d8c159d2b08f67e7bedefbbd2f96e03563ccd65fed72f9f27383a08dcbfba20e

Analysis

max time kernel
85s
max time network
16s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file01.vbs
Size

1KB
MD5

ac74f4410482c655f5f633164bc24d4a
SHA1

083d14cd9967820eac4943a259e773f685c41198
SHA256

d8c159d2b08f67e7bedefbbd2f96e03563ccd65fed72f9f27383a08dcbfba20e
SHA512

10cb234c6cc09666456fcd37acc4692ddf9f7d6aefd28264d60c958867ec0140aeb7cc336e05f13c98627f78443b11f2830e1f3bd5c304f51fe465a4eb90ca8d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 36 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe

Modifies security service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\MpsSvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	reg.exe

Registers new Print Monitor 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port	reg.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2680	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeShutdownPrivilege	356	shutdown.exe
Token: SeRemoteShutdownPrivilege	356	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2496	1848	WScript.exe	29
PID 1848 wrote to memory of 2496	1848	WScript.exe	29
PID 1848 wrote to memory of 2496	1848	WScript.exe	29
PID 1848 wrote to memory of 2644	1848	WScript.exe	31
PID 1848 wrote to memory of 2644	1848	WScript.exe	31
PID 1848 wrote to memory of 2644	1848	WScript.exe	31
PID 1848 wrote to memory of 2792	1848	WScript.exe	33
PID 1848 wrote to memory of 2792	1848	WScript.exe	33
PID 1848 wrote to memory of 2792	1848	WScript.exe	33
PID 1848 wrote to memory of 2480	1848	WScript.exe	35
PID 1848 wrote to memory of 2480	1848	WScript.exe	35
PID 1848 wrote to memory of 2480	1848	WScript.exe	35
PID 1848 wrote to memory of 2376	1848	WScript.exe	37
PID 1848 wrote to memory of 2376	1848	WScript.exe	37
PID 1848 wrote to memory of 2376	1848	WScript.exe	37
PID 1848 wrote to memory of 1692	1848	WScript.exe	39
PID 1848 wrote to memory of 1692	1848	WScript.exe	39
PID 1848 wrote to memory of 1692	1848	WScript.exe	39
PID 1848 wrote to memory of 2412	1848	WScript.exe	41
PID 1848 wrote to memory of 2412	1848	WScript.exe	41
PID 1848 wrote to memory of 2412	1848	WScript.exe	41
PID 1848 wrote to memory of 2820	1848	WScript.exe	43
PID 1848 wrote to memory of 2820	1848	WScript.exe	43
PID 1848 wrote to memory of 2820	1848	WScript.exe	43
PID 1848 wrote to memory of 632	1848	WScript.exe	45
PID 1848 wrote to memory of 632	1848	WScript.exe	45
PID 1848 wrote to memory of 632	1848	WScript.exe	45
PID 1848 wrote to memory of 1368	1848	WScript.exe	47
PID 1848 wrote to memory of 1368	1848	WScript.exe	47
PID 1848 wrote to memory of 1368	1848	WScript.exe	47
PID 1848 wrote to memory of 2348	1848	WScript.exe	49
PID 1848 wrote to memory of 2348	1848	WScript.exe	49
PID 1848 wrote to memory of 2348	1848	WScript.exe	49
PID 1848 wrote to memory of 2660	1848	WScript.exe	51
PID 1848 wrote to memory of 2660	1848	WScript.exe	51
PID 1848 wrote to memory of 2660	1848	WScript.exe	51
PID 1848 wrote to memory of 1800	1848	WScript.exe	53
PID 1848 wrote to memory of 1800	1848	WScript.exe	53
PID 1848 wrote to memory of 1800	1848	WScript.exe	53
PID 1848 wrote to memory of 2104	1848	WScript.exe	55
PID 1848 wrote to memory of 2104	1848	WScript.exe	55
PID 1848 wrote to memory of 2104	1848	WScript.exe	55
PID 1848 wrote to memory of 300	1848	WScript.exe	57
PID 1848 wrote to memory of 300	1848	WScript.exe	57
PID 1848 wrote to memory of 300	1848	WScript.exe	57
PID 1848 wrote to memory of 1620	1848	WScript.exe	59
PID 1848 wrote to memory of 1620	1848	WScript.exe	59
PID 1848 wrote to memory of 1620	1848	WScript.exe	59
PID 1848 wrote to memory of 2100	1848	WScript.exe	61
PID 1848 wrote to memory of 2100	1848	WScript.exe	61
PID 1848 wrote to memory of 2100	1848	WScript.exe	61
PID 1848 wrote to memory of 1764	1848	WScript.exe	63
PID 1848 wrote to memory of 1764	1848	WScript.exe	63
PID 1848 wrote to memory of 1764	1848	WScript.exe	63
PID 1848 wrote to memory of 2124	1848	WScript.exe	65
PID 1848 wrote to memory of 2124	1848	WScript.exe	65
PID 1848 wrote to memory of 2124	1848	WScript.exe	65
PID 1848 wrote to memory of 688	1848	WScript.exe	67
PID 1848 wrote to memory of 688	1848	WScript.exe	67
PID 1848 wrote to memory of 688	1848	WScript.exe	67
PID 1848 wrote to memory of 2044	1848	WScript.exe	69
PID 1848 wrote to memory of 2044	1848	WScript.exe	69
PID 1848 wrote to memory of 2044	1848	WScript.exe	69
PID 1848 wrote to memory of 1036	1848	WScript.exe	71

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2496
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2644
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2792
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2480
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2376
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1692
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2412
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2820
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:632
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1368
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2348
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2660
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1800
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2104
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:300
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1620
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2100
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1764
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2124
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:688
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2044
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1036
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2796
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:3028
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:2704
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1972
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1204
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:3064
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:592
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\justsomething.bat" "
  2⤵
  PID:1308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /s /t 1 /c "BYE SYSTEM"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:356
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_LOCAL_MACHINE\SYSTEM /f
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Registers new Print Monitor
  - Maps connected drives based on registry
  PID:1552

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:808

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:772

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\justsomething.bat

Filesize
131B

MD5
98522217327e248a4a3f84589a4b4c0b

SHA1
1c9f31141650919875457e3c0b453a4117e6af24

SHA256
17a88bbb2f1d7130b0986d1c5b0856f681a0e75c19c4535b07e0ff45ecf34b70

SHA512
919dc24902154795c93497c22f62056b4a7846a9dab1b38b101cc6b29fda859ad89e30a1beb28c108ed89ff0e9102f69bab4a1446530af693b0a8a380df12280

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads