\686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe\..
2⤵
PID:1884

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\cacls.exe
cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
3⤵
- Enumerates connected drives
PID:1808

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /r administrators /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\cacls.exe
cacls n:\sefera\Jnt\null\..\.. /r administrators /e /t
3⤵
- Enumerates connected drives
PID:736

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /r Admin /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\cacls.exe
cacls n:\sefera\Jnt\null\..\.. /r Admin /e /t
3⤵
- Enumerates connected drives
PID:1508

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\cacls.exe
cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
3⤵
- Enumerates connected drives
PID:1824

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\cacls.exe
cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
3⤵
- Enumerates connected drives
PID:1156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\cacls.exe
cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t
3⤵
- Enumerates connected drives
PID:1764

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r Admin /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\system32\cacls.exe
cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r Admin /e /t
3⤵
- Enumerates connected drives
PID:916

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\cacls.exe
cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
3⤵
- Enumerates connected drives
PID:1180

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\ruji\..\.. +r +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\ruji\..\.. +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1884

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\ruji\..\..\desktop.ini +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\ruji\..\..\desktop.ini +s +h
3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1152

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\ruji +r +s +h
2⤵
PID:1068

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\ruji +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1840

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\ruji\desktop.ini +s +h
2⤵
PID:1684

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\ruji\desktop.ini +s +h
3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:816

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\System_VoIume_lnformation\Jnt\howu\..\.. +r +s +h
2⤵
PID:1988

C:\Windows\system32\attrib.exe
attrib C:\System_VoIume_lnformation\Jnt\howu\..\.. +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\ruji\..\.. /d administrators /e
2⤵
PID:804

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\ruji\..\.. /d administrators /e
3⤵
PID:1328

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\ruji\..\.. /d everyone /e
2⤵
PID:1252

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\ruji\..\.. /d everyone /e
3⤵
PID:1496

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\ruji\..\.. /d Admin /e
2⤵
PID:1884

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\ruji\..\.. /d Admin /e
3⤵
PID:1888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /d administrators /e
2⤵
PID:968

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /d administrators /e
3⤵
PID:1840

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /d everyone /e
2⤵
PID:920

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /d everyone /e
3⤵
PID:1724

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /d Admin /e
2⤵
PID:828

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /d Admin /e
3⤵
PID:308

C:\sefera\Jnt\ruji\svcnosts.exe
"C:\sefera\Jnt\ruji\svcnosts.exe" fdrg
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /im svcnost.exe /im svcnosts.exe /f
2⤵
PID:1944

C:\Windows\system32\taskkill.exe
taskkill /im svcnost.exe /im svcnosts.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\ruji\..\.. /g everyone:f /e /t
2⤵
PID:1764

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\ruji\..\.. /g everyone:f /e /t
3⤵
PID:1216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\ruji\..\.. /r administrators /e /t
2⤵
PID:1780

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\ruji\..\.. /r administrators /e /t
3⤵
PID:1616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\ruji\..\.. /r Admin /e /t
2⤵
PID:688

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\ruji\..\.. /r Admin /e /t
3⤵
PID:1828

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\ruji\..\.. /g everyone:f /e /t
2⤵
PID:824

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\ruji\..\.. /g everyone:f /e /t
3⤵
PID:584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /g everyone:f /e /t
2⤵
PID:1808

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /g everyone:f /e /t
3⤵
PID:1948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /r administrators /e /t
2⤵
PID:1116

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /r administrators /e /t
3⤵
PID:1584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /r Admin /e /t
2⤵
PID:948

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /r Admin /e /t
3⤵
PID:1588

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /g everyone:f /e /t
2⤵
PID:1616

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\howu\..\.. /g everyone:f /e /t
3⤵
PID:1840

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls "C:\sefera\Jnt\ruji" /g everyone:f /t /c /e
2⤵
PID:1828

C:\Windows\system32\cacls.exe
cacls "C:\sefera\Jnt\ruji" /g everyone:f /t /c /e
3⤵
PID:548

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib "C:\sefera\Jnt\ruji*" -h -s -r /d
2⤵
PID:1956

C:\Windows\system32\attrib.exe
attrib "C:\sefera\Jnt\ruji*" -h -s -r /d
3⤵
- Views/modifies file attributes
PID:600

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\sefera\Jnt\ruji" /f /s /q
2⤵
PID:1180

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd "C:\sefera\Jnt\ruji" /s /q
2⤵
PID:308

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls "C:\System_VoIume_lnformation\Jnt\howu" /g everyone:f /t /c /e
2⤵
PID:1200

C:\Windows\system32\cacls.exe
cacls "C:\System_VoIume_lnformation\Jnt\howu" /g everyone:f /t /c /e
3⤵
PID:1484

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib "C:\System_VoIume_lnformation\Jnt\howu*" -h -s -r /d
2⤵
PID:1580

C:\Windows\system32\attrib.exe
attrib "C:\System_VoIume_lnformation\Jnt\howu*" -h -s -r /d
3⤵
- Views/modifies file attributes
PID:1952

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\System_VoIume_lnformation\Jnt\howu" /f /s /q
2⤵
PID:1092

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd "C:\System_VoIume_lnformation\Jnt\howu" /s /q
2⤵
PID:1668

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\vapipyh\..\.. +r +s +h
2⤵
PID:600

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\vapipyh\..\.. +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2032

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\vapipyh\..\..\desktop.ini +s +h
2⤵
PID:1380

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\vapipyh\..\..\desktop.ini +s +h
3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:788

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\vapipyh +r +s +h
2⤵
PID:1484

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\vapipyh +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1864

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\vapipyh\desktop.ini +s +h
2⤵
PID:1992

C:\Windows\system32\attrib.exe
attrib C:\sefera\Jnt\vapipyh\desktop.ini +s +h
3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. +r +s +h
2⤵
PID:1980

C:\Windows\system32\attrib.exe
attrib C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:920

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\vapipyh\..\.. /d administrators /e
2⤵
PID:968

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\vapipyh\..\.. /d administrators /e
3⤵
PID:1448

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\vapipyh\..\.. /d everyone /e
2⤵
PID:948

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\vapipyh\..\.. /d everyone /e
3⤵
PID:1116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\vapipyh\..\.. /d Admin /e
2⤵
PID:1092

C:\Windows\system32\cacls.exe
cacls C:\sefera\Jnt\vapipyh\..\.. /d Admin /e
3⤵
PID:688

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. /d administrators /e
2⤵
PID:808

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. /d administrators /e
3⤵
PID:1604

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. /d everyone /e
2⤵
PID:1176

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. /d everyone /e
3⤵
PID:1536

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. /d Admin /e
2⤵
PID:1576

C:\Windows\system32\cacls.exe
cacls C:\System_VoIume_lnformation\Jnt\sytyfokyq\..\.. /d Admin /e
3⤵
PID:1692

C:\sefera\Jnt\vapipyh\svcnosts.exe
"C:\sefera\Jnt\vapipyh\svcnosts.exe" fdrg
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\sefera\Jnt\vapipyh\svcnost.exe
"C:\sefera\Jnt\vapipyh\svcnost.exe" nm
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files .exe
Filesize
410KB

MD5
a6c776f57b289b97ddf353c32776a4ae

SHA1
6da71ee426632b691e785b22ce9762db728f68ad

SHA256
686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716

SHA512
6afaf962e2a01c827e711bda9cc9c68e02c0c81a9da6208b4e35b482e210719994fbe3d804ef453bf824338b7b9bb3131b7e8606cfd86fd89bf597a004a61802

Download Submit
C:\Show Hidden Files.bat
Filesize
458KB

MD5
eb0e0c123d2ea9af6487b8d695eb402f

SHA1
6730f38a2cc3af5580532de53ea1d08e89e88e48

SHA256
a5c4046be14907415076e391baffcfbaff7464c234359cee3ca0a0c0b1c8f25a

SHA512
c60df41d30a40d7b71d997e4a1e85f49b9a5b31164947d26f35e83058edb07035d9582c259f905ec3749209656d616ac25ec438e91b7ccb4cb4695f58e7f5370

Download Submit
C:\System_VoIume_lnformation\Jnt\howu\bmz\explorer.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
C:\System_VoIume_lnformation\Jnt\howu\explorers.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\System_VoIume_lnformation\Jnt\howu\gotera.bmp
Filesize
410KB

MD5
f1a2d63899b87cef381f57bb4d195f7c

SHA1
91c1849a76df0dce80e14ef40458e6c9d677ee77

SHA256
c0f305f40a1cccce836a9dc9f44368abc4173d4a697709d3ec8c71afdc30fcea

SHA512
36a6374c903c436b8c423a0c654c27624ee38739b84e9851a42d62db46f48c4bccd8112a92e0194e36ba96c7548bc4bcb479aea6f0133a963e4221be90b51b84

Download Submit
C:\sefera\Jnt\ruji\desktop.ini
Filesize
127B

MD5
adc4b5d4444d26293dc782b6238ca6f0

SHA1
056aca176cdc486f810aaf4f711d662c452e9760

SHA256
abe8a5933ff450a89b8e9a736f08874b43b7355d17ffe6540c4a6ead0f0995d3

SHA512
a539127e8257905a9c0d8559b7d1f985413ed59235479fd08d42995c5faa1644a4b75e296c12ea002962e2c782c57cad098f45b0f7f1e9ce0f456627c50d3616

Download Submit
C:\sefera\Jnt\ruji\gotera.bmp
Filesize
410KB

MD5
f1a2d63899b87cef381f57bb4d195f7c

SHA1
91c1849a76df0dce80e14ef40458e6c9d677ee77

SHA256
c0f305f40a1cccce836a9dc9f44368abc4173d4a697709d3ec8c71afdc30fcea

SHA512
36a6374c903c436b8c423a0c654c27624ee38739b84e9851a42d62db46f48c4bccd8112a92e0194e36ba96c7548bc4bcb479aea6f0133a963e4221be90b51b84

Download Submit
C:\sefera\Jnt\ruji\svcnost.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\sefera\Jnt\ruji\svcnosts.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\sefera\Jnt\ruji\svcnosts.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\sefera\Jnt\vapipyh\desktop.ini
Filesize
127B

MD5
adc4b5d4444d26293dc782b6238ca6f0

SHA1
056aca176cdc486f810aaf4f711d662c452e9760

SHA256
abe8a5933ff450a89b8e9a736f08874b43b7355d17ffe6540c4a6ead0f0995d3

SHA512
a539127e8257905a9c0d8559b7d1f985413ed59235479fd08d42995c5faa1644a4b75e296c12ea002962e2c782c57cad098f45b0f7f1e9ce0f456627c50d3616

Download Submit
C:\sefera\Jnt\vapipyh\svcnost.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\sefera\Jnt\vapipyh\svcnost.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\sefera\Jnt\vapipyh\svcnosts.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\sefera\Jnt\vapipyh\svcnosts.exe
Filesize
296KB

MD5
e1c8e6fa5477fc3c6459b70ec2c362e0

SHA1
585a71ee1d2f2354628ddd3367f3f3779c0f47fb

SHA256
33aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360

SHA512
a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551

Download Submit
C:\sefera\desktop.ini
Filesize
127B

MD5
adc4b5d4444d26293dc782b6238ca6f0

SHA1
056aca176cdc486f810aaf4f711d662c452e9760

SHA256
abe8a5933ff450a89b8e9a736f08874b43b7355d17ffe6540c4a6ead0f0995d3

SHA512
a539127e8257905a9c0d8559b7d1f985413ed59235479fd08d42995c5faa1644a4b75e296c12ea002962e2c782c57cad098f45b0f7f1e9ce0f456627c50d3616

Download Submit
C:\sefera\desktop.ini
Filesize
127B

MD5
adc4b5d4444d26293dc782b6238ca6f0

SHA1
056aca176cdc486f810aaf4f711d662c452e9760

SHA256
abe8a5933ff450a89b8e9a736f08874b43b7355d17ffe6540c4a6ead0f0995d3

SHA512
a539127e8257905a9c0d8559b7d1f985413ed59235479fd08d42995c5faa1644a4b75e296c12ea002962e2c782c57cad098f45b0f7f1e9ce0f456627c50d3616

Download Submit
memory/308-135-0x0000000000000000-mapping.dmp

Download
memory/308-100-0x0000000000000000-mapping.dmp

Download
memory/452-105-0x0000000001F30000-0x0000000001FD0000-memory.dmp

Filesize
640KB

Download
memory/452-101-0x0000000000000000-mapping.dmp

Download
memory/452-104-0x0000000000840000-0x0000000000894000-memory.dmp

Filesize
336KB

Download
memory/548-131-0x0000000000000000-mapping.dmp

Download
memory/584-118-0x0000000000000000-mapping.dmp

Download
memory/600-133-0x0000000000000000-mapping.dmp

Download
memory/624-73-0x0000000000000000-mapping.dmp

Download
memory/688-113-0x0000000000000000-mapping.dmp

Download
memory/736-79-0x0000000000000000-mapping.dmp

Download
memory/736-63-0x0000000000000000-mapping.dmp

Download
memory/752-60-0x0000000000000000-mapping.dmp

Download
memory/804-89-0x0000000000000000-mapping.dmp

Download
memory/808-75-0x0000000000000000-mapping.dmp

Download
memory/816-85-0x0000000000000000-mapping.dmp

Download
memory/824-117-0x0000000000000000-mapping.dmp

Download
memory/828-99-0x0000000000000000-mapping.dmp

Download
memory/900-68-0x00000000039C0000-0x00000000039D0000-memory.dmp

Filesize
64KB

Download
memory/916-74-0x0000000000000000-mapping.dmp

Download
memory/920-97-0x0000000000000000-mapping.dmp

Download
memory/948-123-0x0000000000000000-mapping.dmp

Download
memory/968-95-0x0000000000000000-mapping.dmp

Download
memory/1000-66-0x0000000000000000-mapping.dmp

Download
memory/1052-144-0x0000000000BC0000-0x0000000000C14000-memory.dmp

Filesize
336KB

Download
memory/1068-82-0x0000000000000000-mapping.dmp

Download
memory/1116-121-0x0000000000000000-mapping.dmp

Download
memory/1152-80-0x0000000000000000-mapping.dmp

Download
memory/1156-70-0x0000000000000000-mapping.dmp

Download
memory/1180-134-0x0000000000000000-mapping.dmp

Download
memory/1180-76-0x0000000000000000-mapping.dmp

Download
memory/1216-110-0x0000000000000000-mapping.dmp

Download
memory/1252-91-0x0000000000000000-mapping.dmp

Download
memory/1328-90-0x0000000000000000-mapping.dmp

Download
memory/1448-62-0x0000000000000000-mapping.dmp

Download
memory/1456-77-0x0000000000000000-mapping.dmp

Download
memory/1496-92-0x0000000000000000-mapping.dmp

Download
memory/1508-65-0x0000000000000000-mapping.dmp

Download
memory/1584-122-0x0000000000000000-mapping.dmp

Download
memory/1584-108-0x0000000000000000-mapping.dmp

Download
memory/1584-88-0x0000000000000000-mapping.dmp

Download
memory/1588-124-0x0000000000000000-mapping.dmp

Download
memory/1592-69-0x0000000000000000-mapping.dmp

Download
memory/1608-71-0x0000000000000000-mapping.dmp

Download
memory/1616-128-0x0000000000000000-mapping.dmp

Download
memory/1616-112-0x0000000000000000-mapping.dmp

Download
memory/1684-84-0x0000000000000000-mapping.dmp

Download
memory/1724-98-0x0000000000000000-mapping.dmp

Download
memory/1764-109-0x0000000000000000-mapping.dmp

Download
memory/1764-72-0x0000000000000000-mapping.dmp

Download
memory/1772-55-0x0000000000240000-0x000000000029C000-memory.dmp

Filesize
368KB

Download
memory/1772-56-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1772-54-0x0000000000DA0000-0x0000000000E0E000-memory.dmp

Filesize
440KB

Download
memory/1780-111-0x0000000000000000-mapping.dmp

Download
memory/1808-61-0x0000000000000000-mapping.dmp

Download
memory/1808-119-0x0000000000000000-mapping.dmp

Download
memory/1824-67-0x0000000000000000-mapping.dmp

Download
memory/1828-114-0x0000000000000000-mapping.dmp

Download
memory/1828-130-0x0000000000000000-mapping.dmp

Download
memory/1840-83-0x0000000000000000-mapping.dmp

Download
memory/1840-129-0x0000000000000000-mapping.dmp

Download
memory/1840-96-0x0000000000000000-mapping.dmp

Download
memory/1884-78-0x0000000000000000-mapping.dmp

Download
memory/1884-57-0x0000000000000000-mapping.dmp

Download
memory/1884-93-0x0000000000000000-mapping.dmp

Download
memory/1888-94-0x0000000000000000-mapping.dmp

Download
memory/1944-107-0x0000000000000000-mapping.dmp

Download
memory/1948-120-0x0000000000000000-mapping.dmp

Download
memory/1956-132-0x0000000000000000-mapping.dmp

Download
memory/1976-140-0x00000000001D0000-0x0000000000224000-memory.dmp

Filesize
336KB

Download
memory/1988-87-0x0000000000000000-mapping.dmp

Download
memory/2028-64-0x0000000000000000-mapping.dmp

Download