a6b9b8fa15a63c2c8c89a54dde4f5dffaafd6c5f62c9e05cb21c645f4c7b9c86

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.TrojanX-gen.30150.exe
Size

1.3MB
MD5

9b83f4aef17adc5febcbd1c7f787047e
SHA1

b19fbf4f4c053d46bb99afbde6fecd7e4e547700
SHA256

a6b9b8fa15a63c2c8c89a54dde4f5dffaafd6c5f62c9e05cb21c645f4c7b9c86
SHA512

ac8cb32d4050142c57e050b666c65eebe64d5e5ab65884ee8172377761c0daa439c22055810364b967f259db7519705a22b5dececf0c135e94c024bc7dcfe324
SSDEEP

12288:OUtF7OEA8ynvlk7Bw7B67BpJFJSJipac/MZBNmXVytYSAOZHxCkMhrIGtfyog7N5:V/AvkeE9jY6/2BeotYSLtxvMhrIGh8b

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sfero365 = "C:\\Sfero\\Sfero365\\Sfero365.exe"	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2524	ipconfig.exe
2604	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3540	powershell.exe
3540	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: 36	2800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: 36	2800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	372	WMIC.exe
Token: SeSecurityPrivilege	372	WMIC.exe
Token: SeTakeOwnershipPrivilege	372	WMIC.exe
Token: SeLoadDriverPrivilege	372	WMIC.exe
Token: SeSystemProfilePrivilege	372	WMIC.exe
Token: SeSystemtimePrivilege	372	WMIC.exe
Token: SeProfSingleProcessPrivilege	372	WMIC.exe
Token: SeIncBasePriorityPrivilege	372	WMIC.exe
Token: SeCreatePagefilePrivilege	372	WMIC.exe
Token: SeBackupPrivilege	372	WMIC.exe
Token: SeRestorePrivilege	372	WMIC.exe
Token: SeShutdownPrivilege	372	WMIC.exe
Token: SeDebugPrivilege	372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	372	WMIC.exe
Token: SeRemoteShutdownPrivilege	372	WMIC.exe
Token: SeUndockPrivilege	372	WMIC.exe
Token: SeManageVolumePrivilege	372	WMIC.exe
Token: 33	372	WMIC.exe
Token: 34	372	WMIC.exe
Token: 35	372	WMIC.exe
Token: 36	372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	372	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2108	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	89
PID 1368 wrote to memory of 2108	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	89
PID 1368 wrote to memory of 2108	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	89
PID 1368 wrote to memory of 1448	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	91
PID 1368 wrote to memory of 1448	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	91
PID 1368 wrote to memory of 1448	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	91
PID 1368 wrote to memory of 2508	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	93
PID 1368 wrote to memory of 2508	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	93
PID 1368 wrote to memory of 2508	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	93
PID 1368 wrote to memory of 852	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	95
PID 1368 wrote to memory of 852	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	95
PID 1368 wrote to memory of 852	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	95
PID 1368 wrote to memory of 3136	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	97
PID 1368 wrote to memory of 3136	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	97
PID 1368 wrote to memory of 3136	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	97
PID 1368 wrote to memory of 2604	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	99
PID 1368 wrote to memory of 2604	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	99
PID 1368 wrote to memory of 2604	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	99
PID 1368 wrote to memory of 1036	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	101
PID 1368 wrote to memory of 1036	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	101
PID 1368 wrote to memory of 1036	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	101
PID 1368 wrote to memory of 2976	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	103
PID 1368 wrote to memory of 2976	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	103
PID 1368 wrote to memory of 2976	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	103
PID 1368 wrote to memory of 1216	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	106
PID 1368 wrote to memory of 1216	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	106
PID 1368 wrote to memory of 1216	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	106
PID 1368 wrote to memory of 4364	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	108
PID 1368 wrote to memory of 4364	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	108
PID 1368 wrote to memory of 4364	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	108
PID 1368 wrote to memory of 4628	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	110
PID 1368 wrote to memory of 4628	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	110
PID 1368 wrote to memory of 4628	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	110
PID 1368 wrote to memory of 4892	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	112
PID 1368 wrote to memory of 4892	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	112
PID 1368 wrote to memory of 4892	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	112
PID 1368 wrote to memory of 2828	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	114
PID 1368 wrote to memory of 2828	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	114
PID 1368 wrote to memory of 2828	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	114
PID 1368 wrote to memory of 720	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	116
PID 1368 wrote to memory of 720	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	116
PID 1368 wrote to memory of 720	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	116
PID 1368 wrote to memory of 3716	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	118
PID 1368 wrote to memory of 3716	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	118
PID 1368 wrote to memory of 3716	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	118
PID 1368 wrote to memory of 2400	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	120
PID 1368 wrote to memory of 2400	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	120
PID 1368 wrote to memory of 2400	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	120
PID 1368 wrote to memory of 2432	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	122
PID 1368 wrote to memory of 2432	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	122
PID 1368 wrote to memory of 2432	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	122
PID 1368 wrote to memory of 3052	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	124
PID 1368 wrote to memory of 3052	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	124
PID 1368 wrote to memory of 3052	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	124
PID 1368 wrote to memory of 4756	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	126
PID 1368 wrote to memory of 4756	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	126
PID 1368 wrote to memory of 4756	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	126
PID 1368 wrote to memory of 3420	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	128
PID 1368 wrote to memory of 3420	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	128
PID 1368 wrote to memory of 3420	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	128
PID 1368 wrote to memory of 1888	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	130
PID 1368 wrote to memory of 1888	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	130
PID 1368 wrote to memory of 1888	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	130
PID 1368 wrote to memory of 4768	1368	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	132

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.30150.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.30150.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\A\bat\*.dll
  2⤵
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\A\bat\*.txt
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\A\bat\*.bat
  2⤵
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\B\bat\*.dll
  2⤵
  PID:852
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\B\bat\*.txt
  2⤵
  PID:3136
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\B\bat\*.bat
  2⤵
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.dll
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.txt
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.bat
  2⤵
  PID:1216
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\K\bat\*.dll
  2⤵
  PID:4364
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\K\bat\*.txt
  2⤵
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\K\bat\*.bat
  2⤵
  PID:4892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\L\bat\*.dll
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\L\bat\*.txt
  2⤵
  PID:720
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\L\bat\*.bat
  2⤵
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.dll
  2⤵
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.txt
  2⤵
  PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.bat
  2⤵
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\S\bat\*.dll
  2⤵
  PID:4756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\S\bat\*.txt
  2⤵
  PID:3420
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\S\bat\*.bat
  2⤵
  PID:1888
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\T\bat\*.dll
  2⤵
  PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\T\bat\*.txt
  2⤵
  PID:4644
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\T\bat\*.bat
  2⤵
  PID:1020
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\U\bat\*.dll
  2⤵
  PID:4220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\U\bat\*.txt
  2⤵
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\U\bat\*.bat
  2⤵
  PID:3904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\W\bat\*.dll
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\W\bat\*.txt
  2⤵
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\W\bat\*.bat
  2⤵
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.dll
  2⤵
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic computersystem get name >C:\Sfero\Sfero365\I\bat\11name.dll
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic computersystem get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get VolumeSerialNumber >C:\Sfero\Sfero365\I\bat\12id.dll
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get VolumeSerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic baseboard get Product,serialnumber,status,tag >C:\Sfero\Sfero365\I\bat\21pb.dll
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic baseboard get Product,serialnumber,status,tag
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic baseboard get Manufacturer >C:\Sfero\Sfero365\I\bat\22marca.dll
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic baseboard get Manufacturer
    3⤵
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic cpu get name, NumberOfCores, NumberOfLogicalProcessors, Status, StatusInfo >C:\Sfero\Sfero365\I\bat\23cpu.dll
  2⤵
  PID:528
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name, NumberOfCores, NumberOfLogicalProcessors, Status, StatusInfo
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic memorychip get devicelocator, manufacturer, partnumber, serialnumber, capacity, speed, formfactor, BankLabel, Status, Tag >C:\Sfero\Sfero365\I\bat\24memory.dll
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic memorychip get devicelocator, manufacturer, partnumber, serialnumber, capacity, speed, formfactor, BankLabel, Status, Tag
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net use >C:\Sfero\Sfero365\I\bat\31unidadesred.dll
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk list brief >C:\Sfero\Sfero365\I\bat\31unidades.dll
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk list brief
    3⤵
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get Size >C:\Sfero\Sfero365\I\bat\32sizec.dll
  2⤵
  PID:628
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get Size
    3⤵
    PID:4816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get FreeSpace >C:\Sfero\Sfero365\I\bat\32sizecfree.dll
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get FreeSpace
    3⤵
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get filesystem >C:\Sfero\Sfero365\I\bat\32systemc.dll
  2⤵
  PID:4620
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get filesystem
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic path win32_VideoController get AdapterRAM,Caption,CurrentHorizontalResolution,CurrentVerticalResolution,MaxRefreshRate,Status > C:\Sfero\Sfero365\I\bat\25gpu.dll
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get AdapterRAM,Caption,CurrentHorizontalResolution,CurrentVerticalResolution,MaxRefreshRate,Status
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic printer get Default, DriverName, Name, Portname, Status > C:\Sfero\Sfero365\I\bat\26printers.dll
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic printer get Default, DriverName, Name, Portname, Status
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c PowerShell "Get-PhysicalDisk" >C:\Sfero\Sfero365\I\bat\33discos.dll
  2⤵
  PID:1020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Get-PhysicalDisk"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\K\bat\*.dll
  2⤵
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c TREE c:\sfero\sfero365\ >C:\Sfero\Sfero365\K\bat\arbol.dll
  2⤵
  PID:448
- - C:\Windows\SysWOW64\tree.com
    TREE c:\sfero\sfero365\
    3⤵
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\W\bat\*.dll
  2⤵
  PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c winget list >C:\Sfero\Sfero365\W\bat\81wglist.dll
  2⤵
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c TREE C:\Sfero\Sfero365\ >C:\Sfero\Sfero365\W\bat\99ok.dll
  2⤵
  PID:60
- - C:\Windows\SysWOW64\tree.com
    TREE C:\Sfero\Sfero365\
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.dll
  2⤵
  PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.txt
  2⤵
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.bat
  2⤵
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Sfero\Sfero365\F\bat\F365.bat
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface show interface
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Sfero\Sfero365\F\bat\F365.bat
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface show interface
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Sfero\Sfero365\B\config\COPY002\xto.dll

Filesize
345B

MD5
54e0512709c1cdd831225f67ab0eba2c

SHA1
e29720bea5bd973eba1ef08e85b183772da17a4f

SHA256
82c167ab84f5b4f0b5122bff017318b05db7d4358bc66f1b4c7e782f3960f439

SHA512
c8c97b3099fad7440ea4c29bd87ea4bf817d97a9dce13d42fbaa62f5a0fc97f48a0c22bc78e929a430563a5527bb4ea06a1a48e466efa57cf1ed8529ff43b15f

Download Submit
C:\Sfero\Sfero365\B\config\COPY005\xfrom.dll

Filesize
3B

MD5
af2f1f9437740d350345348cb663809c

SHA1
0f7e2419b55ac43f0bc6c486538371c5f0ae7d7e

SHA256
d26a7528134491bbe88c1c728df61f64d493faf74932d00ea636567fb5a91fb9

SHA512
36be2df57543155330f7218766f0cf0d6ba06a05b060c74a2857519a7b4f15cfe5eefbaf1a19c2c725e898ad229d0d77cdbe68cbc2bc3d87612270c9162b2609

Download Submit
C:\Sfero\Sfero365\B\config\COPY007\xto.dll

Filesize
230B

MD5
704913446121bd9a8be8b0576ba84229

SHA1
80a0162d877c489445f389787ab0844e99be6107

SHA256
7ffc94e012e26b0d23f98aab62919f0852702d10fe778b7dfd6ce7905bbedb05

SHA512
3c36570eaec51e30f31ad4989a414f5c9f3d861c1cba81d8fae4fe592da35ffa4badd08c2b9bfc9352fad1df404da340ca8651b995655a2a6c644a31ffe33047

Download Submit
C:\Sfero\Sfero365\F\bat\11ip.dll

Filesize
1022B

MD5
f7faa2420e88b517753c684816bbf1cc

SHA1
3ec5cab97cdceb6f08bddc72ea93c890c799dcf4

SHA256
dbae814324c9a3f37a162c66b9722bf9c0c658d1b035669dd12a84e34c98eedc

SHA512
232f4a707a90474de381560308f6d16072b1b9097355b8e5bcd4ba3cc237f105df5ed5daf415f93db7429b3a640023b9d844b888cfa129d194c3f128aeb44da2

Download Submit
C:\Sfero\Sfero365\F\bat\11xnetsh.dll

Filesize
199B

MD5
22eece2415fb6277100b7076718c03a3

SHA1
d7a052f2d61d97d967c0ae0ee4193f3d0a4ae651

SHA256
d91bbff2766f226886d4b7009f0f750249e84782d479da0b5c9c101938304a36

SHA512
312d13ded236e2665c80fb105e0ba4e6e13fae8805472680025cbc12cb0cdd076d2da7dae688784139e39e7711f7c17af6704de74e1033d2245daf9bc03bdedb

Download Submit
C:\Sfero\Sfero365\F\bat\F365.bat

Filesize
158B

MD5
e62b0feef270f3edd9b77363ea0fb337

SHA1
8de9fdcf0ab48ac7de2f47bc14b0663a52f0551b

SHA256
4bce5734654c35b5c9cbf787fc406348ab73b9e7646cf180ff745cf18fe667c4

SHA512
a9457846e1cd312915477b1c9c96761ad1d32a33e668f8fe5c1107357f0be9401f68a1a20d70ee72a271acda0dda40082174b4add18a0094def144f577a49a14

Download Submit
C:\Sfero\Sfero365\I\bat\11name.dll

Filesize
50B

MD5
88485ad359608e1db02958f545daf39f

SHA1
93938065917c694f621a0d34988803605b958f90

SHA256
49bf252e4e60c9957446feebbba0688cfef3222d278ee2612fa21d62c5125ba9

SHA512
84b6e780b3c51664abe75d8b9c74e819b46e8acadc68f13805becae59e1b82beb9b9499e75f57bb4afc775eebf5cd1ae205e62d637b326344978352dcf42646a

Download Submit
C:\Sfero\Sfero365\I\bat\12id.dll

Filesize
90B

MD5
fe7bbd5b959aca93b0568733355a6dcf

SHA1
9e93f784e1263a5c7fcf5cfa6dcf517917a6896d

SHA256
9b77a84cd303c5c010b63de2b397af10f4f63c75e548dcdedbe7bc24d2fee26b

SHA512
d7978dc620ecca721cb5a2c5c6bf74c33479f8a646e5bb6d63ef02ee1662190774cb03be381289c8209a242b24f8c60a1c9f6337df8761f79f13ee44f29d637f

Download Submit
C:\Sfero\Sfero365\I\bat\21pb.dll

Filesize
6B

MD5
bea07e6d2b8dce396fe21baa61b34956

SHA1
665332b36fc8fa1ed11210cdee83b639b451e592

SHA256
2e08d1f6000aef541797d008c05ac36f4dbebfb36cbac5615788e6fcc5b300a7

SHA512
4ad82fbef6d8d3f4d0b90a9399c8b405674bad0c750e385fb034e57895838fd26d7926f6ed0ccab2e2afcaf4a23613ed8f16d909bff870b40187e22e0a6362c1

Download Submit
C:\Sfero\Sfero365\Z\bat\Z365.bat

Filesize
760B

MD5
e244a9dff36d37cdecc8b8bf1db83c8d

SHA1
6c4cc2bb2f2fcf5667f5d9126afb4e000d3371f0

SHA256
548ebbec289485aa4283a5364f6d9a72390a2281e54b9ab51663c96ed8033c88

SHA512
126aca5e9ca6fca97819e98f13df25af86ff1b4aa93d935d6efd91402b873fbcad1c6d0157442c6a07430e9b60dd8d8182fa5225384da9d81b47dc5be406e42e

Download Submit
C:\Sfero\Sfero365\Z\bat\Z365.bat

Filesize
1KB

MD5
d4338cee69907d8a8b668746fec5c9bf

SHA1
ffd22089ccbcbb3e5179a8e845b29e256993d1b5

SHA256
43a766e3a89314ef66f91e067d979e178a9039f2a0aae5691e88efa61beb5d8b

SHA512
92148d89e95a3cd3b5a81a6c007b915aa9edc06f58ec6adcb3c769b99bbe16532b43f32aaeb0b1481f894fedb297f439bdeac6c98009a2fd396291c117c26b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xv11v3lx.soo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1368-7-0x0000000005090000-0x00000000050E6000-memory.dmp

Filesize
344KB

Download
memory/1368-168-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1368-6-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/1368-5-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1368-165-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1368-164-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/1368-0-0x00000000003C0000-0x000000000051A000-memory.dmp

Filesize
1.4MB

Download
memory/1368-162-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1368-4-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/1368-3-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/1368-1-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/1368-2-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/3540-76-0x000000006F7E0000-0x000000006F82C000-memory.dmp

Filesize
304KB

Download
memory/3540-75-0x0000000006B10000-0x0000000006B42000-memory.dmp

Filesize
200KB

Download
memory/3540-87-0x0000000007730000-0x00000000077D3000-memory.dmp

Filesize
652KB

Download
memory/3540-88-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3540-89-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/3540-90-0x0000000007860000-0x000000000787A000-memory.dmp

Filesize
104KB

Download
memory/3540-91-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/3540-92-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/3540-93-0x0000000007A60000-0x0000000007A71000-memory.dmp

Filesize
68KB

Download
memory/3540-94-0x0000000007A90000-0x0000000007A9E000-memory.dmp

Filesize
56KB

Download
memory/3540-95-0x0000000007C50000-0x0000000007C7A000-memory.dmp

Filesize
168KB

Download
memory/3540-96-0x0000000007C80000-0x0000000007CA4000-memory.dmp

Filesize
144KB

Download
memory/3540-99-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3540-86-0x0000000007700000-0x000000000771E000-memory.dmp

Filesize
120KB

Download
memory/3540-74-0x000000007F600000-0x000000007F610000-memory.dmp

Filesize
64KB

Download
memory/3540-73-0x00000000065D0000-0x000000000661C000-memory.dmp

Filesize
304KB

Download
memory/3540-72-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/3540-71-0x0000000006040000-0x0000000006394000-memory.dmp

Filesize
3.3MB

Download
memory/3540-61-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/3540-60-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/3540-59-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/3540-58-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/3540-57-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3540-55-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3540-56-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3540-54-0x0000000004F60000-0x0000000004F96000-memory.dmp

Filesize
216KB

Download