7089a8179efa6c83ec6cac9f54648e85fb903e56a966c3a5874c5a95a81c3638

Analysis

max time kernel
229s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-08-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stealer tool + secret options/ADM Adrenaline Ultimate Edition.exe
Size

15.0MB
MD5

8f5a2b3154aba26acf5440fd3034326c
SHA1

b4d508ee783dc1f1a2cf9147cc1e5729470e773b
SHA256

fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
SHA512

01c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2
SSDEEP

393216:l2iLiU7VXd6AKprP7iJx4J20cQ3qpalJZfhxGWqIcckC:l2iNObp4x820AS7nj

Score

10^/10

bootkit discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1284	icacls.exe
1304	takeown.exe
2404	takeown.exe
1760	icacls.exe

Executes dropped EXE 4 IoCs

pid	Process
2408	mbr.exe
2456	jeffpopup.exe
1224	bobcreep.exe
764	gdifuncs.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1284	icacls.exe
1304	takeown.exe
2404	takeown.exe
1760	icacls.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	C:\windows\WinAttr.gci	gdifuncs.exe
File opened for modification	\??\c:\windows\WinAttr.gci	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bobcreep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdifuncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADM Adrenaline Ultimate Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeffpopup.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1500	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2488	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe
764	gdifuncs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	gdifuncs.exe
Token: SeDebugPrivilege	764	gdifuncs.exe
Token: SeTakeOwnershipPrivilege	1304	takeown.exe
Token: SeTakeOwnershipPrivilege	2404	takeown.exe
Token: SeDebugPrivilege	2488	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2456	jeffpopup.exe
1224	bobcreep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 980	484	ADM Adrenaline Ultimate Edition.exe	31
PID 484 wrote to memory of 980	484	ADM Adrenaline Ultimate Edition.exe	31
PID 484 wrote to memory of 980	484	ADM Adrenaline Ultimate Edition.exe	31
PID 484 wrote to memory of 980	484	ADM Adrenaline Ultimate Edition.exe	31
PID 980 wrote to memory of 2408	980	wscript.exe	32
PID 980 wrote to memory of 2408	980	wscript.exe	32
PID 980 wrote to memory of 2408	980	wscript.exe	32
PID 980 wrote to memory of 2408	980	wscript.exe	32
PID 980 wrote to memory of 2892	980	wscript.exe	33
PID 980 wrote to memory of 2892	980	wscript.exe	33
PID 980 wrote to memory of 2892	980	wscript.exe	33
PID 2892 wrote to memory of 2536	2892	cmd.exe	35
PID 2892 wrote to memory of 2536	2892	cmd.exe	35
PID 2892 wrote to memory of 2536	2892	cmd.exe	35
PID 2892 wrote to memory of 1776	2892	cmd.exe	36
PID 2892 wrote to memory of 1776	2892	cmd.exe	36
PID 2892 wrote to memory of 1776	2892	cmd.exe	36
PID 2892 wrote to memory of 1140	2892	cmd.exe	37
PID 2892 wrote to memory of 1140	2892	cmd.exe	37
PID 2892 wrote to memory of 1140	2892	cmd.exe	37
PID 2892 wrote to memory of 1536	2892	cmd.exe	38
PID 2892 wrote to memory of 1536	2892	cmd.exe	38
PID 2892 wrote to memory of 1536	2892	cmd.exe	38
PID 2892 wrote to memory of 1636	2892	cmd.exe	39
PID 2892 wrote to memory of 1636	2892	cmd.exe	39
PID 2892 wrote to memory of 1636	2892	cmd.exe	39
PID 2892 wrote to memory of 2404	2892	cmd.exe	40
PID 2892 wrote to memory of 2404	2892	cmd.exe	40
PID 2892 wrote to memory of 2404	2892	cmd.exe	40
PID 2892 wrote to memory of 1624	2892	cmd.exe	41
PID 2892 wrote to memory of 1624	2892	cmd.exe	41
PID 2892 wrote to memory of 1624	2892	cmd.exe	41
PID 2892 wrote to memory of 1780	2892	cmd.exe	42
PID 2892 wrote to memory of 1780	2892	cmd.exe	42
PID 2892 wrote to memory of 1780	2892	cmd.exe	42
PID 2892 wrote to memory of 1724	2892	cmd.exe	43
PID 2892 wrote to memory of 1724	2892	cmd.exe	43
PID 2892 wrote to memory of 1724	2892	cmd.exe	43
PID 2892 wrote to memory of 872	2892	cmd.exe	44
PID 2892 wrote to memory of 872	2892	cmd.exe	44
PID 2892 wrote to memory of 872	2892	cmd.exe	44
PID 2892 wrote to memory of 1284	2892	cmd.exe	45
PID 2892 wrote to memory of 1284	2892	cmd.exe	45
PID 2892 wrote to memory of 1284	2892	cmd.exe	45
PID 2892 wrote to memory of 324	2892	cmd.exe	46
PID 2892 wrote to memory of 324	2892	cmd.exe	46
PID 2892 wrote to memory of 324	2892	cmd.exe	46
PID 2892 wrote to memory of 3056	2892	cmd.exe	47
PID 2892 wrote to memory of 3056	2892	cmd.exe	47
PID 2892 wrote to memory of 3056	2892	cmd.exe	47
PID 2892 wrote to memory of 916	2892	cmd.exe	48
PID 2892 wrote to memory of 916	2892	cmd.exe	48
PID 2892 wrote to memory of 916	2892	cmd.exe	48
PID 2892 wrote to memory of 1680	2892	cmd.exe	49
PID 2892 wrote to memory of 1680	2892	cmd.exe	49
PID 2892 wrote to memory of 1680	2892	cmd.exe	49
PID 2892 wrote to memory of 304	2892	cmd.exe	50
PID 2892 wrote to memory of 304	2892	cmd.exe	50
PID 2892 wrote to memory of 304	2892	cmd.exe	50
PID 2892 wrote to memory of 784	2892	cmd.exe	51
PID 2892 wrote to memory of 784	2892	cmd.exe	51
PID 2892 wrote to memory of 784	2892	cmd.exe	51
PID 2892 wrote to memory of 2520	2892	cmd.exe	52
PID 2892 wrote to memory of 2520	2892	cmd.exe	52

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Users\Admin\AppData\Local\Temp\stealer tool + secret options\ADM Adrenaline Ultimate Edition.exe
"C:\Users\Admin\AppData\Local\Temp\stealer tool + secret options\ADM Adrenaline Ultimate Edition.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\E6E7.tmp\E6E8.vbs //Nologo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2408
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\tools.cmd" "
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2536
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1776
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1140
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1536
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1636
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2404
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1624
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1780
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1724
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:872
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1284
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:324
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3056
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:916
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1680
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:304
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:784
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2520
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:656
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1468
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1684
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1500
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1304
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:816
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2148
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1588
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:708
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1552
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2416
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2488
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2304
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2484
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2088
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:992
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1508
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2448
- - C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\jeffpopup.exe
    "C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\jeffpopup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\bobcreep.exe
    "C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\bobcreep.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\gdifuncs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:764
  - - C:\windows\SysWOW64\takeown.exe
      "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1304
  - - C:\windows\SysWOW64\icacls.exe
      "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:844
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f LogonUI.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls LogonUI.exe /granted "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1760
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "tobi0a0c.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\E6E7.tmp\E6E8.vbs

Filesize
2KB

MD5
a0679dce64fcf875f4208b823d4b85c0

SHA1
85abe3673db82bfe5b2c207dc98648e32afffea0

SHA256
85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1

SHA512
1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\bg.bmp

Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\bobcreep.exe

Filesize
92KB

MD5
219cd85d93a4ed65a481f353a3de5376

SHA1
a38ab77caf5417765d5595b2fcd859c6354bf079

SHA256
00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f

SHA512
367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\gdifuncs.exe

Filesize
5.0MB

MD5
c47c6a5111193af2c9337634b773d2d3

SHA1
036604921b67bbad60c7823482e5e6cb268ded14

SHA256
7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585

SHA512
56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\jeffpopup.exe

Filesize
780KB

MD5
4151b988c9d5c550ccb6c3b49bf551d4

SHA1
10ff979be4a5bbacaf208bdbb8236b940208eed1

SHA256
5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e

SHA512
c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\mainbgtheme.wav

Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\mbr.exe

Filesize
1.3MB

MD5
74be3afd732dc010c8266326cc32127b

SHA1
a91802c200f10c09ff9a0679c274bbe55ecb7b41

SHA256
03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c

SHA512
68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E6.tmp\tools.cmd

Filesize
2KB

MD5
288bebe9f904e6fabe4de67bd7897445

SHA1
0587ce2d936600a9eb142c6197fe12a0c3e8472f

SHA256
cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2

SHA512
7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c

Download Submit
C:\Users\Admin\Desktop\YOUDIED 5.txt

Filesize
74B

MD5
05d30a59150a996af1258cdc6f388684

SHA1
c773b24888976c889284365dd0b584f003141f38

SHA256
c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9

SHA512
2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

Download Submit
memory/764-241-0x0000000000BA0000-0x00000000010A2000-memory.dmp

Filesize
5.0MB

Download
memory/2408-221-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download