f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/AppleS5-DEL.exe
Size

3.1MB
MD5

6af7ea6d60309e7a05339a72accc2074
SHA1

1ccfcccae4a481c29c8b142715a9dee070918df9
SHA256

eb8302fbd0a3eda7620c0af1728a5d151afe1648d07525862c3701fc34c36d63
SHA512

bd5e87af04689d7ba11f4d08dae3396de3260d0af8d5813a664bce4b4105f1721b2cbddfc3c8bfb1013f357581b2841790ae523213fa5487c9b39b12198bdc2d
SSDEEP

49152:WMn54uFpQJqpleSBtthqtwRTJP8fOa9pu75KEpIj4ZVCbshPW6G9VSpnZ:AJmeqt31qOaPIUEnbOePWv3gZ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AppleS5-DEL.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AppleS5-DEL.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1404 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AppleS5-DEL.exe

pid	process
1404	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppleS5-DEL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AppleS5-DEL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AppleS5-DEL.exe

Executes dropped EXE 1 IoCs

Processes:

pid process

1356

pid	process
1356

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/2016-54-0x000000013F430000-0x000000013FCED000-memory.dmp	themida
behavioral3/memory/2016-55-0x000000013F430000-0x000000013FCED000-memory.dmp	themida
behavioral3/memory/2016-56-0x000000013F430000-0x000000013FCED000-memory.dmp	themida
behavioral3/memory/2016-57-0x000000013F430000-0x000000013FCED000-memory.dmp	themida
behavioral3/memory/2016-58-0x000000013F430000-0x000000013FCED000-memory.dmp	themida
behavioral3/memory/2016-71-0x000000013F430000-0x000000013FCED000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleS5-DEL.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AppleS5-DEL.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AppleS5-DEL.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AppleS5-DEL.exe

pid process

2016 AppleS5-DEL.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AppleS5-DEL.exe

pid	process
2016	AppleS5-DEL.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-1077081819179"	reg.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

2000 ipconfig.exe
984 ipconfig.exe
1584 ipconfig.exe

pid	process
2000	ipconfig.exe
984	ipconfig.exe
1584	ipconfig.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
432	taskkill.exe
884	taskkill.exe
1656	taskkill.exe
2024	taskkill.exe
316	taskkill.exe
1504	taskkill.exe
2004	taskkill.exe
1532	taskkill.exe
1744	taskkill.exe
816	taskkill.exe
556	taskkill.exe
1516	taskkill.exe
1932	taskkill.exe
1968	taskkill.exe

Modifies registry class 2 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Interface\ClsidStore = 010773115674275713793632700494018262109031002259021146	reg.exe

Modifies registry key 1 TTPs 25 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
692	reg.exe
1992	reg.exe
2004	reg.exe
1052	reg.exe
1584	reg.exe
1744	reg.exe
1884	reg.exe
1968	reg.exe
1792	reg.exe
920	reg.exe
804	reg.exe
1696	reg.exe
1732	reg.exe
864	reg.exe
816	reg.exe
1480	reg.exe
1088	reg.exe
632	reg.exe
1652	reg.exe
1448	reg.exe
1692	reg.exe
1404	reg.exe
1456	reg.exe
1932	reg.exe
1928	reg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AppleS5-DEL.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1404	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1404	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1404	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1704	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1704	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1704	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1900	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1900	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1900	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 764	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 764	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 764	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1000	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1000	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1000	2016	AppleS5-DEL.exe	cmd.exe
PID 1000 wrote to memory of 1516	1000	cmd.exe	taskkill.exe
PID 1000 wrote to memory of 1516	1000	cmd.exe	taskkill.exe
PID 1000 wrote to memory of 1516	1000	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 1812	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1812	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1812	2016	AppleS5-DEL.exe	cmd.exe
PID 1812 wrote to memory of 1932	1812	cmd.exe	taskkill.exe
PID 1812 wrote to memory of 1932	1812	cmd.exe	taskkill.exe
PID 1812 wrote to memory of 1932	1812	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 828	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 828	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 828	2016	AppleS5-DEL.exe	cmd.exe
PID 828 wrote to memory of 816	828	cmd.exe	taskkill.exe
PID 828 wrote to memory of 816	828	cmd.exe	taskkill.exe
PID 828 wrote to memory of 816	828	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 1556	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1556	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1556	2016	AppleS5-DEL.exe	cmd.exe
PID 1556 wrote to memory of 1968	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1968	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1968	1556	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 1676	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1676	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1676	2016	AppleS5-DEL.exe	cmd.exe
PID 1676 wrote to memory of 432	1676	cmd.exe	taskkill.exe
PID 1676 wrote to memory of 432	1676	cmd.exe	taskkill.exe
PID 1676 wrote to memory of 432	1676	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 804	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 804	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 804	2016	AppleS5-DEL.exe	cmd.exe
PID 804 wrote to memory of 884	804	cmd.exe	taskkill.exe
PID 804 wrote to memory of 884	804	cmd.exe	taskkill.exe
PID 804 wrote to memory of 884	804	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 1448	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1448	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1448	2016	AppleS5-DEL.exe	cmd.exe
PID 1448 wrote to memory of 1504	1448	cmd.exe	taskkill.exe
PID 1448 wrote to memory of 1504	1448	cmd.exe	taskkill.exe
PID 1448 wrote to memory of 1504	1448	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 1608	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1608	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 1608	2016	AppleS5-DEL.exe	cmd.exe
PID 1608 wrote to memory of 1656	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1656	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1656	1608	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 2000	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 2000	2016	AppleS5-DEL.exe	cmd.exe
PID 2016 wrote to memory of 2000	2016	AppleS5-DEL.exe	cmd.exe
PID 2000 wrote to memory of 2004	2000	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleS5-DEL.exe
"C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleS5-DEL.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 0b
2⤵
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1196

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1488

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1820

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1500

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:1552

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:2020

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:1556

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
- Modifies registry key
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1204

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-10770 /f
3⤵
- Modifies registry key
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:364

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-10770 /f
3⤵
- Modifies registry key
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:1708

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-1077081819179 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
2⤵
PID:884

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple10770-818-19179-1584231816} /f
3⤵
- Modifies registry key
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:1576

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple10770-818-19179-1584231816} /f
3⤵
- Modifies registry key
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:1504

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 10770-818-19179-15842 /f
3⤵
- Modifies registry key
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
2⤵
PID:1168

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple10770-818-19179-15842 /f
3⤵
- Modifies registry key
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:1604

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
- Modifies registry key
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f
2⤵
PID:1900

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic Games /f
3⤵
- Modifies registry key
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
2⤵
PID:1704

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
3⤵
- Modifies registry key
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
3⤵
- Modifies registry key
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:276

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:764

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
- Modifies registry key
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:604

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
- Modifies registry key
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:1532

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
2⤵
PID:892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
- Modifies registry key
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1108

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 10773115674275713793632700494018262109031002259021146 /f
3⤵
- Modifies registry class
- Modifies registry key
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1812

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-10773-11567-42757137 /f
3⤵
- Modifies registry key
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
2⤵
PID:1620

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
- Modifies registry key
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:328

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 10773115674275713793632700494018262109031002259021146 /f
3⤵
- Modifies registry key
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1416

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 10773115674275713793632700494018262109031002259021146 /f
3⤵
- Modifies registry key
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
2⤵
PID:1296

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
3⤵
- Modifies registry key
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh winsock reset
2⤵
PID:432

C:\Windows\system32\netsh.exe
netsh winsock reset
3⤵
PID:272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ip reset
2⤵
PID:1448

C:\Windows\system32\netsh.exe
netsh int ip reset
3⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset
2⤵
PID:1604

C:\Windows\system32\netsh.exe
netsh advfirewall reset
3⤵
- Modifies Windows Firewall
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:1052

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /release
2⤵
PID:1452

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /renew
2⤵
PID:764

C:\Windows\system32\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arp -d
2⤵
PID:1000

C:\Windows\system32\ARP.EXE
arp -d
3⤵
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache
2⤵
PID:1312

C:\Windows\system32\netsh.exe
netsh interface ip delete arpcache
3⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Windows\IME\networkclean.exe
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %systemdrive%\Windows\IME\adapters.exe
2⤵
PID:852

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-10773-11567-42757137 /f
1⤵
- Modifies registry key
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleS5-DEL.exe
Filesize
3.1MB

MD5
6af7ea6d60309e7a05339a72accc2074

SHA1
1ccfcccae4a481c29c8b142715a9dee070918df9

SHA256
eb8302fbd0a3eda7620c0af1728a5d151afe1648d07525862c3701fc34c36d63

SHA512
bd5e87af04689d7ba11f4d08dae3396de3260d0af8d5813a664bce4b4105f1721b2cbddfc3c8bfb1013f357581b2841790ae523213fa5487c9b39b12198bdc2d

Download Submit
memory/2016-54-0x000000013F430000-0x000000013FCED000-memory.dmp

Filesize
8.7MB

Download
memory/2016-55-0x000000013F430000-0x000000013FCED000-memory.dmp

Filesize
8.7MB

Download
memory/2016-56-0x000000013F430000-0x000000013FCED000-memory.dmp

Filesize
8.7MB

Download
memory/2016-57-0x000000013F430000-0x000000013FCED000-memory.dmp

Filesize
8.7MB

Download
memory/2016-58-0x000000013F430000-0x000000013FCED000-memory.dmp

Filesize
8.7MB

Download
memory/2016-71-0x000000013F430000-0x000000013FCED000-memory.dmp

Filesize
8.7MB

Download