Overview (score 10)
Static (score 10)
Behavioral tasks (sample, platform, score):
- Venom-Rat-...0.html | windows7-x64 | 1
- Venom-Rat-...0.html | windows10-2004-x64 | 1
- Venom-Rat-...0.html | windows7-x64 | 1
- Venom-Rat-...0.html | windows10-2004-x64 | 1
- Venom-Rat-...il.dll | windows7-x64 | 1
- Venom-Rat-...il.dll | windows10-2004-x64 | 1
- Venom-Rat-...at.dll | windows7-x64 | 1
- Venom-Rat-...at.dll | windows10-2004-x64 | 1
- Venom-Rat-...me.dll | windows7-x64 | 1
- Venom-Rat-...me.dll | windows10-2004-x64 | 1
- Venom-Rat-...ed.exe | windows7-x64 | 8
- Venom-Rat-...ed.exe | windows10-2004-x64 | 8
- Majid Z Hacker.exe | windows7-x64 | 8
- Majid Z Hacker.exe | windows10-2004-x64 | 8
- Majid Z Hacker.exe | windows7-x64 | 10
- Majid Z Hacker.exe | windows10-2004-x64 | 10
- Windows Program.exe | windows7-x64 | 7
- Windows Program.exe | windows10-2004-x64 | 7
- script.vbs | windows7-x64 | 10
- script.vbs | windows10-2004-x64 | 10
- windows registry.exe | windows7-x64 | 10
- windows registry.exe | windows10-2004-x64 | 10
- firewall.exe | windows7-x64 | 8
- firewall.exe | windows10-2004-x64 | (no score shown)
- Venom Cracked.exe | windows7-x64 | 1
- Venom Cracked.exe | windows10-2004-x64 | 1
- Venom-Rat-...er.exe | windows7-x64 | 1
- Venom-Rat-...er.exe | windows10-2004-x64 | 1
- Venom-Rat-...ed.exe | windows7-x64 | 10
- Venom-Rat-...ed.exe | windows10-2004-x64 | 10
- Majid Z Ha...te.exe | windows7-x64 | 10
- Majid Z Ha...te.exe | windows10-2004-x64 | 10
Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 12:30
Behavioral tasks (task: sample, resource)
- behavioral1: Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html (win7-20240221-en)
- behavioral2: Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html (win10v2004-20240508-en)
- behavioral3: Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html (win7-20240221-en)
- behavioral4: Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html (win10v2004-20240508-en)
- behavioral5: Venom-Rat-Cracked--main/Mono.Cecil.dll (win7-20240221-en)
- behavioral6: Venom-Rat-Cracked--main/Mono.Cecil.dll (win10v2004-20240426-en)
- behavioral7: Venom-Rat-Cracked--main/Mono.Nat.dll (win7-20240221-en)
- behavioral8: Venom-Rat-Cracked--main/Mono.Nat.dll (win10v2004-20240508-en)
- behavioral9: Venom-Rat-Cracked--main/VelyseTheme.dll (win7-20231129-en)
- behavioral10: Venom-Rat-Cracked--main/VelyseTheme.dll (win10v2004-20240508-en)
- behavioral11: Venom-Rat-Cracked--main/Venom Activated Cracked.exe (win7-20240215-en)
- behavioral12: Venom-Rat-Cracked--main/Venom Activated Cracked.exe (win10v2004-20240508-en)
- behavioral13: Majid Z Hacker.exe (win7-20240220-en)
- behavioral14: Majid Z Hacker.exe (win10v2004-20240508-en)
- behavioral15: Majid Z Hacker.exe (win7-20240508-en)
- behavioral16: Majid Z Hacker.exe (win10v2004-20240508-en)
- behavioral17: Windows Program.exe (win7-20240221-en)
- behavioral18: Windows Program.exe (win10v2004-20240426-en)
- behavioral19: script.vbs (win7-20240508-en)
- behavioral20: script.vbs (win10v2004-20240426-en)
- behavioral21: windows registry.exe (win7-20240508-en)
- behavioral22: windows registry.exe (win10v2004-20240508-en)
- behavioral23: firewall.exe (win7-20240419-en)
- behavioral24: firewall.exe (win10v2004-20240426-en)
- behavioral25: Venom Cracked.exe (win7-20240221-en)
- behavioral26: Venom Cracked.exe (win10v2004-20240426-en)
- behavioral27: Venom-Rat-Cracked--main/Venom Binder.exe (win7-20240221-en)
- behavioral28: Venom-Rat-Cracked--main/Venom Binder.exe (win10v2004-20240508-en)
- behavioral29: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe (win7-20240221-en)
- behavioral30: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe (win10v2004-20240426-en)
- behavioral31: Majid Z Hacker Website.exe (win7-20240508-en)
- behavioral32: Majid Z Hacker Website.exe (win10v2004-20240508-en)
General
- Target: Majid Z Hacker Website.exe
- Size: 127KB
- MD5: b4d0b69f3c391acca7128a66abd480f7
- SHA1: 8ccac1861f4c544c51a5c7d4a0fb32796ab30488
- SHA256: 349b87c3ebd55cab9daa375c468b62be416063af859a16bed78cf4bd06fb5c07
- SHA512: 9578df157aafc7740e12952d1abba08fa9e032fc73073e1787fffb7e24ce6963d98d7bdd4539297be0123626efdfccb63c7dea411d82ceef7bf6197ff2806ff1
- SSDEEP: 3072:iqRaMrUwmuvDWLcg0CmHmFXfy57jQtMrpGIXFb177dWVqu:inx1FWmxf87UIXpl7dWVR
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Matched resource (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\script.vbs | disable_win_def
Processes: WScript.exe
- WScript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- WScript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- WScript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- WScript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
- pid 752: netsh.exe
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Majid Z Hacker Website.exe, WScript.exe, WScript.exe, windows.exe, microsoft corporation.exe
- Majid Z Hacker Website.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- windows.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- microsoft corporation.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
-
Drops startup file 4 IoCs
Processes: windows.exe, microsoft corporation.exe
- windows.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe
- windows.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe
- microsoft corporation.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe
- microsoft corporation.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe
-
Executes dropped EXE 4 IoCs
Processes: microsoft corporation.exe, windows.exe, windows.exe, microsoft corporation.exe
- pid 3860: microsoft corporation.exe
- pid 3760: windows.exe
- pid 3640: windows.exe
- pid 3240: microsoft corporation.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: windows.exe, microsoft corporation.exe, windows.exe
- windows.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe"
- windows.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe"
- microsoft corporation.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .."
- microsoft corporation.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .."
- windows.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe"
- windows.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe"
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: windows.exe
- windows.exe: File created C:\autorun.inf
- windows.exe: File opened for modification C:\autorun.inf
- windows.exe: File created F:\autorun.inf
- windows.exe: File opened for modification F:\autorun.inf
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: Majid Z Hacker Website.exe
- Majid Z Hacker Website.exe: Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: powershell.exe (11 instances), microsoft corporation.exe
Entries by pid (process, number of entries):
- 4028 powershell.exe (4)
- 2368 powershell.exe (3)
- 1080 powershell.exe (3)
- 3684 powershell.exe (3)
- 4508 powershell.exe (3)
- 5104 powershell.exe (3)
- 2736 powershell.exe (3)
- 4620 powershell.exe (3)
- 3272 powershell.exe (3)
- 4228 powershell.exe (3)
- 5112 powershell.exe (3)
- 3860 microsoft corporation.exe (2)
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes: powershell.exe (11 instances), microsoft corporation.exe, microsoft corporation.exe
- Token: SeDebugPrivilege | 1080 powershell.exe
- Token: SeDebugPrivilege | 4028 powershell.exe
- Token: SeDebugPrivilege | 2368 powershell.exe
- Token: SeDebugPrivilege | 3684 powershell.exe
- Token: SeDebugPrivilege | 5104 powershell.exe
- Token: SeDebugPrivilege | 4508 powershell.exe
- Token: SeDebugPrivilege | 4228 powershell.exe
- Token: SeDebugPrivilege | 2736 powershell.exe
- Token: SeDebugPrivilege | 4620 powershell.exe
- Token: SeDebugPrivilege | 3272 powershell.exe
- Token: SeDebugPrivilege | 5112 powershell.exe
- Token: SeDebugPrivilege | 3860 microsoft corporation.exe
- Token: SeDebugPrivilege | 3240 microsoft corporation.exe
- Token: 33 | 3240 microsoft corporation.exe, followed by Token: SeIncBasePriorityPrivilege | 3240 microsoft corporation.exe (this pair of entries repeats 25 times, 50 entries in total)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: windows.exe, windows.exe
- pid 3760: windows.exe
- pid 3640: windows.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: windows.exe, windows.exe
- pid 3760: windows.exe
- pid 3640: windows.exe
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes: Majid Z Hacker Website.exe, WScript.exe, WScript.exe, windows.exe, microsoft corporation.exe, microsoft corporation.exe
Entries as "PID <source> wrote to memory of <target>" (source process -> target process, number of entries):
- 1616 Majid Z Hacker Website.exe -> 3860 microsoft corporation.exe (3)
- 1616 Majid Z Hacker Website.exe -> 3760 windows.exe (2)
- 1616 Majid Z Hacker Website.exe -> 436 WScript.exe (3)
- 436 WScript.exe -> 1572 WScript.exe (3)
- 1572 WScript.exe -> 1080 powershell.exe (3)
- 1572 WScript.exe -> 4028 powershell.exe (3)
- 1572 WScript.exe -> 2368 powershell.exe (3)
- 1572 WScript.exe -> 3684 powershell.exe (3)
- 1572 WScript.exe -> 5104 powershell.exe (3)
- 1572 WScript.exe -> 2736 powershell.exe (3)
- 1572 WScript.exe -> 4228 powershell.exe (3)
- 1572 WScript.exe -> 4508 powershell.exe (3)
- 1572 WScript.exe -> 4620 powershell.exe (3)
- 1572 WScript.exe -> 3272 powershell.exe (3)
- 1572 WScript.exe -> 5112 powershell.exe (3)
- 3760 windows.exe -> 3640 windows.exe (2)
- 3860 microsoft corporation.exe -> 3240 microsoft corporation.exe (3)
- 3240 microsoft corporation.exe -> 752 netsh.exe (3)
Processes (process tree; nesting shows parent/child, each entry gives the image path, the command line, and the signatures triggered)
- C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
  command: "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
    command: "C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\microsoft corporation.exe
      command: "C:\ProgramData\microsoft corporation.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        command: netsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE
        - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\windows.exe
    command: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe
      command: "C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WScript.exe
    command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      command: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
      - Modifies Windows Defender Real-time Protection settings
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13; number in parentheses is the count shown for each technique)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\windows.exe.log
  Filesize: 860B
  MD5: c2dda6a07b935260fea374312f09cc1e
  SHA1: a0af418e7dc2b37f7b7712f1f866b6a8fb425f0a
  SHA256: e514619232e5f2a698f3e9bccdcff8b511ec262c562dc42926d00860bee769b4
  SHA512: 7268d562f3c33ea05cd772e5c05d3819d7c6c42bf5bc33649c8c70d5a9fd3f9110aea4c8c8ebf7383525a480fc0fc4f92a65746ef267329e3806480410b05100
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 5905cb0e406e0e34449a81bcdc9731d1
  SHA1: 578b42f61f8b1bca40cacd8dc25a1f62648ae4ac
  SHA256: 8ec71e1dbf609709ab530ec6778ce1c47b6814a7ee081db81969ed68fb3ea7a9
  SHA512: f220af1635cfefb61742c2ecdec22debb87b494d2d6f9f720f7cf0f3cf29919bc336f838e41b963f69ae85361a49960370550ff968a81d72224fa4428c242cec
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 4522f098f6db1933f417365e18363e39
  SHA1: eeb2c0c4227c3505c88f28961feebc75e74bda27
  SHA256: ced1a391ec68da29459dd4e9dc62b3534a37ec3c235e0753c4139fccd9a2751f
  SHA512: 5497f7feba87fc4a05df5bc7c9fc604fab12f2731c9e6da2461f0d49134f64da6b607c8791b17c112aa84fc8cb85fdc49856217568c382af000075920bc31826
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 8848bcccbfd0c7a301ce895f25d09838
  SHA1: b8045cf49df7f6aea86fd5a6e7bc57bca722706f
  SHA256: 81df5c3e36a7cd874ae9a09f31de01a748cc6d9897e0375471d75f992bf91987
  SHA512: f179e7291d2aad739a7e4d665aaec508252229a6d08490ef3c5be672721ad0c8187f399ea9f804ffd37a4b3e42d3a052e9da3ff439d368a46f0fcf1f5372420f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 73dd75799de2b342a1df2dfc6a54319b
  SHA1: d8b2bbf143aa4e783cac26f0733e958bd0ee22a6
  SHA256: 360748c5136395ae45195c8c1b756bf56aa09a928c12870c41d06e52d2ddfde3
  SHA512: 8ec1d0858624a5bf6db6aee06ad1acdd850333990414497c4c88483090b67a35d9d53afd693ec1dd1966adaa09638f93f5a7a8faa5516ef1b44ffdd0975c1298
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: a123815f5b1ac24f83a6429a0877b435
  SHA1: 4d2ea47ee5022e7d5861688ad4e0791807f46db2
  SHA256: af7d1785013f2778adf581b2f6e4f17a9cdfee6b3242ef2c2e1b71cceaedda60
  SHA512: bb590cbd632eb8ef7ee83b2388bb6721c5f79088c6e03e6cb45553ba3bed38823623ef9df99da3e0b50fd1e60192173a9c34b9507b052f6dc98ca697b2e89f00
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlc4ihxe.x4x.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\melt.txt
  Filesize: 45B
  MD5: c65dda57254957c2ad83b548c55b42a5
  SHA1: d88daf5dd37726325a30a3078c254128f5579f85
  SHA256: adae127291a1d4f70e9ff1258044a01d95176fd9bb2c303ab94f3e62db429a44
  SHA512: d74c977dd16046f024a6b012322dcfd0380fcc58a5db5e96d350852723bc1404d49a67d6185210711a24b9aeb94974212f4e056590e0742937821a459ba628b6
- C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
  Filesize: 33KB
  MD5: 23fb3146d1455b890afdbd9511b48351
  SHA1: 9e0118366167c76de2d88fb354606d5e58677eb7
  SHA256: 58c8e3599d16762dfc51decf16c3d014cd8c8dd1aab59a0acff5372c5182bda7
  SHA512: 92a816b16f854cb19a28a9bd186223dd3f7961800b6486b32be1f270b26a0240c0f68ebe0f6c555b72f0e3388f3aa1a061fad50c0b09aaec1af9de1185fc8cf4
- C:\Users\Admin\AppData\Local\Temp\script.vbs
  Filesize: 1KB
  MD5: 77a4da4863ffcaba51ce05d3c632158d
  SHA1: 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
  SHA256: ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
  SHA512: ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf
- C:\Users\Admin\AppData\Local\Temp\windows.exe
  Filesize: 145KB
  MD5: aa4ba7df205e6f0dc8d847ab3c3681c2
  SHA1: bb8c96c2f736f1d5f1923fc3b20f53b890b98e46
  SHA256: 59a0bd599e306457164b08b7fe23bbf4fe92b202beaad836d6faa28da61073ca
  SHA512: 0f8f57de1251e3102d1db2c72ed7c3f7cc1d12c3ce561a275d4d280944f77952970464c553da3ce6ce88e9462033818ed186e83eba1b8853d16d28bcc7140450
Memory dumps (file, Filesize):
- memory/1080-179-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/1080-156-0x0000000006120000-0x000000000616C000-memory.dmp | 304KB
- memory/1080-151-0x0000000006050000-0x000000000606E000-memory.dmp | 120KB
- memory/1080-209-0x00000000072E0000-0x0000000007383000-memory.dmp | 652KB
- memory/1080-36-0x0000000005250000-0x0000000005272000-memory.dmp | 136KB
- memory/1080-37-0x0000000005A30000-0x0000000005A96000-memory.dmp | 408KB
- memory/1080-38-0x0000000005AA0000-0x0000000005B06000-memory.dmp | 408KB
- memory/1080-40-0x0000000005B10000-0x0000000005E64000-memory.dmp | 3.3MB
- memory/2368-286-0x0000000007E40000-0x0000000007E4E000-memory.dmp | 56KB
- memory/2368-287-0x0000000007E50000-0x0000000007E64000-memory.dmp | 80KB
- memory/2368-288-0x0000000007F50000-0x0000000007F6A000-memory.dmp | 104KB
- memory/2368-34-0x0000000002FC0000-0x0000000002FF6000-memory.dmp | 216KB
- memory/2368-289-0x0000000007F30000-0x0000000007F38000-memory.dmp | 32KB
- memory/2368-189-0x0000000006E40000-0x0000000006E5E000-memory.dmp | 120KB
- memory/2368-169-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/2368-168-0x0000000007AC0000-0x0000000007AF2000-memory.dmp | 200KB
- memory/2736-255-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/3272-276-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/3684-254-0x00000000077C0000-0x0000000007856000-memory.dmp | 600KB
- memory/3684-232-0x0000000007520000-0x000000000753A000-memory.dmp | 104KB
- memory/3684-275-0x0000000007740000-0x0000000007751000-memory.dmp | 68KB
- memory/3684-210-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/3684-233-0x0000000004F70000-0x0000000004F7A000-memory.dmp | 40KB
- memory/3760-30-0x000000001C9F0000-0x000000001CA8C000-memory.dmp | 624KB
- memory/3760-27-0x00000000017A0000-0x00000000017B0000-memory.dmp | 64KB
- memory/3760-25-0x000000001BDB0000-0x000000001BE56000-memory.dmp | 664KB
- memory/3760-28-0x00007FFE7BCB5000-0x00007FFE7BCB6000-memory.dmp | 4KB
- memory/3760-145-0x00007FFE7BA00000-0x00007FFE7C3A1000-memory.dmp | 9.6MB
- memory/3760-29-0x000000001C480000-0x000000001C94E000-memory.dmp | 4.8MB
- memory/3760-31-0x00007FFE7BA00000-0x00007FFE7C3A1000-memory.dmp | 9.6MB
- memory/3760-39-0x000000001DCF0000-0x000000001DFFE000-memory.dmp | 3.1MB
- memory/3760-32-0x000000001BE60000-0x000000001BE68000-memory.dmp | 32KB
- memory/3760-33-0x000000001CBF0000-0x000000001CC3C000-memory.dmp | 304KB
- memory/3860-167-0x0000000074020000-0x00000000745D1000-memory.dmp | 5.7MB
- memory/3860-26-0x0000000074020000-0x00000000745D1000-memory.dmp | 5.7MB
- memory/3860-23-0x0000000074020000-0x00000000745D1000-memory.dmp | 5.7MB
- memory/3860-20-0x0000000074022000-0x0000000074023000-memory.dmp | 4KB
- memory/4028-211-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/4028-35-0x00000000057D0000-0x0000000005DF8000-memory.dmp | 6.2MB
- memory/4228-234-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/4508-199-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/4620-244-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/5104-231-0x0000000007C30000-0x00000000082AA000-memory.dmp | 6.5MB
- memory/5104-190-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB
- memory/5112-265-0x0000000073E80000-0x0000000073ECC000-memory.dmp | 304KB