Analysis

- max time kernel: 146s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 16:20
Behavioral tasks

- behavioral1: sample 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe, resource win7-20240221-en
- behavioral2: sample 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe, resource win10v2004-20240508-en
- behavioral3: sample $DESKTOP/查看机器码.bat, resource win7-20240221-en
- behavioral4: sample $DESKTOP/查看机器码.bat, resource win10v2004-20240508-en
- behavioral5: sample $PLUGINSDIR/SelfDel.dll, resource win7-20231129-en
- behavioral6: sample $PLUGINSDIR/SelfDel.dll, resource win10v2004-20240426-en
- behavioral7: sample $PLUGINSDIR/rfshdktp.dll, resource win7-20240220-en
- behavioral8: sample $PLUGINSDIR/rfshdktp.dll, resource win10v2004-20240508-en
- behavioral9: sample TigerHwidTool.exe, resource win7-20240215-en
- behavioral10: sample TigerHwidTool.exe, resource win10v2004-20240426-en
- behavioral11: sample spiderman.bat, resource win7-20240419-en
- behavioral12: sample spiderman.bat, resource win10v2004-20240508-en
General

- Target: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
- Size: 14.3MB
- MD5: 3f05981c960cbf724d8aec6ff2e5a66b
- SHA1: d7e9338356e85a1824c76dfb10216bd84becb048
- SHA256: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
- SHA512: e461cf6ba6ecc48d7644054b67157b239a627e1021f4b47ab1da806d941fef2e85321ca537fe6b9caf2c0db19aa03c0adc230da594ac224ac5a019ff73e92ffb
- SSDEEP: 393216:V9ugEkty7AD0/0kfMEs4nC+bCxxddPN4644jpXdyIuJR8s:VLEcpD0/rTTfCxxmqIIuws
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoC
  Process: TigerHwidTool.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Creates new service(s) - 2 TTPs

ACProtect 1.3x - 1.4x DLL software - 2 IoCs
  Detects file using ACProtect software.
  - yara rule acprotect: C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\SelfDel.dll
  - yara rule acprotect: behavioral2/memory/3620-19-0x0000000074690000-0x0000000074699000-memory.dmp

Checks BIOS information in registry - 2 TTPs, 3 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Process: TigerHwidTool.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Deletes itself - 1 IoC
  - explorer.exe (PID 4876)

Executes dropped EXE - 1 IoC
  - TigerHwidTool.exe (PID 2128)

Loads dropped DLL - 3 IoCs
  - 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe (PID 3620), recorded three times

UPX-packed file (yara rule upx)
  - yara rule upx: C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\SelfDel.dll
  - yara rule upx: behavioral2/memory/3620-19-0x0000000074690000-0x0000000074699000-memory.dmp

Checks whether UAC is enabled
  Process: TigerHwidTool.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Writes to the Master Boot Record (MBR) - 1 TTP, 1 IoC
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process: TigerHwidTool.exe
  - File opened for modification: \??\PhysicalDrive0

Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoC
  - TigerHwidTool.exe (PID 2128)

Suspicious use of SetThreadContext - 1 IoC
  - PID 3620 (988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe) set thread context of PID 4876 (explorer.exe)

Drops file in Program Files directory - 3 IoCs
  Process: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
  - File created: C:\Program Files (x86)\TigerHwidTool\spiderman.bat
  - File created: C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
  - File created: C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe.s

Launches sc.exe - 7 IoCs
  Sc.exe is a Windows utility to control services on the system.
  - sc.exe PIDs: 1752, 452, 4992, 3692, 640, 4512, 3776

Enumerates physical storage devices - 1 TTP
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry - 2 TTPs, 4 IoCs
  Process: reg.exe (two instances)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct

Gathers network information - 2 TTPs, 1 IoC
  Uses a command-line utility to view network configuration.
  - ipconfig.exe (PID 3784)

Kills process with taskkill - 2 IoCs
  - taskkill.exe (PID 1904)
  - taskkill.exe (PID 2256)

Modifies registry class - 2 IoCs
  Process: TigerHwidTool.exe
  - Set value (data): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a}\SortOrderIndex = a25254b0aed713a3d55e5c99
  - Key created: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a}

Suspicious behavior: EnumeratesProcesses - 2 IoCs
  - TigerHwidTool.exe (PID 2128), recorded twice
Suspicious use of AdjustPrivilegeToken - 64 IoCs
  Processes: taskkill.exe, taskkill.exe, WMIC.exe, WMIC.exe
  - taskkill.exe (PID 1904): Token SeDebugPrivilege
  - taskkill.exe (PID 2256): Token SeDebugPrivilege
  - WMIC.exe (PID 4616), the following token sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - WMIC.exe (PID 2912), recorded once: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory - 64 IoCs
  Processes: 988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  Each parent-to-child write below is recorded three times unless noted otherwise.
  - PID 3620 (988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe) wrote to memory of: 1864 cmd.exe; 2128 TigerHwidTool.exe; 1208 cmd.exe; 4876 explorer.exe (recorded four times)
  - PID 1864 (cmd.exe) wrote to memory of: 640 sc.exe; 4512 sc.exe; 3776 sc.exe; 1752 sc.exe; 1904 taskkill.exe; 452 sc.exe; 4992 sc.exe; 3692 sc.exe
  - PID 1208 (cmd.exe) wrote to memory of: 1304 mode.com; 2256 taskkill.exe; 892 cmd.exe; 4740 cmd.exe; 4616 WMIC.exe; 2912 WMIC.exe; 1804 WMIC.exe
  - PID 892 (cmd.exe) wrote to memory of: 4692 reg.exe
  - PID 4740 (cmd.exe) wrote to memory of: 4488 reg.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\TigerHwidTool\spiderman.bat""
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\sc.exe
      command line: sc stop spidermansrv
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      command line: sc delete spidermansrv
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      command line: sc stop TigerServer
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      command line: sc delete TigerServer
      - Launches sc.exe
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /F /IM mc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\sc.exe
      command line: sc stop stsrv
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      command line: sc delete stsrv
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      command line: sc create stsrv binPath="C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe" start=auto DisplayName="stsrv"
      - Launches sc.exe

  - C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
    command line: "C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\查看机器码.bat
    (the batch file name 查看机器码 means "view machine code", i.e. the hardware ID)
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\mode.com
      command line: mode con cols=85 lines=90
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /F /IM WmiPrvSE.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
        - Enumerates system info in registry
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
        - Enumerates system info in registry
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic csproduct get Name
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic diskdrive get serialnumber
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic cpu get serialnumber
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic bios get serialnumber
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic baseboard get serialnumber
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic csproduct get uuid
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
      (the findstr pattern is the GBK encoding of "描述 物理地址", "Description Physical Address", which the sandbox rendered as CP437 characters)
      - C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /all
        - Gathers network information
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress

  - C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\system32\explorer.exe
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
- System Services (2)
  - Service Execution (2)
- Command and Scripting Interpreter (1)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Pre-OS Boot (1)
  - Bootkit (1)

Defense Evasion
- Virtualization/Sandbox Evasion (1)
- Impair Defenses (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads

- C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
  Filesize: 14.2MB
  MD5: a6244982dfd17611db5aa64be1d140b5
  SHA1: 7c1b3d4dd86459857d0e73812276e80ca83b260d
  SHA256: fa0dd508bd819d5a96b8caf7c2ca69033ca74005ce830f432b012a21c37ab5d4
  SHA512: 0f5c22eda3da555037016c90f8ca510db9bb9fa405c1dfca8ba31088c461def47c25d12ac55e408f6e8c352f0c01bf65ef158d1d6dc5d3e7c5fcf160c17fb754

- C:\Program Files (x86)\TigerHwidTool\spiderman.bat
  Filesize: 254B
  MD5: 2969a9253db05b47faa53ad2e95ed622
  SHA1: 172357e51f81b513769b39d1c92a25a4e2aa415d
  SHA256: 4c31e0eadcc1f277cea1124f4e6337665f2d195c781c556453db8a003a6fec7b
  SHA512: 1087ffe43314ce73c930538436a6de89339c21fc455d1e9e540ba06f9452d7d41bf843f181a28e6a2e2717a729222ee11325a3c8f6a4e22099c7abee20e94daa

- C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\SelfDel.dll
  Filesize: 5KB
  MD5: ca8bcdded6b265453cf68bae8bbd0b3a
  SHA1: 9dbe872ac53e075c0954c882d034aa009c733092
  SHA256: 299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184
  SHA512: a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

- C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\rfshdktp.dll
  Filesize: 2KB
  MD5: 9410591a148871a6d0629cf25b94526f
  SHA1: be1e8b0fe8327f185136a0d2460a68f720484535
  SHA256: acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7
  SHA512: 465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0

- C:\Users\Admin\Desktop\查看机器码.bat
  Filesize: 1KB
  MD5: 4a027f0c86eb9614e81af680b2475499
  SHA1: ca79f5c7789ffd01af9c00d20f15b1077e55fc15
  SHA256: 6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050
  SHA512: 169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01

Memory dumps

- memory/2128-39-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-18-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-33-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-34-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-35-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-36-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-37-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-38-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-40-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/2128-41-0x0000000000D70000-0x00000000028E9000-memory.dmp, Filesize 27.5MB
- memory/3620-19-0x0000000074690000-0x0000000074699000-memory.dmp, Filesize 36KB