988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f

Analysis

max time kernel
146s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
Size

14.3MB
MD5

3f05981c960cbf724d8aec6ff2e5a66b
SHA1

d7e9338356e85a1824c76dfb10216bd84becb048
SHA256

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
SHA512

e461cf6ba6ecc48d7644054b67157b239a627e1021f4b47ab1da806d941fef2e85321ca537fe6b9caf2c0db19aa03c0adc230da594ac224ac5a019ff73e92ffb
SSDEEP

393216:V9ugEkty7AD0/0kfMEs4nC+bCxxddPN4644jpXdyIuJR8s:VLEcpD0/rTTfCxxmqIIuws

Score

9^/10

bootkit evasion execution persistence trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

TigerHwidTool.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TigerHwidTool.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TigerHwidTool.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\SelfDel.dll	acprotect
behavioral2/memory/3620-19-0x0000000074690000-0x0000000074699000-memory.dmp	acprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TigerHwidTool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TigerHwidTool.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TigerHwidTool.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	TigerHwidTool.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

4876 explorer.exe
Executes dropped EXE 1 IoCs

Processes:

TigerHwidTool.exe

pid process

2128 TigerHwidTool.exe

pid	process
4876	explorer.exe

pid	process
2128	TigerHwidTool.exe

Loads dropped DLL 3 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

pid	process
3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\SelfDel.dll	upx
behavioral2/memory/3620-19-0x0000000074690000-0x0000000074699000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

TigerHwidTool.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA TigerHwidTool.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

TigerHwidTool.exe

description ioc process

File opened for modification \??\PhysicalDrive0 TigerHwidTool.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

TigerHwidTool.exe

pid process

2128 TigerHwidTool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TigerHwidTool.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	TigerHwidTool.exe

pid	process
2128	TigerHwidTool.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

description	pid	process	target process
PID 3620 set thread context of 4876	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

description	ioc	process
File created	C:\Program Files (x86)\TigerHwidTool\spiderman.bat	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
File created	C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
File created	C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe.s	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1752 sc.exe
452 sc.exe
4992 sc.exe
3692 sc.exe
640 sc.exe
4512 sc.exe
3776 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1752	sc.exe
452	sc.exe
4992	sc.exe
3692	sc.exe
640	sc.exe
4512	sc.exe
3776	sc.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3784 ipconfig.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1904 taskkill.exe
2256 taskkill.exe

pid	process
3784	ipconfig.exe

pid	process
1904	taskkill.exe
2256	taskkill.exe

Modifies registry class 2 IoCs

Processes:

TigerHwidTool.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a}\SortOrderIndex = a25254b0aed713a3d55e5c99	TigerHwidTool.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{9689eab6-ee9d-2386-376d-0410cd1a}	TigerHwidTool.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

TigerHwidTool.exe

pid process

2128 TigerHwidTool.exe
2128 TigerHwidTool.exe

pid	process
2128	TigerHwidTool.exe
2128	TigerHwidTool.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4616	WMIC.exe
Token: SeSecurityPrivilege	4616	WMIC.exe
Token: SeTakeOwnershipPrivilege	4616	WMIC.exe
Token: SeLoadDriverPrivilege	4616	WMIC.exe
Token: SeSystemProfilePrivilege	4616	WMIC.exe
Token: SeSystemtimePrivilege	4616	WMIC.exe
Token: SeProfSingleProcessPrivilege	4616	WMIC.exe
Token: SeIncBasePriorityPrivilege	4616	WMIC.exe
Token: SeCreatePagefilePrivilege	4616	WMIC.exe
Token: SeBackupPrivilege	4616	WMIC.exe
Token: SeRestorePrivilege	4616	WMIC.exe
Token: SeShutdownPrivilege	4616	WMIC.exe
Token: SeDebugPrivilege	4616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4616	WMIC.exe
Token: SeRemoteShutdownPrivilege	4616	WMIC.exe
Token: SeUndockPrivilege	4616	WMIC.exe
Token: SeManageVolumePrivilege	4616	WMIC.exe
Token: 33	4616	WMIC.exe
Token: 34	4616	WMIC.exe
Token: 35	4616	WMIC.exe
Token: 36	4616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4616	WMIC.exe
Token: SeSecurityPrivilege	4616	WMIC.exe
Token: SeTakeOwnershipPrivilege	4616	WMIC.exe
Token: SeLoadDriverPrivilege	4616	WMIC.exe
Token: SeSystemProfilePrivilege	4616	WMIC.exe
Token: SeSystemtimePrivilege	4616	WMIC.exe
Token: SeProfSingleProcessPrivilege	4616	WMIC.exe
Token: SeIncBasePriorityPrivilege	4616	WMIC.exe
Token: SeCreatePagefilePrivilege	4616	WMIC.exe
Token: SeBackupPrivilege	4616	WMIC.exe
Token: SeRestorePrivilege	4616	WMIC.exe
Token: SeShutdownPrivilege	4616	WMIC.exe
Token: SeDebugPrivilege	4616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4616	WMIC.exe
Token: SeRemoteShutdownPrivilege	4616	WMIC.exe
Token: SeUndockPrivilege	4616	WMIC.exe
Token: SeManageVolumePrivilege	4616	WMIC.exe
Token: 33	4616	WMIC.exe
Token: 34	4616	WMIC.exe
Token: 35	4616	WMIC.exe
Token: 36	4616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2912	WMIC.exe
Token: SeSecurityPrivilege	2912	WMIC.exe
Token: SeTakeOwnershipPrivilege	2912	WMIC.exe
Token: SeLoadDriverPrivilege	2912	WMIC.exe
Token: SeSystemProfilePrivilege	2912	WMIC.exe
Token: SeSystemtimePrivilege	2912	WMIC.exe
Token: SeProfSingleProcessPrivilege	2912	WMIC.exe
Token: SeIncBasePriorityPrivilege	2912	WMIC.exe
Token: SeCreatePagefilePrivilege	2912	WMIC.exe
Token: SeBackupPrivilege	2912	WMIC.exe
Token: SeRestorePrivilege	2912	WMIC.exe
Token: SeShutdownPrivilege	2912	WMIC.exe
Token: SeDebugPrivilege	2912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2912	WMIC.exe
Token: SeRemoteShutdownPrivilege	2912	WMIC.exe
Token: SeUndockPrivilege	2912	WMIC.exe
Token: SeManageVolumePrivilege	2912	WMIC.exe
Token: 33	2912	WMIC.exe
Token: 34	2912	WMIC.exe
Token: 35	2912	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3620 wrote to memory of 1864	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 3620 wrote to memory of 1864	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 3620 wrote to memory of 1864	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 1864 wrote to memory of 640	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 640	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 640	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 4512	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 4512	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 4512	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 3776	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 3776	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 3776	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 1752	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 1752	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 1752	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 1904	1864	cmd.exe	taskkill.exe
PID 1864 wrote to memory of 1904	1864	cmd.exe	taskkill.exe
PID 1864 wrote to memory of 1904	1864	cmd.exe	taskkill.exe
PID 1864 wrote to memory of 452	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 452	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 452	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 4992	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 4992	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 4992	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 3692	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 3692	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 3692	1864	cmd.exe	sc.exe
PID 3620 wrote to memory of 2128	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	TigerHwidTool.exe
PID 3620 wrote to memory of 2128	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	TigerHwidTool.exe
PID 3620 wrote to memory of 2128	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	TigerHwidTool.exe
PID 3620 wrote to memory of 1208	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 3620 wrote to memory of 1208	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 3620 wrote to memory of 1208	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	cmd.exe
PID 3620 wrote to memory of 4876	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 3620 wrote to memory of 4876	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 3620 wrote to memory of 4876	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 1208 wrote to memory of 1304	1208	cmd.exe	mode.com
PID 1208 wrote to memory of 1304	1208	cmd.exe	mode.com
PID 1208 wrote to memory of 1304	1208	cmd.exe	mode.com
PID 1208 wrote to memory of 2256	1208	cmd.exe	taskkill.exe
PID 1208 wrote to memory of 2256	1208	cmd.exe	taskkill.exe
PID 1208 wrote to memory of 2256	1208	cmd.exe	taskkill.exe
PID 3620 wrote to memory of 4876	3620	988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe	explorer.exe
PID 1208 wrote to memory of 892	1208	cmd.exe	cmd.exe
PID 1208 wrote to memory of 892	1208	cmd.exe	cmd.exe
PID 1208 wrote to memory of 892	1208	cmd.exe	cmd.exe
PID 892 wrote to memory of 4692	892	cmd.exe	reg.exe
PID 892 wrote to memory of 4692	892	cmd.exe	reg.exe
PID 892 wrote to memory of 4692	892	cmd.exe	reg.exe
PID 1208 wrote to memory of 4740	1208	cmd.exe	cmd.exe
PID 1208 wrote to memory of 4740	1208	cmd.exe	cmd.exe
PID 1208 wrote to memory of 4740	1208	cmd.exe	cmd.exe
PID 4740 wrote to memory of 4488	4740	cmd.exe	reg.exe
PID 4740 wrote to memory of 4488	4740	cmd.exe	reg.exe
PID 4740 wrote to memory of 4488	4740	cmd.exe	reg.exe
PID 1208 wrote to memory of 4616	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 4616	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 4616	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 2912	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 2912	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 2912	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 1804	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 1804	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 1804	1208	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe
"C:\Users\Admin\AppData\Local\Temp\988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\TigerHwidTool\spiderman.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\sc.exe
sc stop spidermansrv
3⤵
- Launches sc.exe
PID:640

C:\Windows\SysWOW64\sc.exe
sc delete spidermansrv
3⤵
- Launches sc.exe
PID:4512

C:\Windows\SysWOW64\sc.exe
sc stop TigerServer
3⤵
- Launches sc.exe
PID:3776

C:\Windows\SysWOW64\sc.exe
sc delete TigerServer
3⤵
- Launches sc.exe
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\sc.exe
sc stop stsrv
3⤵
- Launches sc.exe
PID:452

C:\Windows\SysWOW64\sc.exe
sc delete stsrv
3⤵
- Launches sc.exe
PID:4992

C:\Windows\SysWOW64\sc.exe
sc create stsrv binPath="C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe" start=auto DisplayName="stsrv"
3⤵
- Launches sc.exe
PID:3692

C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
"C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\查看机器码.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\mode.com
mode con cols=85 lines=90
3⤵
PID:1304

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
3⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\reg.exe
reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
4⤵
- Enumerates system info in registry
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
3⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\reg.exe
reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
4⤵
- Enumerates system info in registry
PID:4488

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get Name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get serialnumber
3⤵
PID:1804

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic bios get serialnumber
3⤵
PID:3724

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:3548

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
3⤵
PID:2684

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3784

C:\Windows\SysWOW64\findstr.exe
findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
4⤵
PID:2552

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
3⤵
PID:1760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\explorer.exe
2⤵
- Deletes itself
PID:4876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TigerHwidTool\TigerHwidTool.exe
Filesize
14.2MB

MD5
a6244982dfd17611db5aa64be1d140b5

SHA1
7c1b3d4dd86459857d0e73812276e80ca83b260d

SHA256
fa0dd508bd819d5a96b8caf7c2ca69033ca74005ce830f432b012a21c37ab5d4

SHA512
0f5c22eda3da555037016c90f8ca510db9bb9fa405c1dfca8ba31088c461def47c25d12ac55e408f6e8c352f0c01bf65ef158d1d6dc5d3e7c5fcf160c17fb754

Download Submit
C:\Program Files (x86)\TigerHwidTool\spiderman.bat
Filesize
254B

MD5
2969a9253db05b47faa53ad2e95ed622

SHA1
172357e51f81b513769b39d1c92a25a4e2aa415d

SHA256
4c31e0eadcc1f277cea1124f4e6337665f2d195c781c556453db8a003a6fec7b

SHA512
1087ffe43314ce73c930538436a6de89339c21fc455d1e9e540ba06f9452d7d41bf843f181a28e6a2e2717a729222ee11325a3c8f6a4e22099c7abee20e94daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\SelfDel.dll
Filesize
5KB

MD5
ca8bcdded6b265453cf68bae8bbd0b3a

SHA1
9dbe872ac53e075c0954c882d034aa009c733092

SHA256
299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

SHA512
a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4BB1.tmp\rfshdktp.dll
Filesize
2KB

MD5
9410591a148871a6d0629cf25b94526f

SHA1
be1e8b0fe8327f185136a0d2460a68f720484535

SHA256
acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7

SHA512
465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0

Download Submit
C:\Users\Admin\Desktop\查看机器码.bat
Filesize
1KB

MD5
4a027f0c86eb9614e81af680b2475499

SHA1
ca79f5c7789ffd01af9c00d20f15b1077e55fc15

SHA256
6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050

SHA512
169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01

Download Submit
memory/2128-39-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-18-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-33-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-34-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-35-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-36-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-37-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-38-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-40-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/2128-41-0x0000000000D70000-0x00000000028E9000-memory.dmp

Filesize
27.5MB

Download
memory/3620-19-0x0000000074690000-0x0000000074699000-memory.dmp

Filesize
36KB

Download