Analysis
max time kernel: 98s
max time network: 99s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-09-2024 09:32
Behavioral task: behavioral1
Sample: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Resource: win10v2004-20240802-en
General
Target: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Size: 1.1MB
MD5: fb684a3f9bbd6b74e432a7ce5fba272b
SHA1: 401906ba1767b901c4dfbeca1b786aceece5372a
SHA256: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87
SHA512: 2ba198fb88822d02b9586b847df42f82a58894c3a058bfc0de1b603da52470ec95cd8d37a34e8634bc225d0913891fec9bc498c49a314639768f10044b9192a2
SSDEEP: 24576:5j8B3KleK6hPJ06jLEVPeTUlDKqVoNkU2uGp7mDYqwQeQFAtVqK0rU:Nw3KLAPJrjQeADK6oNGuqCvkQitEY
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
Disables taskbar notifications via registry modification
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/memory/2312-0-0x0000000001300000-0x0000000001556000-memory.dmp | upx
behavioral1/memory/2312-51-0x0000000001300000-0x0000000001556000-memory.dmp | upx
behavioral1/memory/2312-55-0x0000000001300000-0x0000000001556000-memory.dmp | upx
behavioral1/memory/2312-58-0x0000000001300000-0x0000000001556000-memory.dmp | upx
behavioral1/memory/2312-62-0x0000000001300000-0x0000000001556000-memory.dmp | upx
behavioral1/memory/2312-83-0x0000000001300000-0x0000000001556000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\SysWOW64\\ctfmon.exe" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Zdel2023 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe /desktop2" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\j: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\o: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\q: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\s: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\x: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\b: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\g: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\m: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\w: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\y: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\e: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\i: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\l: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\n: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\p: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\r: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\u: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\v: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\a: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\k: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\z: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\h: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\t: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Indicator Removal: Clear Persistence 1 TTPs 9 IoCs
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
pid | Process
1768 | cmd.exe
1576 | cmd.exe
1772 | cmd.exe
2360 | cmd.exe
2300 | cmd.exe
3024 | cmd.exe
1752 | cmd.exe
652 | cmd.exe
1348 | cmd.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2312-51-0x0000000001300000-0x0000000001556000-memory.dmp | autoit_exe
behavioral1/memory/2312-55-0x0000000001300000-0x0000000001556000-memory.dmp | autoit_exe
behavioral1/memory/2312-58-0x0000000001300000-0x0000000001556000-memory.dmp | autoit_exe
behavioral1/memory/2312-62-0x0000000001300000-0x0000000001556000-memory.dmp | autoit_exe
behavioral1/memory/2312-83-0x0000000001300000-0x0000000001556000-memory.dmp | autoit_exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\bdpic.ico | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Windows\SysWOW64\bdpic.ico | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Windows\SysWOW64\Qdpd2881.dll | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Windows\SysWOW64\LeaveExit.log | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\CrashReports | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files (x86)\Google\Temp | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files (x86)\Google\Update | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files\Google | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files\Google\Chrome | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files (x86)\Google | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\First Home Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Download | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Modifies data under HKEY_USERS 10 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | regedit.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer\Main | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\Start Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Link = 00000000 | regedit.exe
Modifies registry class 11 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Briefcase\ShellNew | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ShellNew | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\ShellNew | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\ = "百度一下(&B)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\icon = "C:\\Windows\\SysWow64\\bdpic.ico" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\command\ = "explorer.exe http://bd.dh021.com" | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.contact\ShellNew | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA} | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Briefcase\ShellNew\Config | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\CompressedFolder\ShellNew | regedit.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Runs .reg file with regedit 2 IoCs
pid | Process
2780 | regedit.exe
2796 | regedit.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid | Process
2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
(the same pid and process for all 29 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 9223372037280448447 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 98784247808 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 881712054238600110 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 1 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 668812578586632 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 668812578586632 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 0 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 22518169988113640 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 9508468532794181284 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 120311734976 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 8589934608 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 34360703081 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 562640717056 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 47245033472 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 8377827322849394688 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 224766736795500884 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 4058968558 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 25769803776 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 98784247808 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 0 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 14025314684346074753 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Token: 9223372234849373667 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Suspicious use of FindShellTrayWindow 23 IoCs
pid | Process
2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
(the same pid and process for all 23 IoCs)
Suspicious use of SendNotifyMessage 23 IoCs
pid | Process
2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
(the same pid and process for all 23 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Each row below is recorded four times in the report (64 IoCs in total).
description | pid | Process | procid_target
PID 2312 wrote to memory of 2612 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 30
PID 2312 wrote to memory of 2976 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 32
PID 2612 wrote to memory of 2744 | 2612 | cmd.exe | 34
PID 2612 wrote to memory of 2772 | 2612 | cmd.exe | 35
PID 2976 wrote to memory of 2780 | 2976 | cmd.exe | 36
PID 2312 wrote to memory of 2932 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 37
PID 2312 wrote to memory of 2720 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 38
PID 2312 wrote to memory of 2600 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 40
PID 2312 wrote to memory of 1908 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 42
PID 2312 wrote to memory of 2684 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 44
PID 2312 wrote to memory of 3064 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 46
PID 2312 wrote to memory of 1724 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 49
PID 1724 wrote to memory of 2796 | 1724 | cmd.exe | 51
PID 2312 wrote to memory of 2852 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 52
PID 2312 wrote to memory of 2008 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 54
PID 2312 wrote to memory of 2128 | 2312 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe | 60
System policy modification 1 TTPs 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Processes (indented by process-tree depth; image path, then command line, then signatures)

C:\Users\Admin\AppData\Local\Temp\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
"C:\Users\Admin\AppData\Local\Temp\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2312

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c (echo interface set interface "WLAN" enabled && echo interface set interface "±¾µØÍøÂç" enabled && echo interface set interface "±¾µØÍøÂç 2" enabled && echo interface set interface "ÒÔÌ«Íø" enabled ) | netsh
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612

        C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ( echo interface set interface "WLAN" enabled && echo interface set interface "±¾µØÍøÂç" enabled && echo interface set interface "±¾µØÍøÂç 2" enabled && echo interface set interface "ÒÔÌ«Íø" enabled )"
        - System Location Discovery: System Language Discovery
        PID:2744

        C:\Windows\SysWOW64\netsh.exe
        netsh
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID:2772

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\baidu.reg
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976

        C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Users\Admin\AppData\Local\Temp\baidu.reg
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Runs .reg file with regedit
        PID:2780

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "%programfiles%\SysCeo";"%programfiles(x86)%\SysCeo"
    - System Location Discovery: System Language Discovery
    PID:2932

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /q /f "%systemroot%\Help\dcold.exe"
    - System Location Discovery: System Language Discovery
    PID:2720

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /q /f "%userprofile%\Desktop\Çý¶¯×ܲÃ.lnk";"%homedrive%\Users\Public\Desktop\Çý¶¯×ܲÃ.lnk"
    - System Location Discovery: System Language Discovery
    PID:2600

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /q /f "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Çý¶¯ÏÂÔØ.lnk"
    - System Location Discovery: System Language Discovery
    PID:1908

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Çý¶¯×ܲÃ"
    - System Location Discovery: System Language Discovery
    PID:2684

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Çý¶¯×ܲÃ2.0"
    - System Location Discovery: System Language Discovery
    PID:3064

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\Windows7_YH.REG
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1724

        C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Users\Admin\AppData\Local\Temp\Windows7_YH.REG
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Runs .reg file with regedit
        PID:2796

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt
    - System Location Discovery: System Language Discovery
    PID:2852

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\~DF946307F7E1CDAD29.TMP
    - System Location Discovery: System Language Discovery
    PID:2008

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\PVfxMILgMS\
    - System Location Discovery: System Language Discovery
    PID:2128

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\PVfxMILgMS\
    - System Location Discovery: System Language Discovery
    PID:3012

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\PVfxMILgMS\
    - System Location Discovery: System Language Discovery
    PID:1356

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Upgrade 2345Explorer Task" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:3024

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Upgrade 2345Explorer Task" /f
        - System Location Discovery: System Language Discovery
        PID:2036

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Execute 2345Pinyin MiniPage Task" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1768

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Execute 2345Pinyin MiniPage Task" /f
        - System Location Discovery: System Language Discovery
        PID:2536

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Pinyin_2345Upgrade Task" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:2300

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Pinyin_2345Upgrade Task" /f
        - System Location Discovery: System Language Discovery
        PID:976

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "KuGou Service Task Scheduler" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1348

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "KuGou Service Task Scheduler" /f
        - System Location Discovery: System Language Discovery
        PID:864

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "WpsUpdateTask_Administrator" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1576

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "WpsUpdateTask_Administrator" /f
        - System Location Discovery: System Language Discovery
        PID:1892

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Pic_2345Upgrade Task" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1772

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Pic_2345Upgrade Task" /f
        - System Location Discovery: System Language Discovery
        PID:3020

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "360ZipUpdater" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1752

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "360ZipUpdater" /f
        - System Location Discovery: System Language Discovery
        PID:2148

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "QQBrowser Updater Task" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:652

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "QQBrowser Updater Task" /f
        - System Location Discovery: System Language Discovery
        PID:1008

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /delete /tn "QQBrowser Updater Task(Core)" /f
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:2360

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "QQBrowser Updater Task(Core)" /f
        - System Location Discovery: System Language Discovery
        PID:1684

    C:\Windows\SysWOW64\ctfmon.exe
    C:\Windows\SysWOW64\ctfmon.exe
    - System Location Discovery: System Language Discovery
    PID:1496

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\Favorites\Links for United States
    - System Location Discovery: System Language Discovery
    PID:2728

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\Favorites\Microsoft Websites
    - System Location Discovery: System Language Discovery
    PID:2720

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\Favorites\MSN Websites
    - System Location Discovery: System Language Discovery
    PID:2680

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\Favorites\Windows Live
    - System Location Discovery: System Language Discovery
    PID:3064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
PID:1724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
PID:2452
MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique; counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (2)
  - Clear Persistence (1)
  - File Deletion (1)
- Modify Registry (6)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads