11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OHT1k0.exe
Size

13.7MB
MD5

deeb1ac61b724f2298efedccc11e550f
SHA1

46aa7dd63305dbce00f8949991ffb23f18abdfc2
SHA256

85b2e9865d7382519e64d6c8f4c828b9fcf384d8db988af14ba172fb3704c857
SHA512

0300b978bb01ea09b66577558a810276a5d18a3643ed3dc322d4ed17043da7e49db64d2bfbbee38a33b37924262fbe3d0c5de4bc2de63e688b6ecd24467eef58
SSDEEP

393216:tiGxXoBUjMI4XFCyhJmM1WJ1ckpXeeKeKapRCe:tim3jP4wyjvUckh3K2RCe

Score

7^/10

bootkit defense_evasion persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	OHT1k0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	H40Z.exe

Deletes itself 1 IoCs

pid	Process
4012	H40Z.exe

Executes dropped EXE 2 IoCs

pid	Process
4012	H40Z.exe
2252	H40Z.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	OHT1k0.exe
File opened for modification	\??\PhysicalDrive0	H40Z.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3728	OHT1k0.exe
3728	OHT1k0.exe
4012	H40Z.exe
4012	H40Z.exe
2252	H40Z.exe
2252	H40Z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
3576	timeout.exe
4512	timeout.exe
2892	timeout.exe
3244	timeout.exe
1404	timeout.exe
4440	timeout.exe
3640	timeout.exe
3756	timeout.exe
3048	timeout.exe
2092	timeout.exe
684	timeout.exe
2004	timeout.exe
1248	timeout.exe
4364	timeout.exe
4988	timeout.exe
2152	timeout.exe
4376	timeout.exe
4052	timeout.exe
1724	timeout.exe
760	timeout.exe
3976	timeout.exe
4064	timeout.exe
624	timeout.exe
968	timeout.exe
4052	timeout.exe
868	timeout.exe
664	timeout.exe
4456	timeout.exe
4276	timeout.exe
4040	timeout.exe
1516	timeout.exe
1656	timeout.exe
2120	timeout.exe
3656	timeout.exe
1964	timeout.exe
3148	timeout.exe
3668	timeout.exe
3504	timeout.exe
2988	timeout.exe
640	timeout.exe
3716	timeout.exe
636	timeout.exe
1248	timeout.exe
2496	timeout.exe
3676	timeout.exe
2216	timeout.exe
2396	timeout.exe
2752	timeout.exe
4028	timeout.exe
2000	timeout.exe
1724	timeout.exe
1076	timeout.exe
3460	timeout.exe
3900	timeout.exe
4112	timeout.exe
4384	timeout.exe
1108	timeout.exe
4616	timeout.exe
3816	timeout.exe
4620	timeout.exe
4648	timeout.exe
4604	timeout.exe
4484	timeout.exe
4624	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	H40Z.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3728	OHT1k0.exe
4012	H40Z.exe
2252	H40Z.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
3728	OHT1k0.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
3092	powershell.exe
3092	powershell.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe
4012	H40Z.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4012	H40Z.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3728	OHT1k0.exe
4012	H40Z.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2252	H40Z.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4012	3728	OHT1k0.exe	88
PID 3728 wrote to memory of 4012	3728	OHT1k0.exe	88
PID 4012 wrote to memory of 1532	4012	H40Z.exe	89
PID 4012 wrote to memory of 1532	4012	H40Z.exe	89
PID 4012 wrote to memory of 3092	4012	H40Z.exe	90
PID 4012 wrote to memory of 3092	4012	H40Z.exe	90
PID 1532 wrote to memory of 1404	1532	cmd.exe	93
PID 1532 wrote to memory of 1404	1532	cmd.exe	93
PID 4012 wrote to memory of 4604	4012	H40Z.exe	94
PID 4012 wrote to memory of 4604	4012	H40Z.exe	94
PID 4604 wrote to memory of 4736	4604	cmd.exe	96
PID 4604 wrote to memory of 4736	4604	cmd.exe	96
PID 4604 wrote to memory of 2848	4604	cmd.exe	97
PID 4604 wrote to memory of 2848	4604	cmd.exe	97
PID 1532 wrote to memory of 968	1532	cmd.exe	98
PID 1532 wrote to memory of 968	1532	cmd.exe	98
PID 1532 wrote to memory of 4384	1532	cmd.exe	99
PID 1532 wrote to memory of 4384	1532	cmd.exe	99
PID 1532 wrote to memory of 2120	1532	cmd.exe	100
PID 1532 wrote to memory of 2120	1532	cmd.exe	100
PID 1532 wrote to memory of 5076	1532	cmd.exe	101
PID 1532 wrote to memory of 5076	1532	cmd.exe	101
PID 1532 wrote to memory of 1248	1532	cmd.exe	103
PID 1532 wrote to memory of 1248	1532	cmd.exe	103
PID 1532 wrote to memory of 4364	1532	cmd.exe	106
PID 1532 wrote to memory of 4364	1532	cmd.exe	106
PID 1532 wrote to memory of 4456	1532	cmd.exe	107
PID 1532 wrote to memory of 4456	1532	cmd.exe	107
PID 1532 wrote to memory of 4052	1532	cmd.exe	108
PID 1532 wrote to memory of 4052	1532	cmd.exe	108
PID 1532 wrote to memory of 2216	1532	cmd.exe	110
PID 1532 wrote to memory of 2216	1532	cmd.exe	110
PID 1532 wrote to memory of 2396	1532	cmd.exe	112
PID 1532 wrote to memory of 2396	1532	cmd.exe	112
PID 1532 wrote to memory of 1724	1532	cmd.exe	113
PID 1532 wrote to memory of 1724	1532	cmd.exe	113
PID 1532 wrote to memory of 4440	1532	cmd.exe	114
PID 1532 wrote to memory of 4440	1532	cmd.exe	114
PID 1532 wrote to memory of 3816	1532	cmd.exe	115
PID 1532 wrote to memory of 3816	1532	cmd.exe	115
PID 1532 wrote to memory of 4276	1532	cmd.exe	116
PID 1532 wrote to memory of 4276	1532	cmd.exe	116
PID 1532 wrote to memory of 760	1532	cmd.exe	117
PID 1532 wrote to memory of 760	1532	cmd.exe	117
PID 1532 wrote to memory of 2752	1532	cmd.exe	118
PID 1532 wrote to memory of 2752	1532	cmd.exe	118
PID 1532 wrote to memory of 3656	1532	cmd.exe	119
PID 1532 wrote to memory of 3656	1532	cmd.exe	119
PID 1532 wrote to memory of 640	1532	cmd.exe	120
PID 1532 wrote to memory of 640	1532	cmd.exe	120
PID 1532 wrote to memory of 868	1532	cmd.exe	121
PID 1532 wrote to memory of 868	1532	cmd.exe	121
PID 1532 wrote to memory of 3668	1532	cmd.exe	122
PID 1532 wrote to memory of 3668	1532	cmd.exe	122
PID 1532 wrote to memory of 1964	1532	cmd.exe	123
PID 1532 wrote to memory of 1964	1532	cmd.exe	123
PID 1532 wrote to memory of 4028	1532	cmd.exe	124
PID 1532 wrote to memory of 4028	1532	cmd.exe	124
PID 1532 wrote to memory of 664	1532	cmd.exe	125
PID 1532 wrote to memory of 664	1532	cmd.exe	125
PID 1532 wrote to memory of 4988	1532	cmd.exe	126
PID 1532 wrote to memory of 4988	1532	cmd.exe	126
PID 1532 wrote to memory of 3640	1532	cmd.exe	127
PID 1532 wrote to memory of 3640	1532	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\OHT1k0.exe
"C:\Users\Admin\AppData\Local\Temp\OHT1k0.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\H40Z.exe
  C:\Users\Admin\AppData\Local\Temp\H40Z.exe -asec -upd -rmf=433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f4f4854316b302e657865
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /k "(for /L %n in () do (if exist "C:\Users\Admin\AppData\Local\Temp\H40Z.exe" (del /f "C:\Users\Admin\AppData\Local\Temp\H40Z.exe" && timeout /t 2 /nobreak >nul) else (exit)))"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1404
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:968
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4384
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2120
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:5076
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1248
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4364
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4456
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4052
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2216
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2396
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1724
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4440
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3816
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4276
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:760
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2752
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3656
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:640
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:868
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3668
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1964
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4028
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:664
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4988
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3640
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3756
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1108
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3504
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4620
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3148
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2152
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4624
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1076
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4648
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4604
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2988
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3976
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3716
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4040
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4064
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2000
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4616
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4376
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1516
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3460
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:4980
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4484
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3576
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1248
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:636
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2092
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:684
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1656
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3900
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4512
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:624
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2004
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3048
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4052
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2892
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:232
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3244
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1724
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4112
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2496
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:4924
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3676
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:1616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "while ($true) { if (Test-Path 'C:\Users\Admin\AppData\Local\Temp\H40Z.exe') { Remove-Item -Force 'C:\Users\Admin\AppData\Local\Temp\H40Z.exe'; Start-Sleep -Seconds 2 } else { exit } }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3092
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /k "(reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Users\Admin\AppData\Local\Temp\H40Z.exe" >nul 2>&1 || reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\Hfref\Nqzva\NccQngn\Ybpny\Grzc\U40M.rkr" >nul 2>&1) && (for /L %n in () do (tasklist | find "4012" >nul && timeout /t 5 /nobreak >nul || (timeout /t 8 /nobreak >nul & reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Users\Admin\AppData\Local\Temp\H40Z.exe" /f >nul 2>&1 & reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\Hfref\Nqzva\NccQngn\Ybpny\Grzc\U40M.rkr" /f >nul 2>&1 & exit))) || exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Users\Admin\AppData\Local\Temp\H40Z.exe"
      4⤵
      PID:4736
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\Hfref\Nqzva\NccQngn\Ybpny\Grzc\U40M.rkr"
      4⤵
      PID:2848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\loMfkeb08UrS\H40Z.exe
"C:\Users\Admin\AppData\Local\Temp\loMfkeb08UrS\H40Z.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
79d269e973fc80891bc4b0ddb9b0b51f

SHA1
2920d80daef10d16445bdac822bfb0f83439de59

SHA256
e68169e24da6f511ad91f2893f1298b7b9f7d1003da064b1e94124c68e4a2475

SHA512
f0f435c8ac673436a3b720c5c596c46a071c342d2b34184c37688206c6a151eb90b817ad70ad32b7fac3ec1bf4ef1ba3502476dd2b8117a9071b02df21687aed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
fb6226cb878963c5fd83d3658a809624

SHA1
0eb9828769420917190e11619e797e2d666f497c

SHA256
850b4e2d71692667e30e8f7d7142a661ab8c207804f80eab0eb75f6b6354cc34

SHA512
8240bd567b0cdd0e8ca0e13102c8899882820e986f05f75f34c3abbf2a946eb88be5c4a5a8690cebf7845b687cdceff55712cd3a0bd4782f1e5ac480dd63e56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\H40Z.exe

Filesize
15.0MB

MD5
e751efac04e0a992c11cd2caab9bbcb0

SHA1
188c727a77f2de65e0e07cad1ce1ff4e1315bc13

SHA256
27f396e6abd2077f40b9c47d77f01f7796def10d16f7b5f058cc1f3ee791f3b4

SHA512
f41e25113762fccf76d28c246dd8f73693659189f66e9e366a82f88d5647a3061b5058b59dcdc86667ad116b4a48170a68e5c7f1bf8b2910c5557c2f326e33a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjlnhvqe.baz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3092-388-0x000002196A6A0000-0x000002196A6C2000-memory.dmp

Filesize
136KB

Download
memory/3728-41-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-64-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3728-38-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-16-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-37-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-63-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3728-62-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3728-61-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3728-60-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3728-59-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-58-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3728-56-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3728-55-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3728-54-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3728-53-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3728-52-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3728-51-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3728-50-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3728-48-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-47-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-46-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-45-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-44-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-43-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-36-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-1-0x0000000140000000-0x0000000143726000-memory.dmp

Filesize
55.1MB

Download
memory/3728-40-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-39-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-7-0x0000000003160000-0x00000000035A2000-memory.dmp

Filesize
4.3MB

Download
memory/3728-9-0x00000000035B0000-0x00000000037B2000-memory.dmp

Filesize
2.0MB

Download
memory/3728-42-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-35-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-34-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-33-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-32-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3728-30-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-29-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-28-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-27-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-26-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-25-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-24-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-23-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-22-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-21-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-20-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-19-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-18-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-17-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-15-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-14-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-13-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-2-0x00000001427B1000-0x000000014297B000-memory.dmp

Filesize
1.8MB

Download
memory/3728-0-0x00007FF90AE30000-0x00007FF90AE32000-memory.dmp

Filesize
8KB

Download
memory/3728-12-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-11-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3728-366-0x00000001427B1000-0x000000014297B000-memory.dmp

Filesize
1.8MB

Download
memory/3728-367-0x0000000140000000-0x0000000143726000-memory.dmp

Filesize
55.1MB

Download