f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
28s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/AppleCleaner.exe
Size

3.6MB
MD5

da2176757b2fead6539243b42057cb3c
SHA1

e14195bd4066e90c821caabd6ca63a173c1ca802
SHA256

1a62ed192ff4a7bd746fa24c8d7cd96578a4c7e9f0d4a6651a2a3d0baff9c433
SHA512

b9d13ecd8679064bc4cd9dbd823ba5367aebe13177c9ed5e6c6c40d70823ed32977bd40cde73ccfaa49f6f32b19b4f06f9396beb145bd774891d4290873c735d
SSDEEP

98304:gmQu0iNucsADierKQYRc4sNHOZjKg5tkdv+HR5+a:fQabDieOQ944HOZjp5tkx+x3

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AppleCleaner.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AppleCleaner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AppleCleaner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppleCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AppleCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AppleCleaner.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1960-54-0x000000013FC60000-0x0000000140603000-memory.dmp	themida
behavioral1/memory/1960-56-0x000000013FC60000-0x0000000140603000-memory.dmp	themida
behavioral1/memory/1960-55-0x000000013FC60000-0x0000000140603000-memory.dmp	themida
behavioral1/memory/1960-57-0x000000013FC60000-0x0000000140603000-memory.dmp	themida
behavioral1/memory/1960-58-0x000000013FC60000-0x0000000140603000-memory.dmp	themida
behavioral1/memory/1960-79-0x000000013FC60000-0x0000000140603000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AppleCleaner.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AppleCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AppleCleaner.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

AppleCleaner.exeiexplore.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FKH3QY1L\desktop.ini	AppleCleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JRKDF3EN\desktop.ini	AppleCleaner.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	AppleCleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\27279TJF\desktop.ini	AppleCleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ARRDY5WI\desktop.ini	AppleCleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	AppleCleaner.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppleCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "DADY"	AppleCleaner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AppleCleaner.exe

pid process

1960 AppleCleaner.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1960	AppleCleaner.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppleCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "DADY"	AppleCleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	AppleCleaner.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	AppleCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "a45d289a-503ab71f-9"	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "bea9e323-4f50a2d3-e"	AppleCleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AppleCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	AppleCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion = "pc-q35-4.J"	AppleCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	AppleCleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	AppleCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	AppleCleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	AppleCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AppleCleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	AppleCleaner.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1804 taskkill.exe
1216 taskkill.exe
1172 taskkill.exe

pid	process
1804	taskkill.exe
1216	taskkill.exe
1172	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEAppleCleaner.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LinksBar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 585129f4795cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = c0e55df0795cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 1da1e90586738a1f	AppleCleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Suggested Sites	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 805b30f7795cd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000ca3688c1f84f24f059f4ef76c3b6fcfa6a86bc6b5bba4fcf7a6179f0b728e494000000000e80000000020000200000005ab05f50f4a123c711f6f076673b11101ff092d86506f0f8f8078e96c569181910000000e6197ea33ee2f25a6b58f848e985ba5b40000000f3112e58a117a9b241d092f93cabab896254214af7138ec8e374698ac4087952e78345d4aa3ffff35815137739443f8e7424c0d0adc5071b01caba71720b47ac	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c000000000200000000001066000000010000200000005c516bc76852b2512a0178bbb90b72141ab27a57fbc3311d8ecc228c1bda5cbf000000000e8000000002000020000000066167825aa455965a08b9d0aaced4b9436d78276cc60cdf5d3c5393f1d8e2a05000000086f9c2fe8a4a70ca56f2699c95faa70fb5ec9823f5d4075245b330111709aafe0aeb51edc0be9c8f7d4b805faab4d3294b4d8c620a7809aca54c0b882b5b8a89e2ad2a739d751ccfd95e4d46d39580c04000000039d86f4a19923d55c62d70ca32f6c672fd6b2566515e80ed0aa1164dd6cd833533204f2a007b2608ce59f325d9efd53d06d7b9a03f8d87e00340691e72672b3a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Setup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{296903E1-C86D-11ED-A684-7E8ED113D2E8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 904e21f4795cd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 00b329f4795cd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1804 taskkill.exe
Token: SeDebugPrivilege 1216 taskkill.exe
Token: SeDebugPrivilege 1172 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1488 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1488 iexplore.exe
1488 iexplore.exe
924 IEXPLORE.EXE
924 IEXPLORE.EXE
924 IEXPLORE.EXE
924 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe

pid	process
1488	iexplore.exe

pid	process
1488	iexplore.exe
1488	iexplore.exe
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

AppleCleaner.execmd.execmd.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 1960 wrote to memory of 1940	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 1940	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 1940	1960	AppleCleaner.exe	cmd.exe
PID 1940 wrote to memory of 1804	1940	cmd.exe	taskkill.exe
PID 1940 wrote to memory of 1804	1940	cmd.exe	taskkill.exe
PID 1940 wrote to memory of 1804	1940	cmd.exe	taskkill.exe
PID 1960 wrote to memory of 468	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 468	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 468	1960	AppleCleaner.exe	cmd.exe
PID 468 wrote to memory of 1216	468	cmd.exe	taskkill.exe
PID 468 wrote to memory of 1216	468	cmd.exe	taskkill.exe
PID 468 wrote to memory of 1216	468	cmd.exe	taskkill.exe
PID 1960 wrote to memory of 1724	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 1724	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 1724	1960	AppleCleaner.exe	cmd.exe
PID 1724 wrote to memory of 1172	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 1172	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 1172	1724	cmd.exe	taskkill.exe
PID 1960 wrote to memory of 1776	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 1776	1960	AppleCleaner.exe	cmd.exe
PID 1960 wrote to memory of 1776	1960	AppleCleaner.exe	cmd.exe
PID 1776 wrote to memory of 1488	1776	cmd.exe	iexplore.exe
PID 1776 wrote to memory of 1488	1776	cmd.exe	iexplore.exe
PID 1776 wrote to memory of 1488	1776	cmd.exe	iexplore.exe
PID 1488 wrote to memory of 924	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 924	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 924	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 924	1488	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleCleaner.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://applecheats.cc
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://applecheats.cc/
3⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
bf1aa16fded98f5dad963061690a6a90

SHA1
c20115621642544398d4795fdd0b8c5ee33f7793

SHA256
760285755c457c414849c056ac5add5c53636d2149dfe9d772445d434ada9cd4

SHA512
d3b0599be9282a77ab3d28093b1f856404b5893ec15f9e5b3780796e3c5b2d37d402f9d88750f747a0e028e2a036eeb5d7d596b6e8bfda22c7394e7c20873d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
84bc6a792076c76ce0d022ef3fc29263

SHA1
2b8b6149c3e67cee1370891841c1fdd3e28bc469

SHA256
d689ff0f93541b790c6ffe77f5f6d93a754fd9af79488d5402f31187b7cd74dd

SHA512
4cac87b94ba12fb17ef277d04e7b24eb96373fafe3e9e2b7e7c0a6ad90b2a8ec8c1b068b1a571037908f73582efdcb62b608dad96777c6714a43d111769b7ee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a21150e8a7c4afce98683628814f8927

SHA1
9e4c4f8f8f59497896a028db55b15d7da3dcf0e1

SHA256
73170243b748c42ba03189cd170cccd809aa946b4f6c7d4feec93dc25b228eba

SHA512
198d896f70c4401bb44006f2bf18a3fba6ff071ad90c61a0709b89c87f9262bcc34cffedfdb9f270b478637d6dc140f334278781d28245fc30e1a01dd7f2520e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e3e6801f9913320372a1b8bc0d5706a

SHA1
793a66fb0eb24ac27a78f269bc34a032873869f3

SHA256
71f55f72912f42381baba900f103a69f9bdd132a570487c871fc1f97430deaf6

SHA512
645aaa3d6bc8bfc1f823e75b8e03b72eee8644659d00605c1fb89eeede1813a716a9b685d97904b98b0f4ae9afaed82419638bfdd6bec9ccfa5c50f87b3b356d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
522369828ce6e3320b4c95892587b597

SHA1
3dbbbe6aa4e5174a09a760d19215d144db7a2a63

SHA256
04e4757c3fefacac8081e8db45ec79442882c3f618ad4486518a070504a68aeb

SHA512
9362168df21043cc7e8eba52caff0ed0cbf59b51f4ae758e014020011d798bc43cc9eea86dde1d02ec4c862d45df44bab191ad8f066112160c0f700c8ca45042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4acb7f25dc59d92e066a8ac41b216cec

SHA1
2fad9b23b7bdb58923f2a75662dc59e60b56e6b2

SHA256
b80432107da3642e3d3b72f1830ab71645d6b0a53e6bc5cb1bb1fcbf5a96ceb6

SHA512
b5564f0d7f551ed82e8af113e3a60e2858acbe2b402f4919acb1e2567408e17cc86a2a402a85238181fd019fbd80ffbcdb01067e88e362ab6a51227eb7f871b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daf2fc2949ef8d2bc92bcaee871d4805

SHA1
80d4552f10e60be9faf1fc710c4f41832108ae28

SHA256
0603a53b0572040832c157b5161cb48d7896b3a1b5e3cf94387c948db18373e5

SHA512
96eb6becc6c8af0d6080e5b5b01bd8a44ba92bd1cbbf7f1bb05a2645523e45bc5b4768c6fa1fc32cde79576c45fc3df85b1d042d22dac6130db5c35c07395720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66fba990347794cf2056a8c99dc4f936

SHA1
5edb3243c56a362f39f38a9051b243641519886b

SHA256
b5fdc6cfdcd1addc1db3583c76691626a317add9b533b7fe0ccf307d311a1a59

SHA512
78249cb86942cbb21f8aaceeaf65c20532a90123541ccab94800d32f8a23c34c3bdafc2ff11eb9fa1c6e5715d05ca49c837c05b8b90c2a14e0d6649889c7af4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1346f99f95b4d735a80f6a41d3c667d8

SHA1
0e081eb019dd4e9e2843e1a5fd2cbcb69494449b

SHA256
68f1a7850dcaac6744bdee409c82427ee2ef8494179ab321fdd0ebb2afc68e70

SHA512
ad4a53de111dbb9c20e22f9ceca6036a16b2243bf8cd5f88e1ca126366a169c0468e0832e42559556b1899d25ed009a49b777e04a3dab39e9423f0c2f3e4dc86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d4c473918292976874332e6b353cd4a0

SHA1
ddae37256f0c45b15afef6c2d5bef316ecf459a6

SHA256
407375f58d188438aecfc2f71722bb8083a7adbc31fff2239d5b584472dab4e1

SHA512
d350e6b9eeacf2824b45fb9b85fe83e27fb6da9cc2a94437f31aea1b38cdf6e8fb2e31f42231bf5a65778a8dbcc399874a6f1d0a58564eb425c059c76d04148e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar85F9.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
memory/1960-55-0x000000013FC60000-0x0000000140603000-memory.dmp

Filesize
9.6MB

Download
memory/1960-56-0x000000013FC60000-0x0000000140603000-memory.dmp

Filesize
9.6MB

Download
memory/1960-54-0x000000013FC60000-0x0000000140603000-memory.dmp

Filesize
9.6MB

Download
memory/1960-57-0x000000013FC60000-0x0000000140603000-memory.dmp

Filesize
9.6MB

Download
memory/1960-79-0x000000013FC60000-0x0000000140603000-memory.dmp

Filesize
9.6MB

Download
memory/1960-58-0x000000013FC60000-0x0000000140603000-memory.dmp

Filesize
9.6MB

Download