28486a0eb0a65e2c926a44dc8559ccd6deec153b784d91698382512c82cdb401

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unhide.exe
Size

668KB
MD5

0c3717b91073d5e4a8097b69331646a5
SHA1

1c3e14bf1b3b20736ca84f4d3a000dd8cbb84a59
SHA256

28486a0eb0a65e2c926a44dc8559ccd6deec153b784d91698382512c82cdb401
SHA512

a52ee1760327063b5bba79d6da74788d1971dce1466e94e0c4bf2a4283dcf662314635099a4ff885e50683a9817022ef4aec2d8bda23dc132f4ac4773252e564
SSDEEP

12288:fxTCGTc6rYLF4s7E2vqsIG+OBxUkK3nn8eQ3Gj0Hy/23vc8/:pTlQ6rgPE2vagxdynMGjD/8vP

Score

8^/10

ransomware upx

Malware Config

Signatures

Drops file in Drivers directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	attrib.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UnpublishGroup.tiff	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Unhide.exe

Executes dropped EXE 3 IoCs

pid	Process
4240	setpath.exe
2012	sed.exe
4440	pev.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5068-147-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x0006000000023178-152.dat	upx
behavioral2/files/0x0006000000023178-153.dat	upx
behavioral2/memory/4240-154-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x0006000000023179-210.dat	upx

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	attrib.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidinterrupt.inf_amd64_eeb986311b3a5b16\hidinterrupt.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\ServDeps.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\XInputUap.dll	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rdpidd.inf_amd64_ce12c614d182f4f9\rdpidd.inf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\0407	attrib.exe
File opened for modification	C:\Windows\SysWOW64\mibincodec.dll	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-IDE-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Helium-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fscontentscreener.inf_amd64_bd1517e25f3e419f	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ScheduledTasks\MSFT_ScheduledTask_v1.0.cdxml	attrib.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-WMPDMC-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_7_for_KB5005699~31bf3856ad364e35~amd64~~19041.1220.1.0.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint.inf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\appmgr.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wlgpclnt.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsDolby-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_767b2d723d0fe83b\mdmags64.inf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\icsigd.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\mstsc.mof	attrib.exe
File opened for modification	C:\Windows\SysWOW64\zh-CN\SyncRes.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\keyboard.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\cmmon32.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Remotefx-Clientvm-Rdvgwddmdx11-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.928.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_apo.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\migration\WpcMigration.Uplevel.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\it-IT\RunAsHelper.strings.psd1	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-UtilityVm-SetupAgent-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Shielded-VM-Service-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\mlx5.sys	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\TetheringService.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\F12\msdbg2.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja-JP\p2p-mesh.mfl	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-CA	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Storage.OneCore.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winspool.drv	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-RDP4VS-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmdf56f.inf_amd64_1e78e192efc26192\mdmdf56f.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\HalExtIntcLpioDma.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsDolby-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netl1e64.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\WMIC.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Devices.Custom.ps.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\ialpssi_gpio.INF_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\usbhub3.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\wvmbusvideo.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\odbcconf.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\DbgModel.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.dll	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-WOW64-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-2-0.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\acppage.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\ykinx64.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\winusb.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\sisraid2.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\dsreg.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDUGHR.DLL	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-200.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-100.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymb.ttf	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-100_contrast-white.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-100.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-200.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	attrib.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-16.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_scale-100.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\LogoCanary.png.DATA	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-400.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\Views	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-text.xml	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Fonts\segxsym.ttf	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetDark.gif.DATA	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl	attrib.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\fr-FR.PhoneNumber.ot	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNG	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\Resources\ResourceDictionary.xbf	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-125.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-200.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-200.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-80_altform-lightunplated.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-150.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-125.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-150.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\MSASignIn.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileMediumSquare.scale-100.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Heart.png	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-integrity-policy_31bf3856ad364e35_10.0.19041.746_none_8a20106aa387072c\Windows.Security.Integrity.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_monitor.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_5be8f42709ef5147\monitor.inf_loc	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-AssignedAccessCsp-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	attrib.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-48.png	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_b7bdf77f1433469b\fms.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TileSmall.contrast-white_scale-200.png	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..-policies.resources_31bf3856ad364e35_10.0.19041.1_en-us_c4ed144ec53159c2\OOBE.adml	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..g-jscript.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_e05be69a839ace6f\jscript.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_usbser.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_999f2d52b61dc6e7\usbser.inf_loc	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hlink.resources_31bf3856ad364e35_10.0.19041.1_de-de_d7fc2f769e04f845\hlink.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..acysnapin.resources_31bf3856ad364e35_10.0.19041.1_es-es_6d3bcca0321580e5\inetmgr6.exe.mui	attrib.exe
File opened for modification	C:\Windows\INF\.NET CLR Data\_DataPerfCounters.h	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\1041\Vsavb7rtUI.dll	attrib.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~fr-ch~1.0.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_gameport.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_b61044decf06e5b4\gameport.inf_loc	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-f..ngsclient.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_56dd08c5bd34cd5a\wosc.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..cementmanifests-net_31bf3856ad364e35_10.0.19041.1_none_6d60b01ac2c12eee\NetworkLoadBalancingManagementClient-Replacement.man	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wab-core_31bf3856ad364e35_10.0.19041.1110_none_c9ef9824fef645af\wab32.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.19041.1202_none_ed8dbbd679137a3a\Microsoft-Desktop-Provisioning.dat	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\tlserror.htm	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\3ef04b2ab7a69aa8d90d3a62538479e4\Microsoft.PowerShell.ConsoleHost.ni.dll	attrib.exe
File opened for modification	C:\Windows\L2Schemas\WLANAP_profile_v1.xsd	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XmlDocument	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-MobilePC-Client-Premium-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_c_netservice.inf_31bf3856ad364e35_10.0.19041.1_none_3e72335d87ef0873\c_netservice.inf	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..mplatform.resources_31bf3856ad364e35_10.0.19041.1_de-de_a9b3cd9091c97133\netswitchteamcim.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..mprovider.resources_31bf3856ad364e35_10.0.19041.1_es-es_5e0fc3365edc0afb\nfscimprov_Uninstall.mfl	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\tcpip.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printing-Foundation-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.mum	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\Microsoft.Uev.Common.WinRT.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-f..ependencyminifilter_31bf3856ad364e35_10.0.19041.928_none_0863e8efe63839e6\f\fsdepends.sys	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..tenterprise-license_31bf3856ad364e35_10.0.19041.1266_none_d8e5a5b80dc620f7\r\IoTEnterprise-OEM-DM-1-ul-store-rtm.xrm-ms	attrib.exe
File opened for modification	C:\Windows\Fonts\consolab.ttf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Editor	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.es.resx	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..collector.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ae8a774c55ba759\wecsvc.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ime-korean-commonapi_31bf3856ad364e35_10.0.19041.844_none_b78eaf7eaa01dcca\r	attrib.exe
File opened for modification	C:\Windows\Boot\EFI\en-US	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ional-codepage-core_31bf3856ad364e35_10.0.19041.1_none_ecc5d2879c840ab0\C_20261.NLS	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1_da-dk_c2b1ad4ca766b8f7\tipresx.dll.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.546_none_bad936652ad03072\f\winsta.dll	attrib.exe
File opened for modification	C:\Windows\INF\PERFLIB\0411\perfh.dat	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.resources.dll	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\LanmanWorkstation.adml	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_mdmeiger.inf_31bf3856ad364e35_10.0.19041.1_none_64c5ea94bd54c295\mdmeiger.inf	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_it-it_f55158e81544d580\iscsicli.exe.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-vault-cpl_31bf3856ad364e35_10.0.19041.423_none_d57ebf249a4ef3f8\f	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Tasks.resources.dll	attrib.exe
File opened for modification	C:\Windows\Fonts\impact.ttf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ObjectModel	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..nosticsframeworkapi_31bf3856ad364e35_10.0.19041.1_none_e0e2be0e4a7b510d\ndfapi.dll	attrib.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking 4.0.0.0\0410\_Networkingperfcounters_d.ini	attrib.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Rsat.RemoteAccess.Management.Tools~~1.0.mum	attrib.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\pris\resources.de-DE.pri	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_eaphost.inf_31bf3856ad364e35_10.0.19041.1_none_dd3435528e2a283d\EAPHost.inf	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-http.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6b69392c689c2535\http.sys.mui	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4082629be4b9c8a\tcpip.adml	attrib.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\MediumTile.scale-400.png	attrib.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.ShellCommon\Images	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..nager-runtimeserver_31bf3856ad364e35_10.0.19041.1023_none_d167150e556c5f39\AssignedAccessManager.dll	attrib.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..manifests-printscan_31bf3856ad364e35_10.0.19041.746_none_147dd50012cf1d15\r\TapiMigPlugin.dll	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3696	5068	Unhide.exe	82
PID 5068 wrote to memory of 3696	5068	Unhide.exe	82
PID 5068 wrote to memory of 3696	5068	Unhide.exe	82
PID 3696 wrote to memory of 4240	3696	cmd.exe	84
PID 3696 wrote to memory of 4240	3696	cmd.exe	84
PID 3696 wrote to memory of 4240	3696	cmd.exe	84
PID 3696 wrote to memory of 2012	3696	cmd.exe	85
PID 3696 wrote to memory of 2012	3696	cmd.exe	85
PID 3696 wrote to memory of 2012	3696	cmd.exe	85
PID 3696 wrote to memory of 228	3696	cmd.exe	86
PID 3696 wrote to memory of 228	3696	cmd.exe	86
PID 3696 wrote to memory of 228	3696	cmd.exe	86
PID 228 wrote to memory of 4440	228	cmd.exe	87
PID 228 wrote to memory of 4440	228	cmd.exe	87
PID 228 wrote to memory of 4440	228	cmd.exe	87
PID 3696 wrote to memory of 4860	3696	cmd.exe	88
PID 3696 wrote to memory of 4860	3696	cmd.exe	88
PID 3696 wrote to memory of 4860	3696	cmd.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4860	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Unhide.exe
"C:\Users\Admin\AppData\Local\Temp\Unhide.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\unhide.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe
    SetPath
    3⤵
    - Executes dropped EXE
    PID:4240
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe
    SED -r "s/ //g; s/\\\x22$/\x22/; s/^SET/@SET /I" SetPath00
    3⤵
    - Executes dropped EXE
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c PEV VOLUME
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe
      PEV VOLUME
      4⤵
      Executes dropped EXE
      PID:4440
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -H C:\* /S /D
    3⤵
    - Drops file in Drivers directory
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetPath.bat

Filesize
1KB

MD5
d801958ceae5f70610b496d9b470c226

SHA1
3e6c19fd4c825909837c6a539f1062b7100abbe2

SHA256
4ed7c723e6216df05b21537c08e466be504af76bac2cbc04ffc37aa96935b21b

SHA512
f1d26e4c777978697141324e26aefa5a870e170c545605892505d5cfdab901ea385897d7037c538932e1933f9b810b6c31cd1c4d4ed8f61af75225394c7afce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetPath00

Filesize
1KB

MD5
67a7e99522b111d938759305c5b77fe2

SHA1
a14819fb35b3ece5e69648af8555022c9254471d

SHA256
458fae2d4a72e9563b3519070d287cafba688fe61a400130975c9dc47c72793d

SHA512
40cb88ab4109ffe8abe5f81056a62aecd322a0e6331fe6f44559a92632f9c6d98ec409b2434e4e7e27add47525307b7f659b9a2be0f62b8af8e5565ddc163640

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\grep.exe

Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe

Filesize
249KB

MD5
3c33b26f2f7fa61d882515f2d6078691

SHA1
6a4327de077ea3126fc70c7031ca901383734562

SHA256
908fdb876715f0a77014a37396d9e964fa6359d98099929bab4086e66d72bb9f

SHA512
6682e012e0cf8a3a40873b15eee14dea5cc95e86b181632a5a2dff3498e1d8d6d01ced76efd08089d7e9d5c43ba64143639c0e5414143762a232e6dd964804d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe

Filesize
249KB

MD5
3c33b26f2f7fa61d882515f2d6078691

SHA1
6a4327de077ea3126fc70c7031ca901383734562

SHA256
908fdb876715f0a77014a37396d9e964fa6359d98099929bab4086e66d72bb9f

SHA512
6682e012e0cf8a3a40873b15eee14dea5cc95e86b181632a5a2dff3498e1d8d6d01ced76efd08089d7e9d5c43ba64143639c0e5414143762a232e6dd964804d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe

Filesize
96KB

MD5
2b657a67aebb84aea5632c53e61e23bf

SHA1
7d723cf82658da76bda85ae00bf20cb01b43edc8

SHA256
95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73

SHA512
16a68add6c2f6011c3c69dd3a3bf9496730c712e631c4992c19a83747020e8b560e3b93b08e95c536f245508a9c923f18488b2aef300acbe2ecedbe4ff3e5ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe

Filesize
96KB

MD5
2b657a67aebb84aea5632c53e61e23bf

SHA1
7d723cf82658da76bda85ae00bf20cb01b43edc8

SHA256
95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73

SHA512
16a68add6c2f6011c3c69dd3a3bf9496730c712e631c4992c19a83747020e8b560e3b93b08e95c536f245508a9c923f18488b2aef300acbe2ecedbe4ff3e5ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe

Filesize
26KB

MD5
4f5f4878c3931a5906392b6124ae0fcb

SHA1
5119a8d63258583365e7c6e082ccb8879901fd32

SHA256
399ce9f214fd0af7a0ff40e4c28d979642396f602845f7c6d8cb3020aa9f791e

SHA512
ce7d7768f5a35c907af7de745b83f27dba0173f4f107e4c2823a6f1bbf304079fe73f39b8b5807dd421c61a6cabe26272c671e7a940f68752ebfd71638b79299

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe

Filesize
26KB

MD5
4f5f4878c3931a5906392b6124ae0fcb

SHA1
5119a8d63258583365e7c6e082ccb8879901fd32

SHA256
399ce9f214fd0af7a0ff40e4c28d979642396f602845f7c6d8cb3020aa9f791e

SHA512
ce7d7768f5a35c907af7de745b83f27dba0173f4f107e4c2823a6f1bbf304079fe73f39b8b5807dd421c61a6cabe26272c671e7a940f68752ebfd71638b79299

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\swxcacls.exe

Filesize
80KB

MD5
9cef63fde7a3a91a747ceb26d00fced3

SHA1
e32f3be159e7ed8ff722d7914e9bd76411f66f56

SHA256
8ddb40f126b0bac6095db82bd45bbe9b5d70b0a1e8542a82ab1df8031d776c9b

SHA512
5f1e0fd8a4f9131104f8cb58c91267026e126a4e832aee4e77ed2d4d8866e9b25406f02f17785c550661a58f9e11dbdd63ab784e9374d5cf7a42c5c7370763b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\unhide.bat

Filesize
2KB

MD5
4427ca90cac3e5b4aff5e173ad2dd4f1

SHA1
9a33cc2a79676fb5f081cca6264aa4ad061058ea

SHA256
46efd6ebae7cbbb36b15b54cf409013172bf0fab6df92daefd9ea793d1fd30b2

SHA512
59bcc51f3a4d7826d1facf27ffa6207ede7bfae2a8a318514022af5bfd9f7063cfd730dec3bb0fe21dc67c6ab669b40afb42118ea4c9986b7e2534d7e0c4726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\unhide.reg

Filesize
543B

MD5
fca6a5b2508b49f3363404a8e47d552a

SHA1
3ecd0d771baa100f4e1afa810bb3b1a27cd53aad

SHA256
609db8564ed67f25fb27d844c7ef2dfbc6bac0cf30eee127e2625e7583069804

SHA512
640571c86db7ef728bea66073ba35fe017d55edff124fe03deee41b1ff6e9f65bf4cad0fc465557e8ec0031e5eb4b414b8ebd1e3a1750622eadd841aefa1f9ef

Download Submit
memory/2012-161-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4240-154-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4440-206-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/4440-205-0x0000000000500000-0x00000000005D0000-memory.dmp

Filesize
832KB

Download
memory/5068-147-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads