Malware Analysis Report

2024-09-11 03:32

Sample ID 240616-mtaflszgme
Target b31a379b337187128978e8971757239e_JaffaCakes118
SHA256 000ad60fb69e0b29422ff2f87b6baaa94d9554f7749c52e22535ee7f61fafe80
Tags
discovery evasion execution exploit ransomware upx
score
9/10

Analysis Overview

score
9/10

SHA256

000ad60fb69e0b29422ff2f87b6baaa94d9554f7749c52e22535ee7f61fafe80

Threat Level: Likely malicious

The file b31a379b337187128978e8971757239e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution exploit ransomware upx

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Stops running service(s)

Possible privilege escalation attempt

UPX packed file

Modifies file permissions

Checks BIOS information in registry

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates system info in registry

Runs net.exe

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 10:44

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 10:44

Reported

2024-06-16 10:45

Platform

win7-20240220-en

Max time kernel

26s

Max time network

28s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | N/A

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Stops running service(s)

evasion execution

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBS | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3068 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2624 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2624 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2428 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2428 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 3068 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2692 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2692 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3068 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2764 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2764 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3068 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 3068 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2588 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2588 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 3068 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 2420 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2680 wrote to memory of 2420 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2680 wrote to memory of 2420 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 3068 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 2440 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2432 wrote to memory of 2440 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2432 wrote to memory of 2440 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2440 wrote to memory of 2452 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2440 wrote to memory of 2452 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2440 wrote to memory of 2452 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3068 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe | C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe

"C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL"

C:\Windows\system32\taskkill.exe

taskkill /im hale.exe /f

C:\Windows\system32\cmd.exe

cmd.exe /A /C "attrib -r -a -s -h %SystemRoot%\system32\hale.exe 2>NUL>NUL"

C:\Windows\system32\attrib.exe

attrib -r -a -s -h C:\Windows\system32\hale.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\servicing\TrustedInstaller.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL"

C:\Windows\system32\bcdedit.exe

bcdedit.exe -set testsigning off

C:\Windows\system32\cmd.exe

cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"

C:\Windows\system32\sc.exe

sc config sppsvc start= delayed-auto

C:\Windows\system32\cmd.exe

cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL"

C:\Windows\system32\sc.exe

sc config sppuinotify start= demand

C:\Windows\system32\cmd.exe

cmd.exe /A /C "net start sppsvc 2>NUL>NUL"

C:\Windows\system32\net.exe

net start sppsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start sppsvc

C:\Windows\system32\cmd.exe

cmd.exe /A /C "net start sppuinotify 2>NUL>NUL"

C:\Windows\system32\net.exe

net start sppuinotify

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start sppuinotify

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\system32\slmgr.vbs -rilc 2>NUL>NUL"

C:\Windows\system32\cscript.exe

cscript.exe //nologo C:\Windows\system32\slmgr.vbs -rilc

C:\Windows\system32\cmd.exe

cmd.exe /A /C "sc stop uodin86 2>NUL>NUL"

C:\Windows\system32\sc.exe

sc stop uodin86

C:\Windows\system32\cmd.exe

cmd.exe /A /C "sc delete uodin86 2>NUL>NUL"

C:\Windows\system32\sc.exe

sc delete uodin86

C:\Windows\system32\cmd.exe

cmd.exe /A /C "sc stop uodin64 2>NUL>NUL"

C:\Windows\system32\sc.exe

sc stop uodin64

C:\Windows\system32\cmd.exe

cmd.exe /A /C "sc delete uodin64 2>NUL>NUL"

C:\Windows\system32\sc.exe

sc delete uodin64

C:\Windows\system32\cmd.exe

cmd.exe /A /C "net stop sppsvc 2>NUL>NUL"

C:\Windows\system32\net.exe

net stop sppsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sppsvc

C:\Windows\system32\cmd.exe

cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"

C:\Windows\system32\net.exe

net stop sppuinotify

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sppuinotify

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\drivers\uodin86.sys"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\drivers\uodin86.sys

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\drivers\uodin64.sys"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\drivers\uodin64.sys

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin64.sys /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slmgr.vbs"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\slmgr.vbs

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slmgr.vbs /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\user32.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\user32.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slwga.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\slwga.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\sppcomapi.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcomapi.dll sppcomapi.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcommdlg.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\sppcommdlg.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppuinotify.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\sppuinotify.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppuinotify.dll sppuinotify.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppwmi.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\sppwmi.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\systemcpl.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\systemcpl.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\systemcpl.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\systemcpl.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\systemcpl.dll systemcpl.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winlogon.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winlogon.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winver.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winver.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slui.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\slui.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\ntkrnlpa.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\ntoskrnl.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\Wat\*

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\slmgr.vbs"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\slmgr.vbs

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\user32.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\user32.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\slwga.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\slwga.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\sppcomapi.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcommdlg.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\sppcommdlg.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\sppcommdlg.dll sppcommdlg.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppuinotify.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\sppuinotify.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\sppuinotify.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\sppuinotify.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\sppwmi.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\sppwmi.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\sppwmi.dll sppwmi.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\systemcpl.dll

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\winlogon.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\winlogon.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\winver.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\winver.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\slui.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\slui.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\slui.exe slui.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntkrnlpa.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\ntkrnlpa.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\ntoskrnl.exe

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\ntoskrnl.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\ntoskrnl.exe ntoskrnl.exe.izuaf"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\Wat\*

C:\Windows\system32\cmd.exe

cmd.exe /A /C "icacls %SystemRoot%\system32\Wat\* /grant *S-1-1-0:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL"

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\HAL7600 /f

C:\Windows\system32\cmd.exe

cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL"

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Chew7 /f

C:\Windows\system32\cmd.exe

cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL"

C:\Windows\system32\reg.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f

C:\Windows\system32\cmd.exe

cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f

C:\Windows\system32\cmd.exe

cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f 2>NUL>NUL"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f

C:\Windows\system32\cmd.exe

cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL"

C:\Windows\system32\net.exe

NET START "Windows Modules Installer"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 START "Windows Modules Installer"

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\slmgr.vbs

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\slmgr.vbs

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\user32.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\user32.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\slwga.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\slwga.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\sppcomapi.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\sppcomapi.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\sppcommdlg.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\sppcommdlg.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\sppuinotify.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\sppuinotify.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\sppwmi.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\sppwmi.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\systemcpl.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\systemcpl.dll

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\winlogon.exe

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\winlogon.exe

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\winver.exe

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\winver.exe

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\slui.exe

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\slui.exe

C:\Windows\System32\sfc.exe

/scannow

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\ntoskrnl

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\SysWOW64\ntkrnlpa

C:\Windows\System32\sfc.exe

/scanfile=C:\Windows\System32\ntoskrnl

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\system32\*.izuaf *."

C:\Windows\system32\cmd.exe

cmd.exe /A /C "ren %SystemRoot%\SysWOW64\*.izuaf *."

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "shutdown -r -t 0"

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/3068-0-0x0000000000400000-0x000000000058A000-memory.dmp

memory/3068-9-0x00000000005C0000-0x00000000005D0000-memory.dmp

memory/3068-17-0x00000000003B0000-0x00000000003EF000-memory.dmp

memory/3068-1-0x0000000010000000-0x0000000010011000-memory.dmp

memory/2180-20-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2920-21-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1732-22-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2960-23-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1628-24-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2704-25-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2604-26-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1720-27-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2564-28-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2616-29-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2936-30-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2668-31-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2952-32-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2456-33-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2580-34-0x0000000077180000-0x000000007727A000-memory.dmp

memory/3068-35-0x0000000000400000-0x000000000058A000-memory.dmp

memory/2444-37-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2908-38-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2468-40-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2588-39-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2680-41-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2432-42-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1916-43-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2876-44-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1448-45-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1368-46-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2396-47-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1124-48-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1596-49-0x0000000077180000-0x000000007727A000-memory.dmp

memory/892-50-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1588-51-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2600-52-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2168-53-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1336-54-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1580-56-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1224-55-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2224-57-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1484-58-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2348-60-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1804-59-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2860-61-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2136-62-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1600-63-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1888-64-0x0000000077180000-0x000000007727A000-memory.dmp

memory/2340-65-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1216-66-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1236-67-0x0000000077180000-0x000000007727A000-memory.dmp

memory/1240-68-0x0000000077180000-0x000000007727A000-memory.dmp

memory/3068-110-0x0000000000400000-0x000000000058A000-memory.dmp

memory/3068-112-0x0000000000400000-0x000000000058A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 10:44

Reported

2024-06-16 10:47

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe

"C:\Users\Admin\AppData\Local\Temp\WAT Fix.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/4740-0-0x0000000000400000-0x000000000058A000-memory.dmp

memory/4740-1-0x0000000002350000-0x000000000238F000-memory.dmp

memory/4740-2-0x0000000010000000-0x0000000010011000-memory.dmp

memory/4740-10-0x0000000000A80000-0x0000000000A90000-memory.dmp

memory/4740-18-0x0000000000400000-0x000000000058A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 10:44

Reported

2024-06-16 10:47

Platform

win7-20240508-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

Network

N/A

Files

memory/2408-0-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2408-14-0x0000000000890000-0x00000000008A2000-memory.dmp

memory/2408-54-0x0000000000A00000-0x0000000000A20000-memory.dmp

memory/2408-62-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2408-46-0x00000000009F0000-0x0000000000A00000-memory.dmp

memory/2408-38-0x00000000008D0000-0x00000000008E0000-memory.dmp

memory/2408-30-0x00000000008B0000-0x00000000008C1000-memory.dmp

memory/2408-22-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2408-9-0x00000000007F0000-0x0000000000800000-memory.dmp

memory/2408-1-0x00000000007D0000-0x00000000007E3000-memory.dmp

memory/2408-64-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2408-65-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2408-66-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2408-67-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2408-68-0x0000000000400000-0x0000000000623000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 10:44

Reported

2024-06-16 10:47

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

Network

Files

memory/1816-0-0x0000000000400000-0x0000000000623000-memory.dmp

memory/1816-1-0x0000000002480000-0x0000000002493000-memory.dmp

memory/1816-54-0x00000000024F0000-0x0000000002510000-memory.dmp

memory/1816-46-0x00000000024E0000-0x00000000024F0000-memory.dmp

memory/1816-62-0x0000000002650000-0x00000000027F3000-memory.dmp

memory/1816-38-0x0000000002460000-0x0000000002470000-memory.dmp

memory/1816-30-0x00000000024C0000-0x00000000024D1000-memory.dmp

memory/1816-22-0x0000000010000000-0x0000000010021000-memory.dmp

memory/1816-14-0x00000000024A0000-0x00000000024B2000-memory.dmp

memory/1816-9-0x0000000002410000-0x0000000002420000-memory.dmp

memory/1816-63-0x0000000000400000-0x0000000000623000-memory.dmp