988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f

Analysis

max time kernel
147s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
Size

14.3MB
MD5

3f05981c960cbf724d8aec6ff2e5a66b
SHA1

d7e9338356e85a1824c76dfb10216bd84becb048
SHA256

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
SHA512

e461cf6ba6ecc48d7644054b67157b239a627e1021f4b47ab1da806d941fef2e85321ca537fe6b9caf2c0db19aa03c0adc230da594ac224ac5a019ff73e92ffb
SSDEEP

393216:V9ugEkty7AD0/0kfMEs4nC+bCxxddPN4644jpXdyIuJR8s:VLEcpD0/rTTfCxxmqIIuws

Score

9^/10

bootkit evasion execution persistence trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

TigerHwidTool.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TigerHwidTool.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TigerHwidTool.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\SelfDel.dll	acprotect
behavioral1/memory/2244-32-0x0000000074A50000-0x0000000074A59000-memory.dmp	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TigerHwidTool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TigerHwidTool.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TigerHwidTool.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

1036 explorer.exe
Executes dropped EXE 1 IoCs

Processes:

TigerHwidTool.exe

pid process

2440 TigerHwidTool.exe

pid	process
1036	explorer.exe

pid	process
2440	TigerHwidTool.exe

Loads dropped DLL 4 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

pid	process
2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\SelfDel.dll	upx
behavioral1/memory/2244-32-0x0000000074A50000-0x0000000074A59000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

TigerHwidTool.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA TigerHwidTool.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

TigerHwidTool.exe

description ioc process

File opened for modification \??\PhysicalDrive0 TigerHwidTool.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

TigerHwidTool.exe

pid process

2440 TigerHwidTool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TigerHwidTool.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	TigerHwidTool.exe

pid	process
2440	TigerHwidTool.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

description	pid	process	target process
PID 2244 set thread context of 1036	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

description	ioc	process
File created	C:\Program Files (x86)\TigerHwidTool\spiderman.bat	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
File created	C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
File created	C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe.s	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2868 sc.exe
2536 sc.exe
2600 sc.exe
2592 sc.exe
2644 sc.exe
1748 sc.exe
3068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2868	sc.exe
2536	sc.exe
2600	sc.exe
2592	sc.exe
2644	sc.exe
1748	sc.exe
3068	sc.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2944 ipconfig.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2612 taskkill.exe
1856 taskkill.exe

pid	process
2944	ipconfig.exe

pid	process
2612	taskkill.exe
1856	taskkill.exe

Modifies registry class 4 IoCs

Processes:

TigerHwidTool.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a}	TigerHwidTool.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node	TigerHwidTool.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID	TigerHwidTool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a}\SortOrderIndex = a2aafdb4aed713a3d55e5c99	TigerHwidTool.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

TigerHwidTool.exe

pid process

2440 TigerHwidTool.exe

pid	process
2440	TigerHwidTool.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1480	WMIC.exe
Token: SeSecurityPrivilege	1480	WMIC.exe
Token: SeTakeOwnershipPrivilege	1480	WMIC.exe
Token: SeLoadDriverPrivilege	1480	WMIC.exe
Token: SeSystemProfilePrivilege	1480	WMIC.exe
Token: SeSystemtimePrivilege	1480	WMIC.exe
Token: SeProfSingleProcessPrivilege	1480	WMIC.exe
Token: SeIncBasePriorityPrivilege	1480	WMIC.exe
Token: SeCreatePagefilePrivilege	1480	WMIC.exe
Token: SeBackupPrivilege	1480	WMIC.exe
Token: SeRestorePrivilege	1480	WMIC.exe
Token: SeShutdownPrivilege	1480	WMIC.exe
Token: SeDebugPrivilege	1480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1480	WMIC.exe
Token: SeRemoteShutdownPrivilege	1480	WMIC.exe
Token: SeUndockPrivilege	1480	WMIC.exe
Token: SeManageVolumePrivilege	1480	WMIC.exe
Token: 33	1480	WMIC.exe
Token: 34	1480	WMIC.exe
Token: 35	1480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1480	WMIC.exe
Token: SeSecurityPrivilege	1480	WMIC.exe
Token: SeTakeOwnershipPrivilege	1480	WMIC.exe
Token: SeLoadDriverPrivilege	1480	WMIC.exe
Token: SeSystemProfilePrivilege	1480	WMIC.exe
Token: SeSystemtimePrivilege	1480	WMIC.exe
Token: SeProfSingleProcessPrivilege	1480	WMIC.exe
Token: SeIncBasePriorityPrivilege	1480	WMIC.exe
Token: SeCreatePagefilePrivilege	1480	WMIC.exe
Token: SeBackupPrivilege	1480	WMIC.exe
Token: SeRestorePrivilege	1480	WMIC.exe
Token: SeShutdownPrivilege	1480	WMIC.exe
Token: SeDebugPrivilege	1480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1480	WMIC.exe
Token: SeRemoteShutdownPrivilege	1480	WMIC.exe
Token: SeUndockPrivilege	1480	WMIC.exe
Token: SeManageVolumePrivilege	1480	WMIC.exe
Token: 33	1480	WMIC.exe
Token: 34	1480	WMIC.exe
Token: 35	1480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2244 wrote to memory of 2636	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2244 wrote to memory of 2636	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2244 wrote to memory of 2636	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2244 wrote to memory of 2636	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2636 wrote to memory of 3068	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 3068	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 3068	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 3068	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2868	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2868	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2868	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2868	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2536	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2536	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2536	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2536	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2600	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2600	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2600	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2600	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2612	2636	cmd.exe	taskkill.exe
PID 2636 wrote to memory of 2612	2636	cmd.exe	taskkill.exe
PID 2636 wrote to memory of 2612	2636	cmd.exe	taskkill.exe
PID 2636 wrote to memory of 2612	2636	cmd.exe	taskkill.exe
PID 2636 wrote to memory of 2592	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2592	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2592	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2592	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2644	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2644	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2644	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 2644	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 1748	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 1748	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 1748	2636	cmd.exe	sc.exe
PID 2636 wrote to memory of 1748	2636	cmd.exe	sc.exe
PID 2244 wrote to memory of 2440	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	TigerHwidTool.exe
PID 2244 wrote to memory of 2440	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	TigerHwidTool.exe
PID 2244 wrote to memory of 2440	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	TigerHwidTool.exe
PID 2244 wrote to memory of 2440	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	TigerHwidTool.exe
PID 2244 wrote to memory of 2468	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2244 wrote to memory of 2468	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2244 wrote to memory of 2468	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2244 wrote to memory of 2468	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 2244 wrote to memory of 1036	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 2244 wrote to memory of 1036	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 2244 wrote to memory of 1036	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 2244 wrote to memory of 1036	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 2244 wrote to memory of 1036	2244	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 2468 wrote to memory of 1020	2468	cmd.exe	mode.com
PID 2468 wrote to memory of 1020	2468	cmd.exe	mode.com
PID 2468 wrote to memory of 1020	2468	cmd.exe	mode.com
PID 2468 wrote to memory of 1020	2468	cmd.exe	mode.com
PID 2468 wrote to memory of 1856	2468	cmd.exe	taskkill.exe
PID 2468 wrote to memory of 1856	2468	cmd.exe	taskkill.exe
PID 2468 wrote to memory of 1856	2468	cmd.exe	taskkill.exe
PID 2468 wrote to memory of 1856	2468	cmd.exe	taskkill.exe
PID 2468 wrote to memory of 2648	2468	cmd.exe	cmd.exe
PID 2468 wrote to memory of 2648	2468	cmd.exe	cmd.exe
PID 2468 wrote to memory of 2648	2468	cmd.exe	cmd.exe
PID 2468 wrote to memory of 2648	2468	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2188	2648	cmd.exe	reg.exe
PID 2648 wrote to memory of 2188	2648	cmd.exe	reg.exe
PID 2648 wrote to memory of 2188	2648	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
"C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\TigerHwidTool\spiderman.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\sc.exe
sc stop spidermansrv
3⤵
- Launches sc.exe
PID:3068

C:\Windows\SysWOW64\sc.exe
sc delete spidermansrv
3⤵
- Launches sc.exe
PID:2868

C:\Windows\SysWOW64\sc.exe
sc stop TigerServer
3⤵
- Launches sc.exe
PID:2536

C:\Windows\SysWOW64\sc.exe
sc delete TigerServer
3⤵
- Launches sc.exe
PID:2600

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\sc.exe
sc stop stsrv
3⤵
- Launches sc.exe
PID:2592

C:\Windows\SysWOW64\sc.exe
sc delete stsrv
3⤵
- Launches sc.exe
PID:2644

C:\Windows\SysWOW64\sc.exe
sc create stsrv binPath="C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe" start=auto DisplayName="stsrv"
3⤵
- Launches sc.exe
PID:1748

C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
"C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\Desktop\查看机器码.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\mode.com
mode con cols=85 lines=90
3⤵
PID:1020

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
3⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\reg.exe
reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
4⤵
- Enumerates system info in registry
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
3⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
4⤵
- Enumerates system info in registry
PID:2308

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get Name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get serialnumber
3⤵
PID:1616

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic bios get serialnumber
3⤵
PID:2128

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:3016

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
3⤵
PID:2920

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:2944

C:\Windows\SysWOW64\findstr.exe
findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
4⤵
PID:2928

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
3⤵
PID:3024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\explorer.exe
2⤵
- Deletes itself
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TigerHwidTool\spiderman.bat

Filesize
254B

MD5
2969a9253db05b47faa53ad2e95ed622

SHA1
172357e51f81b513769b39d1c92a25a4e2aa415d

SHA256
4c31e0eadcc1f277cea1124f4e6337665f2d195c781c556453db8a003a6fec7b

SHA512
1087ffe43314ce73c930538436a6de89339c21fc455d1e9e540ba06f9452d7d41bf843f181a28e6a2e2717a729222ee11325a3c8f6a4e22099c7abee20e94daa

Download Submit
C:\Users\Admin\Desktop\查看机器码.bat

Filesize
1KB

MD5
4a027f0c86eb9614e81af680b2475499

SHA1
ca79f5c7789ffd01af9c00d20f15b1077e55fc15

SHA256
6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050

SHA512
169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01

Download Submit
\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe

Filesize
14.2MB

MD5
a6244982dfd17611db5aa64be1d140b5

SHA1
7c1b3d4dd86459857d0e73812276e80ca83b260d

SHA256
fa0dd508bd819d5a96b8caf7c2ca69033ca74005ce830f432b012a21c37ab5d4

SHA512
0f5c22eda3da555037016c90f8ca510db9bb9fa405c1dfca8ba31088c461def47c25d12ac55e408f6e8c352f0c01bf65ef158d1d6dc5d3e7c5fcf160c17fb754

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\SelfDel.dll

Filesize
5KB

MD5
ca8bcdded6b265453cf68bae8bbd0b3a

SHA1
9dbe872ac53e075c0954c882d034aa009c733092

SHA256
299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

SHA512
a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\rfshdktp.dll

Filesize
2KB

MD5
9410591a148871a6d0629cf25b94526f

SHA1
be1e8b0fe8327f185136a0d2460a68f720484535

SHA256
acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7

SHA512
465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0

Download Submit
memory/2244-32-0x0000000074A50000-0x0000000074A59000-memory.dmp

Filesize
36KB

Download
memory/2244-31-0x0000000003170000-0x0000000004CE9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-51-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-45-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-50-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-52-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-53-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-54-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-55-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-56-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-57-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download
memory/2440-58-0x0000000000B40000-0x00000000026B9000-memory.dmp

Filesize
27.5MB

Download