cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62

Analysis

max time kernel
121s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
Size

593KB
MD5

67aca6a4e6a6bff00b3f6868671d443a
SHA1

b4eeee56d52d4d64248b5cdbcc933f3eb5b4e371
SHA256

cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62
SHA512

beb96c2c06f54b5f1186ac0b5906717eb96760eaca9f265a35f0176dd77d845c5ad5beff5cc2d37f22243b7b5488371f20b3da6a16a3c233d34a9074232089aa
SSDEEP

12288:VuBSP/amC/BJSpc/aaT9/gur79Yq63kfydqAKTE1qH:sA6/Bwy/aI/gK79YH0FAgxH

Score

10^/10

bootkit evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

BqjnC0gFVHRul8.exezbzuux.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	BqjnC0gFVHRul8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zbzuux.exe

Executes dropped EXE 5 IoCs

Processes:

BqjnC0gFVHRul8.exewin.exewio.exewiq.exezbzuux.exe

pid process

1664 BqjnC0gFVHRul8.exe
1240 win.exe
2024 wio.exe
848 wiq.exe
1428 zbzuux.exe

pid	process
1664	BqjnC0gFVHRul8.exe
1240	win.exe
2024	wio.exe
848	wiq.exe
1428	zbzuux.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/272-91-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/272-93-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/272-101-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/272-100-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/272-94-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/272-105-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1316 cmd.exe

pid	process
1316	cmd.exe

Loads dropped DLL 18 IoCs

Processes:

cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exerundll32.exerundll32.exeBqjnC0gFVHRul8.exe

pid	process
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
952	rundll32.exe
952	rundll32.exe
952	rundll32.exe
952	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
1664	BqjnC0gFVHRul8.exe
1664	BqjnC0gFVHRul8.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zbzuux.exeBqjnC0gFVHRul8.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /I"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /D"	zbzuux.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	BqjnC0gFVHRul8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /d"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /q"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /Q"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /e"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xjetifasocuk = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\pcmothes.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /E"	BqjnC0gFVHRul8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /n"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /u"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /o"	zbzuux.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /X"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /M"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /x"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /s"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /h"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /B"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /p"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /c"	zbzuux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zbzuux = "C:\\Users\\Admin\\zbzuux.exe /W"	zbzuux.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

win.exe

description ioc process

File opened for modification \??\physicaldrive0 win.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wiq.exe

description pid process target process

PID 848 set thread context of 272 848 wiq.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1564 tasklist.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	win.exe

description	pid	process	target process
PID 848 set thread context of 272	848	wiq.exe	svchost.exe

pid	process
1564	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeBqjnC0gFVHRul8.exerundll32.exe

pid	process
272	svchost.exe
1664	BqjnC0gFVHRul8.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
952	rundll32.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe
272	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

win.exetasklist.exe

description pid process

Token: SeShutdownPrivilege 1240 win.exe
Token: SeDebugPrivilege 1564 tasklist.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

BqjnC0gFVHRul8.exewiq.exezbzuux.exe

pid process

1664 BqjnC0gFVHRul8.exe
848 wiq.exe
1428 zbzuux.exe

description	pid	process
Token: SeShutdownPrivilege	1240	win.exe
Token: SeDebugPrivilege	1564	tasklist.exe

pid	process
1664	BqjnC0gFVHRul8.exe
848	wiq.exe
1428	zbzuux.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exewio.exewiq.exerundll32.exeBqjnC0gFVHRul8.execmd.exezbzuux.exe

description	pid	process	target process
PID 692 wrote to memory of 1664	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	BqjnC0gFVHRul8.exe
PID 692 wrote to memory of 1664	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	BqjnC0gFVHRul8.exe
PID 692 wrote to memory of 1664	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	BqjnC0gFVHRul8.exe
PID 692 wrote to memory of 1664	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	BqjnC0gFVHRul8.exe
PID 692 wrote to memory of 1240	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	win.exe
PID 692 wrote to memory of 1240	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	win.exe
PID 692 wrote to memory of 1240	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	win.exe
PID 692 wrote to memory of 1240	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	win.exe
PID 692 wrote to memory of 2024	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wio.exe
PID 692 wrote to memory of 2024	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wio.exe
PID 692 wrote to memory of 2024	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wio.exe
PID 692 wrote to memory of 2024	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wio.exe
PID 692 wrote to memory of 848	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wiq.exe
PID 692 wrote to memory of 848	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wiq.exe
PID 692 wrote to memory of 848	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wiq.exe
PID 692 wrote to memory of 848	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wiq.exe
PID 2024 wrote to memory of 952	2024	wio.exe	rundll32.exe
PID 2024 wrote to memory of 952	2024	wio.exe	rundll32.exe
PID 2024 wrote to memory of 952	2024	wio.exe	rundll32.exe
PID 2024 wrote to memory of 952	2024	wio.exe	rundll32.exe
PID 2024 wrote to memory of 952	2024	wio.exe	rundll32.exe
PID 2024 wrote to memory of 952	2024	wio.exe	rundll32.exe
PID 2024 wrote to memory of 952	2024	wio.exe	rundll32.exe
PID 692 wrote to memory of 1316	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	cmd.exe
PID 692 wrote to memory of 1316	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	cmd.exe
PID 692 wrote to memory of 1316	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	cmd.exe
PID 692 wrote to memory of 1316	692	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	cmd.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 848 wrote to memory of 272	848	wiq.exe	svchost.exe
PID 952 wrote to memory of 320	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 320	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 320	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 320	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 320	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 320	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 320	952	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1428	1664	BqjnC0gFVHRul8.exe	zbzuux.exe
PID 1664 wrote to memory of 1428	1664	BqjnC0gFVHRul8.exe	zbzuux.exe
PID 1664 wrote to memory of 1428	1664	BqjnC0gFVHRul8.exe	zbzuux.exe
PID 1664 wrote to memory of 1428	1664	BqjnC0gFVHRul8.exe	zbzuux.exe
PID 1664 wrote to memory of 680	1664	BqjnC0gFVHRul8.exe	cmd.exe
PID 1664 wrote to memory of 680	1664	BqjnC0gFVHRul8.exe	cmd.exe
PID 1664 wrote to memory of 680	1664	BqjnC0gFVHRul8.exe	cmd.exe
PID 1664 wrote to memory of 680	1664	BqjnC0gFVHRul8.exe	cmd.exe
PID 680 wrote to memory of 1564	680	cmd.exe	tasklist.exe
PID 680 wrote to memory of 1564	680	cmd.exe	tasklist.exe
PID 680 wrote to memory of 1564	680	cmd.exe	tasklist.exe
PID 680 wrote to memory of 1564	680	cmd.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe
PID 1428 wrote to memory of 1564	1428	zbzuux.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
"C:\Users\Admin\AppData\Local\Temp\cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\BqjnC0gFVHRul8.exe
BqjnC0gFVHRul8.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\zbzuux.exe
"C:\Users\Admin\zbzuux.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del BqjnC0gFVHRul8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Users\Admin\win.exe
win.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\wio.exe
wio.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\pcmothes.dll",Startup
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\pcmothes.dll",iep
4⤵
- Loads dropped DLL
PID:320

C:\Users\Admin\wiq.exe
wiq.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd /c del cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
2⤵
- Deletes itself
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
C:\Users\Admin\BqjnC0gFVHRul8.exe
Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
C:\Users\Admin\BqjnC0gFVHRul8.exe
Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
C:\Users\Admin\win.exe
Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
C:\Users\Admin\win.exe
Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
C:\Users\Admin\wio.exe
Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
C:\Users\Admin\wio.exe
Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
C:\Users\Admin\wiq.exe
Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
C:\Users\Admin\wiq.exe
Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
C:\Users\Admin\zbzuux.exe
Filesize
148KB

MD5
0da648563c67f80ffed865dbda503a49

SHA1
de530bf7e089af158740766ea8a544753ce1b178

SHA256
fb204a35f3618533f4afe45968d8ec91b10681456cdeefb07a094853b078a80f

SHA512
3f83e53e2b220687c7eaf56c0da66e298169e3117d02d09f5a910af67d4582ce33f600a3715249043713204d59c1424013d9d59f9270f669fccfbaccf2558efe

Download Submit
C:\Users\Admin\zbzuux.exe
Filesize
148KB

MD5
0da648563c67f80ffed865dbda503a49

SHA1
de530bf7e089af158740766ea8a544753ce1b178

SHA256
fb204a35f3618533f4afe45968d8ec91b10681456cdeefb07a094853b078a80f

SHA512
3f83e53e2b220687c7eaf56c0da66e298169e3117d02d09f5a910af67d4582ce33f600a3715249043713204d59c1424013d9d59f9270f669fccfbaccf2558efe

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\pcmothes.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\BqjnC0gFVHRul8.exe
Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
\Users\Admin\BqjnC0gFVHRul8.exe
Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
\Users\Admin\win.exe
Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
\Users\Admin\win.exe
Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
\Users\Admin\wio.exe
Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
\Users\Admin\wio.exe
Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
\Users\Admin\wiq.exe
Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
\Users\Admin\wiq.exe
Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
\Users\Admin\zbzuux.exe
Filesize
148KB

MD5
0da648563c67f80ffed865dbda503a49

SHA1
de530bf7e089af158740766ea8a544753ce1b178

SHA256
fb204a35f3618533f4afe45968d8ec91b10681456cdeefb07a094853b078a80f

SHA512
3f83e53e2b220687c7eaf56c0da66e298169e3117d02d09f5a910af67d4582ce33f600a3715249043713204d59c1424013d9d59f9270f669fccfbaccf2558efe

Download Submit
\Users\Admin\zbzuux.exe
Filesize
148KB

MD5
0da648563c67f80ffed865dbda503a49

SHA1
de530bf7e089af158740766ea8a544753ce1b178

SHA256
fb204a35f3618533f4afe45968d8ec91b10681456cdeefb07a094853b078a80f

SHA512
3f83e53e2b220687c7eaf56c0da66e298169e3117d02d09f5a910af67d4582ce33f600a3715249043713204d59c1424013d9d59f9270f669fccfbaccf2558efe

Download Submit
memory/272-96-0x000000000040C400-mapping.dmp

Download
memory/272-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/272-91-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/272-93-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/272-105-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/272-101-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/272-94-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/272-100-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-113-0x0000000000291000-0x000000000029E000-memory.dmp

Filesize
52KB

Download
memory/320-106-0x0000000000000000-mapping.dmp

Download
memory/680-123-0x0000000000000000-mapping.dmp

Download
memory/848-71-0x0000000000000000-mapping.dmp

Download
memory/952-78-0x0000000000000000-mapping.dmp

Download
memory/952-95-0x0000000000141000-0x000000000014E000-memory.dmp

Filesize
52KB

Download
memory/952-86-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1240-97-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1240-66-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1240-104-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1240-87-0x0000000000260000-0x00000000002B6000-memory.dmp

Filesize
344KB

Download
memory/1240-60-0x0000000000000000-mapping.dmp

Download
memory/1240-102-0x0000000000260000-0x00000000002B6000-memory.dmp

Filesize
344KB

Download
memory/1316-80-0x0000000000000000-mapping.dmp

Download
memory/1428-116-0x0000000000000000-mapping.dmp

Download
memory/1564-125-0x0000000000000000-mapping.dmp

Download
memory/1664-56-0x0000000000000000-mapping.dmp

Download
memory/2024-73-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2024-99-0x0000000001D51000-0x0000000001D5E000-memory.dmp

Filesize
52KB

Download
memory/2024-64-0x0000000000000000-mapping.dmp

Download