Overview (score 10)

Sample                   Platform             Score
Venom-Rat-...0.html      windows7-x64         1
Venom-Rat-...0.html      windows10-2004-x64   1
Venom-Rat-...0.html      windows7-x64         1
Venom-Rat-...0.html      windows10-2004-x64   1
Venom-Rat-...il.dll      windows7-x64         1
Venom-Rat-...il.dll      windows10-2004-x64   1
Venom-Rat-...at.dll      windows7-x64         1
Venom-Rat-...at.dll      windows10-2004-x64   1
Venom-Rat-...me.dll      windows7-x64         1
Venom-Rat-...me.dll      windows10-2004-x64   1
Venom-Rat-...ed.exe      windows7-x64         8
Venom-Rat-...ed.exe      windows10-2004-x64   8
Majid Z Hacker.exe       windows7-x64         8
Majid Z Hacker.exe       windows10-2004-x64   8
Majid Z Hacker.exe       windows7-x64         10
Majid Z Hacker.exe       windows10-2004-x64   10
Windows Program.exe      windows7-x64         7
Windows Program.exe      windows10-2004-x64   7
script.vbs               windows7-x64         10
script.vbs               windows10-2004-x64   10
windows registry.exe     windows7-x64         10
windows registry.exe     windows10-2004-x64   10
firewall.exe             windows7-x64         8
firewall.exe             windows10-2004-x64   -
Venom Cracked.exe        windows7-x64         1
Venom Cracked.exe        windows10-2004-x64   1
Venom-Rat-...er.exe      windows7-x64         1
Venom-Rat-...er.exe      windows10-2004-x64   1
Venom-Rat-...ed.exe      windows7-x64         10
Venom-Rat-...ed.exe      windows10-2004-x64   10
Majid Z Ha...te.exe      windows7-x64         10
Majid Z Ha...te.exe      windows10-2004-x64   10
Analysis

max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 12:30
Behavioral tasks (sample, resource)

behavioral1:  Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html (win7-20240221-en)
behavioral2:  Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html (win10v2004-20240508-en)
behavioral3:  Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html (win7-20240221-en)
behavioral4:  Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html (win10v2004-20240508-en)
behavioral5:  Venom-Rat-Cracked--main/Mono.Cecil.dll (win7-20240221-en)
behavioral6:  Venom-Rat-Cracked--main/Mono.Cecil.dll (win10v2004-20240426-en)
behavioral7:  Venom-Rat-Cracked--main/Mono.Nat.dll (win7-20240221-en)
behavioral8:  Venom-Rat-Cracked--main/Mono.Nat.dll (win10v2004-20240508-en)
behavioral9:  Venom-Rat-Cracked--main/VelyseTheme.dll (win7-20231129-en)
behavioral10: Venom-Rat-Cracked--main/VelyseTheme.dll (win10v2004-20240508-en)
behavioral11: Venom-Rat-Cracked--main/Venom Activated Cracked.exe (win7-20240215-en)
behavioral12: Venom-Rat-Cracked--main/Venom Activated Cracked.exe (win10v2004-20240508-en)
behavioral13: Majid Z Hacker.exe (win7-20240220-en)
behavioral14: Majid Z Hacker.exe (win10v2004-20240508-en)
behavioral15: Majid Z Hacker.exe (win7-20240508-en)
behavioral16: Majid Z Hacker.exe (win10v2004-20240508-en)
behavioral17: Windows Program.exe (win7-20240221-en)
behavioral18: Windows Program.exe (win10v2004-20240426-en)
behavioral19: script.vbs (win7-20240508-en)
behavioral20: script.vbs (win10v2004-20240426-en)
behavioral21: windows registry.exe (win7-20240508-en)
behavioral22: windows registry.exe (win10v2004-20240508-en)
behavioral23: firewall.exe (win7-20240419-en)
behavioral24: firewall.exe (win10v2004-20240426-en)
behavioral25: Venom Cracked.exe (win7-20240221-en)
behavioral26: Venom Cracked.exe (win10v2004-20240426-en)
behavioral27: Venom-Rat-Cracked--main/Venom Binder.exe (win7-20240221-en)
behavioral28: Venom-Rat-Cracked--main/Venom Binder.exe (win10v2004-20240508-en)
behavioral29: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe (win7-20240221-en)
behavioral30: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe (win10v2004-20240426-en)
behavioral31: Majid Z Hacker Website.exe (win7-20240508-en)
behavioral32: Majid Z Hacker Website.exe (win10v2004-20240508-en)
General

Target: Majid Z Hacker.exe
Size: 413KB
MD5: d546dc22ad3450598ab32de298a72a80
SHA1: 6c0b509488bdb86a679a4499e6ebf276ac9d8ea1
SHA256: b29885d1b7a7710d0bb85861609520cc7bd53524ab5525cd9b9c47690f0103a2
SHA512: 79e5bca20e23b0cff3d7d98003ae6d69d8932a75eeff23f31ec4c0aae93a02d41593c60d3a6fcb8a06600e21bfa7190210e4842bcba3ba8e9a7d62f344b48980
SSDEEP: 12288:6+81qE0efXk6XLUwx7YfR43JDOpedYhN7zf+:6o5yU6XIGYqJDOpJPzf+
Malware Config
(none listed)

Signatures

Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  yara_rule disable_win_def matched: C:\Users\Admin\AppData\Local\Temp\script.vbs

Modifies Windows Defender Real-time Protection settings
  WScript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  WScript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  WScript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  WScript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 5704 netsh.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Majid Z Hacker.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation

Drops startup file (3 IoCs)
  Windows Program.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNLEWE.lnk
  windows registry.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b3c87226fd3a4e8b8191141ea7a593c.exe
  windows registry.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b3c87226fd3a4e8b8191141ea7a593c.exe

Executes dropped EXE (2 IoCs)
  pid 4256 windows registry.exe
  pid 2608 Windows Program.exe

UPX-packed (yara_rule upx)
  C:\Users\Admin\AppData\Local\Temp\Windows Program.exe
  behavioral16/memory/2608-22-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-251-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-293-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-294-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-296-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-297-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-299-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-300-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-301-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-302-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-303-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-304-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-305-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-306-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-307-0x0000000000400000-0x00000000004CA000-memory.dmp

Adds Run key to start application (2 TTPs, 3 IoCs)
  Windows Program.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNLEWE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Windows Program.exe\""
  windows registry.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b3c87226fd3a4e8b8191141ea7a593c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows registry.exe\" .."
  windows registry.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8b3c87226fd3a4e8b8191141ea7a593c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows registry.exe\" .."

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: ipapi.co
  flow 8: ipapi.co

AutoIT Executable (14 IoCs)
  AutoIT scripts compiled to PE executables.
  yara_rule autoit_exe matched:
  behavioral16/memory/2608-251-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-293-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-294-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-296-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-297-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-299-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-300-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-301-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-302-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-303-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-304-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-305-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-306-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral16/memory/2608-307-0x0000000000400000-0x00000000004CA000-memory.dmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Majid Z Hacker.exe: Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2608 Windows Program.exe (repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2608 Windows Program.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Token: SeDebugPrivilege, pid 3564 powershell.exe
  Token: SeDebugPrivilege, pid 4732 powershell.exe
  Token: SeDebugPrivilege, pid 4228 powershell.exe
  Token: SeDebugPrivilege, pid 2752 powershell.exe
  Token: SeDebugPrivilege, pid 3100 powershell.exe
  Token: SeDebugPrivilege, pid 1664 powershell.exe
  Token: SeDebugPrivilege, pid 2968 powershell.exe
  Token: SeDebugPrivilege, pid 2528 powershell.exe
  Token: SeDebugPrivilege, pid 4680 powershell.exe
  Token: SeDebugPrivilege, pid 1760 powershell.exe
  Token: SeDebugPrivilege, pid 2804 powershell.exe
  Token: SeDebugPrivilege, pid 4256 windows registry.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 4256 windows registry.exe (alternating, repeated for the remaining IoCs)

Suspicious use of WriteProcessMemory (51 IoCs)
  PID 2460 Majid Z Hacker.exe wrote to memory of 2768 WScript.exe (3 times)
  PID 2460 Majid Z Hacker.exe wrote to memory of 4256 windows registry.exe (3 times)
  PID 2460 Majid Z Hacker.exe wrote to memory of 2608 Windows Program.exe (3 times)
  PID 2768 WScript.exe wrote to memory of 4384 WScript.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 3564 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 4732 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 4228 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 3100 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 1664 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 2752 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 2968 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 4680 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 2528 powershell.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 1760 powershell.exe (3 times)
  PID 2608 Windows Program.exe wrote to memory of 1444 WSCript.exe (3 times)
  PID 4384 WScript.exe wrote to memory of 2804 powershell.exe (3 times)
  PID 4256 windows registry.exe wrote to memory of 5704 netsh.exe (3 times)
Processes (indentation shows parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WScript.exe
            command line: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
            - Modifies Windows Defender Real-time Protection settings
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\windows registry.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\windows registry.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows registry.exe" "windows registry.exe" ENABLE
            - Modifies Windows Firewall

    [2] C:\Users\Admin\AppData\Local\Temp\Windows Program.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Windows Program.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WSCript.exe
            command line: WSCript C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4428,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:8
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)

Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: ce221cd35edbe5f5d1db41f2d4bcf327
  SHA1: 954f33756b950f367615102c945e6e0a720ee839
  SHA256: a948e910770a7d4ad6f02b0b7c5c2545388ed122dc02672662ac3627f1a52488
  SHA512: 9a2dc78d3098b7dd19fe07822736bc201877bec03bbdd214aac3cac41a4ff091f8c2576cf0021cea6bbe0a40ac2a0e95adb9ec0fc299ff3ad64801c1a8b41d93

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: b17b16513c34f224212c0eae920629da
  SHA1: 327bf5363b000d64e976302b6462ac63edcbc2f7
  SHA256: c3193bbcf57ed3e1d6db1502f6b53735ed846f0a5171abede45462132cb3da9c
  SHA512: c8507d0c628776059a411bf822192a26f9b2d0d53827b518503ff2d9618bdfb48b1275013edbbe853e47b5d32d0356a5c670857c41af5abed905f24f1a22c75d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 5d0f74edf0581a5bf63061c8e5026952
  SHA1: 6dbe619d6f098bfdf84a041cc556a4b7b3bc66c7
  SHA256: 12614810d501bf836392a0d6357ff7a69daea59df6ff4c11b9fb4a6e37787987
  SHA512: 50a073a9a33523505370e610ec2571ce76ab7d01462b06888e0edeb23db8382f29ca9026ddb61d01c01fe8ad64fcee225c9269f6fd3fbc441b80ee504701efcd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: bab4ec488ff7c6b226542a903be028e9
  SHA1: bf0fb2a23820c68a586e95e1f9985bbe8d10a4f3
  SHA256: c4d0adfa97bede5d005544f92aaccce9c4ae102fae15dba0a1e038542e0b886a
  SHA512: ad827848752bbf26490317b08801a2092a100938bd99071c7130e0786abf11306d3e5d404e49aee288dd493ae6a9be537e103737e69fdfd0869bd5fc9f86da50

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: ba109f5d0bc2559abb83c96c7ed1b64d
  SHA1: be025fcfd76b6e334e7dad594a4139d8c0faea05
  SHA256: 16826b1e5df4f0e3e6f2e89f35563c57eb84d9af7962661a378288ae703b4b22
  SHA512: c4f44a3f859cb6d9d003fee307259518a82860c77c6b0596077b4cabc9488070d233e046b27be481366470d6fffdd8d65842615a136007796921dfcbb34bb23f

C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
  Filesize: 850B
  MD5: 59ccb6ffd3155d4e1e16509c1d2b424b
  SHA1: c4b3aaa2e1f972aa6f1ae4a1543452d93bf1491c
  SHA256: ba844c991f9fc79f240573cf20e975ac60ae70adc4f45298059e53474df49d1c
  SHA512: 8b1f99c486b756305dc3480182e2b6a37454e156050da9a3e2ff21ce131e7a34a3ebe740f7f07ed17e79e79a5ddf4213e509d009391d69c317b643b5f183b053

C:\Users\Admin\AppData\Local\Temp\Windows Program.exe
  Filesize: 356KB
  MD5: 470c1aaa600dfd81af4cfb23bee7490c
  SHA1: 17cc0969b22f293b9bab656da3c9e4e4f6a3dbd0
  SHA256: 438c6c0291603bd92a66731abcf32e478dc19093c1c0f3c75ee5117192913809
  SHA512: 9a9927ce72abab495474fcc153dc65fcbe15f46cd08e03e892f05b1ad2025d80301b40cf922fee9bbfb4cc2aeffe867a772bc381c1694289e13cf1fde591fbee

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thvdctmy.uo4.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\script.vbs
  Filesize: 1KB
  MD5: 77a4da4863ffcaba51ce05d3c632158d
  SHA1: 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
  SHA256: ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
  SHA512: ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

C:\Users\Admin\AppData\Local\Temp\windows registry.exe
  Filesize: 23KB
  MD5: 0e61e56cab42baa9ac421252c13809ed
  SHA1: f058e2efd1181d5285eef36fa2bae9658ccc20f9
  SHA256: 6f788d9f8b51ba8321f1837e02d10c5d94efc74c7be26f734c34a4d602b8d1bc
  SHA512: e5cd90240468d86f5230d1c9f7c355c32cdbf3b5a0c041914d009c8145d260f469f75cf28e2b307964c64b6c6255a6fc6e258b5bb6525b50824365227c38e624

Memory dumps (path, filesize)
  memory/1664-189-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/1664-264-0x0000000007750000-0x0000000007761000-memory.dmp  68KB
  memory/1664-262-0x00000000075C0000-0x00000000075CA000-memory.dmp  40KB
  memory/1760-252-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/2528-219-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/2608-251-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-302-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-307-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-306-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-305-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-304-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-303-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-22-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-301-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-300-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-293-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-299-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-297-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-296-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2608-294-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
  memory/2752-209-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/2804-229-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/2968-235-0x0000000008100000-0x000000000877A000-memory.dmp  6.5MB
  memory/2968-179-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/3100-268-0x00000000074E0000-0x00000000074E8000-memory.dmp  32KB
  memory/3100-265-0x00000000073F0000-0x00000000073FE000-memory.dmp  56KB
  memory/3100-169-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/3100-266-0x0000000007400000-0x0000000007414000-memory.dmp  80KB
  memory/3100-267-0x0000000007500000-0x000000000751A000-memory.dmp  104KB
  memory/3564-34-0x0000000005100000-0x0000000005136000-memory.dmp  216KB
  memory/3564-144-0x00000000066C0000-0x00000000066DE000-memory.dmp  120KB
  memory/3564-199-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/3564-35-0x00000000058A0000-0x0000000005EC8000-memory.dmp  6.2MB
  memory/3564-263-0x0000000007C80000-0x0000000007D16000-memory.dmp  600KB
  memory/3564-145-0x0000000006780000-0x00000000067CC000-memory.dmp  304KB
  memory/4228-146-0x0000000006EA0000-0x0000000006ED2000-memory.dmp  200KB
  memory/4228-147-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/4228-158-0x0000000006EE0000-0x0000000006F83000-memory.dmp  652KB
  memory/4228-157-0x0000000006210000-0x000000000622E000-memory.dmp  120KB
  memory/4256-25-0x0000000073880000-0x0000000073E31000-memory.dmp  5.7MB
  memory/4256-295-0x0000000073880000-0x0000000073E31000-memory.dmp  5.7MB
  memory/4256-24-0x0000000073882000-0x0000000073883000-memory.dmp  4KB
  memory/4256-27-0x0000000073880000-0x0000000073E31000-memory.dmp  5.7MB
  memory/4680-241-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/4732-236-0x0000000007520000-0x000000000753A000-memory.dmp  104KB
  memory/4732-49-0x0000000005B40000-0x0000000005E94000-memory.dmp  3.3MB
  memory/4732-159-0x000000006DFE0000-0x000000006E02C000-memory.dmp  304KB
  memory/4732-43-0x0000000005AD0000-0x0000000005B36000-memory.dmp  408KB
  memory/4732-41-0x0000000005330000-0x0000000005352000-memory.dmp  136KB
  memory/4732-42-0x0000000005A60000-0x0000000005AC6000-memory.dmp  408KB