Overview

Tab | Platform | Score
Overview | - | 9
Static | - | 7
988f5cc56c...4f.exe | windows7-x64 | 9
988f5cc56c...4f.exe | windows10-2004-x64 | 9
$DESKTOP/�...��.bat | windows7-x64 | 1
$DESKTOP/�...��.bat | windows10-2004-x64 | 1
$PLUGINSDI...el.dll | windows7-x64 | 7
$PLUGINSDI...el.dll | windows10-2004-x64 | 7
$PLUGINSDI...tp.dll | windows7-x64 | 1
$PLUGINSDI...tp.dll | windows10-2004-x64 | 1
TigerHwidTool.exe | windows7-x64 | 9
TigerHwidTool.exe | windows10-2004-x64 | 9
spiderman.bat | windows7-x64 | 8
spiderman.bat | windows10-2004-x64 | 8

Analysis
- max time kernel: 147s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-05-2024 16:20
Behavioral tasks

Task | Sample | Resource
behavioral1 | 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe | win7-20240221-en
behavioral2 | 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe | win10v2004-20240508-en
behavioral3 | $DESKTOP/查看机器码.bat | win7-20240221-en
behavioral4 | $DESKTOP/查看机器码.bat | win10v2004-20240508-en
behavioral5 | $PLUGINSDIR/SelfDel.dll | win7-20231129-en
behavioral6 | $PLUGINSDIR/SelfDel.dll | win10v2004-20240426-en
behavioral7 | $PLUGINSDIR/rfshdktp.dll | win7-20240220-en
behavioral8 | $PLUGINSDIR/rfshdktp.dll | win10v2004-20240508-en
behavioral9 | TigerHwidTool.exe | win7-20240215-en
behavioral10 | TigerHwidTool.exe | win10v2004-20240426-en
behavioral11 | spiderman.bat | win7-20240419-en
behavioral12 | spiderman.bat | win10v2004-20240508-en
General
- Target: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
- Size: 14.3MB
- MD5: 3f05981c960cbf724d8aec6ff2e5a66b
- SHA1: d7e9338356e85a1824c76dfb10216bd84becb048
- SHA256: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
- SHA512: e461cf6ba6ecc48d7644054b67157b239a627e1021f4b47ab1da806d941fef2e85321ca537fe6b9caf2c0db19aa03c0adc230da594ac224ac5a019ff73e92ffb
- SSDEEP: 393216:V9ugEkty7AD0/0kfMEs4nC+bCxxddPN4644jpXdyIuJR8s:VLEcpD0/rTTfCxxmqIIuws
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes: TigerHwidTool.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (TigerHwidTool.exe)

Creates new service(s) (2 TTPs)

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
Processes (resource: yara rule):
  \Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\SelfDel.dll: acprotect
  behavioral1/memory/2244-32-0x0000000074A50000-0x0000000074A59000-memory.dmp: acprotect
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: TigerHwidTool.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (TigerHwidTool.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (TigerHwidTool.exe)

Deletes itself (1 IoC)
Processes: explorer.exe (PID 1036)

Executes dropped EXE (1 IoC)
Processes: TigerHwidTool.exe (PID 2440)

Loads dropped DLL (4 IoCs)
Processes: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe (PID 2244, 4 events)
YARA rule match: upx (2 IoCs)
Processes (resource: yara rule):
  \Users\Admin\AppData\Local\Temp\nsdB1E3.tmp\SelfDel.dll: upx
  behavioral1/memory/2244-32-0x0000000074A50000-0x0000000074A59000-memory.dmp: upx

Checks whether UAC is enabled (1 IoC)
Processes: TigerHwidTool.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (TigerHwidTool.exe)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: TigerHwidTool.exe
  File opened for modification: \??\PhysicalDrive0 (TigerHwidTool.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: TigerHwidTool.exe (PID 2440)

Suspicious use of SetThreadContext (1 IoC)
Processes: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
  PID 2244 (988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe) set thread context of PID 1036 (explorer.exe)

Drops file in Program Files directory (3 IoCs)
Processes: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
  File created: C:\Program Files (x86)\TigerHwidTool\spiderman.bat
  File created: C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
  File created: C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe.s
Launches sc.exe (7 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (PIDs 2868, 2536, 2600, 2592, 2644, 1748, 3068)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: reg.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (reg.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (reg.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (reg.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (reg.exe)

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe (PID 2944)

Kills process with taskkill (2 IoCs)
Processes: taskkill.exe (PIDs 2612, 1856)

Modifies registry class (4 IoCs)
Processes: TigerHwidTool.exe
  Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a} (TigerHwidTool.exe)
  Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node (TigerHwidTool.exe)
  Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID (TigerHwidTool.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a}\SortOrderIndex = a2aafdb4aed713a3d55e5c99 (TigerHwidTool.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: TigerHwidTool.exe (PID 2440)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: taskkill.exe, taskkill.exe, WMIC.exe, WMIC.exe
  PID 2612 taskkill.exe: SeDebugPrivilege
  PID 1856 taskkill.exe: SeDebugPrivilege
  PID 1480 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence of 20 tokens is recorded twice)
  PID 2360 WMIC.exe: the same sequence of 20 tokens once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege (listing truncated at 64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe, cmd.exe, cmd.exe, cmd.exe
  PID 2244 (988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe) wrote to memory of PID 2636 (cmd.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 3068 (sc.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 2868 (sc.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 2536 (sc.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 2600 (sc.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 2612 (taskkill.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 2592 (sc.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 2644 (sc.exe): 4 events
  PID 2636 (cmd.exe) wrote to memory of PID 1748 (sc.exe): 4 events
  PID 2244 (988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe) wrote to memory of PID 2440 (TigerHwidTool.exe): 4 events
  PID 2244 (988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe) wrote to memory of PID 2468 (cmd.exe): 4 events
  PID 2244 (988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe) wrote to memory of PID 1036 (explorer.exe): 5 events
  PID 2468 (cmd.exe) wrote to memory of PID 1020 (mode.com): 4 events
  PID 2468 (cmd.exe) wrote to memory of PID 1856 (taskkill.exe): 4 events
  PID 2468 (cmd.exe) wrote to memory of PID 2648 (cmd.exe): 4 events
  PID 2648 (cmd.exe) wrote to memory of PID 2188 (reg.exe): 3 events (listing truncated at 64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe (PID 2244)
    Command line: "C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2636)
        Command line: cmd /c ""C:\Program Files (x86)\TigerHwidTool\spiderman.bat""
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sc.exe (PID 3068)
            Command line: sc stop spidermansrv
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe (PID 2868)
            Command line: sc delete spidermansrv
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe (PID 2536)
            Command line: sc stop TigerServer
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe (PID 2600)
            Command line: sc delete TigerServer
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\taskkill.exe (PID 2612)
            Command line: taskkill /F /IM mc.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\sc.exe (PID 2592)
            Command line: sc stop stsrv
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe (PID 2644)
            Command line: sc delete stsrv
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe (PID 1748)
            Command line: sc create stsrv binPath="C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe" start=auto DisplayName="stsrv"
            - Launches sc.exe

    [2] C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe (PID 2440)
        Command line: "C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2468)
        Command line: cmd /c C:\Users\Admin\Desktop\查看机器码.bat
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\mode.com (PID 1020)
            Command line: mode con cols=85 lines=90

        [3] C:\Windows\SysWOW64\taskkill.exe (PID 1856)
            Command line: taskkill /F /IM WmiPrvSE.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2648)
            Command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\reg.exe (PID 2188)
                Command line: reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
                - Enumerates system info in registry

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2348)
            Command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"

            [4] C:\Windows\SysWOW64\reg.exe (PID 2308)
                Command line: reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
                - Enumerates system info in registry

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1480)
            Command line: wmic csproduct get Name
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2360)
            Command line: wmic diskdrive get serialnumber
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1616)
            Command line: wmic cpu get serialnumber

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2128)
            Command line: wmic bios get serialnumber

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3016)
            Command line: wmic baseboard get serialnumber

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2140)
            Command line: wmic csproduct get uuid

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2920)
            Command line: C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"

            [4] C:\Windows\SysWOW64\ipconfig.exe (PID 2944)
                Command line: ipconfig /all
                - Gathers network information

            [4] C:\Windows\SysWOW64\findstr.exe (PID 2928)
                Command line: findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3024)
            Command line: wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress

    [2] C:\Windows\SysWOW64\explorer.exe (PID 1036)
        Command line: C:\Windows\system32\explorer.exe
        - Deletes itself
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
  System Services (2)
    Service Execution (2)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Pre-OS Boot (1)
    Bootkit (1)
Defense Evasion
  Impair Defenses (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Virtualization/Sandbox Evasion (1)
Downloads

- Filesize: 254B
  MD5: 2969a9253db05b47faa53ad2e95ed622
  SHA1: 172357e51f81b513769b39d1c92a25a4e2aa415d
  SHA256: 4c31e0eadcc1f277cea1124f4e6337665f2d195c781c556453db8a003a6fec7b
  SHA512: 1087ffe43314ce73c930538436a6de89339c21fc455d1e9e540ba06f9452d7d41bf843f181a28e6a2e2717a729222ee11325a3c8f6a4e22099c7abee20e94daa

- Filesize: 1KB
  MD5: 4a027f0c86eb9614e81af680b2475499
  SHA1: ca79f5c7789ffd01af9c00d20f15b1077e55fc15
  SHA256: 6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050
  SHA512: 169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01

- Filesize: 14.2MB
  MD5: a6244982dfd17611db5aa64be1d140b5
  SHA1: 7c1b3d4dd86459857d0e73812276e80ca83b260d
  SHA256: fa0dd508bd819d5a96b8caf7c2ca69033ca74005ce830f432b012a21c37ab5d4
  SHA512: 0f5c22eda3da555037016c90f8ca510db9bb9fa405c1dfca8ba31088c461def47c25d12ac55e408f6e8c352f0c01bf65ef158d1d6dc5d3e7c5fcf160c17fb754

- Filesize: 5KB
  MD5: ca8bcdded6b265453cf68bae8bbd0b3a
  SHA1: 9dbe872ac53e075c0954c882d034aa009c733092
  SHA256: 299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184
  SHA512: a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

- Filesize: 2KB
  MD5: 9410591a148871a6d0629cf25b94526f
  SHA1: be1e8b0fe8327f185136a0d2460a68f720484535
  SHA256: acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7
  SHA512: 465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0