Analysis
-
max time kernel
61s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2024 22:50
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/acastillorobles77/MalwareDatabase/tree/master/Windows
Resource
win10v2004-20240802-en
General
-
Target
https://github.com/acastillorobles77/MalwareDatabase/tree/master/Windows
Malware Config
Signatures
-
Processes:
wscript.exewscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
Blocklisted process makes network request 8 IoCs
Processes:
wscript.exewscript.exeflow pid Process 77 3312 wscript.exe 78 3312 wscript.exe 80 3312 wscript.exe 83 3312 wscript.exe 85 3312 wscript.exe 89 3432 wscript.exe 95 3312 wscript.exe 100 3432 wscript.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
explorer.exeexplorer.exeexplorer.exeexplorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Possible privilege escalation attempt 8 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid Process 4700 takeown.exe 1760 icacls.exe 984 takeown.exe 1620 icacls.exe 4232 takeown.exe 3572 icacls.exe 2164 takeown.exe 4812 icacls.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exewscript.exewscript.exeWScript.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation WScript.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
Processes:
reg.exedescription ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power reg.exe -
Modifies file permissions 1 TTPs 8 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exepid Process 4812 icacls.exe 4700 takeown.exe 1760 icacls.exe 984 takeown.exe 1620 icacls.exe 4232 takeown.exe 3572 icacls.exe 2164 takeown.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
wscript.exewscript.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" wscript.exe -
Processes:
wscript.exewscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exeexplorer.exeexplorer.exeexplorer.exedescription ioc Process File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
wscript.exewscript.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg" wscript.exe -
Drops file in Windows directory 2 IoCs
Processes:
wscript.exewscript.exedescription ioc Process File opened for modification C:\Windows\System32 wscript.exe File opened for modification C:\Windows\System32 wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
explorer.exeexplorer.exeexplorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid Process 5088 taskkill.exe 2444 taskkill.exe -
Modifies Control Panel 8 IoCs
Processes:
wscript.exewscript.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Bolbi" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Bolbi" wscript.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Bolbi" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Bolbi" wscript.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop wscript.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop wscript.exe -
Processes:
SearchApp.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies registry class 64 IoCs
Processes:
cmd.exeexplorer.exeStartMenuExperienceHost.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.execmd.exeStartMenuExperienceHost.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{1691AEDE-7926-494B-84A7-A395CB4254D8} explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pif cmd.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "dllfile" cmd.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.scr cmd.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\MuiCache SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{B253EDCC-2926-4839-B080-C6EEA0F04E8A} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "exefile" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "exefile" cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.scr cmd.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "dllfile" cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{89EF5951-1C37-4E1F-BAEE-32F7403136F9} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "dllfile" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "dllfile" cmd.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk cmd.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{6EE76766-A351-42A0-988C-F911CF4C5C63} explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exepid Process 3700 msedge.exe 3700 msedge.exe 1600 msedge.exe 1600 msedge.exe 2472 identity_helper.exe 2472 identity_helper.exe 1236 msedge.exe 1236 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exeexplorer.exepid Process 4924 explorer.exe 1680 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
msedge.exepid Process 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exetakeown.exeexplorer.exetakeown.exetaskkill.exeexplorer.exetakeown.exeexplorer.exedescription pid Process Token: SeDebugPrivilege 5088 taskkill.exe Token: SeTakeOwnershipPrivilege 2164 takeown.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeCreatePagefilePrivilege 1292 explorer.exe Token: SeTakeOwnershipPrivilege 4700 takeown.exe Token: SeDebugPrivilege 2444 taskkill.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeTakeOwnershipPrivilege 4232 takeown.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 4924 explorer.exe Token: SeCreatePagefilePrivilege 4924 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe Token: SeCreatePagefilePrivilege 1680 explorer.exe Token: SeShutdownPrivilege 1680 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exeexplorer.exeexplorer.exepid Process 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exeexplorer.exeexplorer.exeexplorer.exepid Process 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1600 msedge.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 4924 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe 1680 explorer.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
StartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exepid Process 4940 StartMenuExperienceHost.exe 3488 StartMenuExperienceHost.exe 3400 StartMenuExperienceHost.exe 2388 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid Process procid_target PID 1600 wrote to memory of 1856 1600 msedge.exe 82 PID 1600 wrote to memory of 1856 1600 msedge.exe 82 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3804 1600 msedge.exe 83 PID 1600 wrote to memory of 3700 1600 msedge.exe 84 PID 1600 wrote to memory of 3700 1600 msedge.exe 84 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 PID 1600 wrote to memory of 2640 1600 msedge.exe 85 -
System policy modification 1 TTPs 44 IoCs
Processes:
wscript.exewscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" wscript.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/acastillorobles77/MalwareDatabase/tree/master/Windows1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb150c46f8,0x7ffb150c4708,0x7ffb150c47182⤵PID:1856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:22⤵PID:3804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:2640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:2944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵PID:1468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:82⤵PID:528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:82⤵PID:4860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵PID:1532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1252
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1808
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:116
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs"1⤵
- Checks computer location settings
PID:3052 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs" /elevated2⤵
- UAC bypass
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
PID:3432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat3⤵
- Modifies registry class
PID:4472 -
C:\Windows\System32\rundll32.exeC:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters4⤵PID:3436
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f4⤵PID:3144
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f4⤵PID:2980
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\explorer.exeexplorer.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4924
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:984
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /Grant Users:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1620
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4232
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\ /Grant Users:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3572
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs"1⤵
- Checks computer location settings
PID:1508 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs" /elevated2⤵
- UAC bypass
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
PID:3312 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat3⤵
- Modifies registry class
PID:4320 -
C:\Windows\System32\rundll32.exeC:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters4⤵PID:756
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f4⤵
- Impair Defenses: Safe Mode Boot
PID:2612
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f4⤵PID:1336
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
-
C:\Windows\explorer.exeexplorer.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /Grant Users:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4812
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\ /Grant Users:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1760
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4940
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3488
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1680
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3400
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2388
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:3832
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3928
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4800
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:3436
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2184
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4964
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4036
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4900
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:208
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3612
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Public\ghostroot\Message.vbs explorer.exe1⤵PID:3912
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize471B
MD500cd62d1c71f7cebc93821164f916e82
SHA1c6ef1580c902900947355be0fc19d24a1d9647da
SHA256b320f01682d14a9614da0691aee664c132abedf6e666189b3e53ca58e2247afb
SHA51280a0135269b76328d95257502b2524867a0f302e961560b164d8cacab397af248d772508050f80de4c99787abf4fa4838015e0d486adbfbe8171aae4d37b61bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize420B
MD581b367accc8c5ed128132d4147c6a0c8
SHA1affc93d7d401e097740faf79dbd614a615fa0d3c
SHA2563d91eeee86ee95c772af9fc8199436b34fe0b5a207df2c66839555159b18f2a4
SHA512bba198b8b0a690a5da2f0d0eca3c524d2fbed158c84e7a793b910c468e8f833899cdf4b01e6840790427ba9c7c814c65e9560d7ca87a51d6b39855855982b2bc
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0060f07d-b90e-4b8d-b4c6-60e12219d538.tmp
Filesize6KB
MD57a4338e803c2e7c2f815a0bd44eb2b59
SHA15ca7c2bc5fc14c6e4f5d4db0e08c74ef6c7c4710
SHA256c2b06f685c726bc3ffd725d1f4679006fd6ed5dba710a0fe98cedb08ada777aa
SHA51283b7e4aa9f2303ea72971d7aba7f4360b64e1e236b3d0bea83b0638c339d8230bd644effd49a1d561e16965200ef9e5d3a5a9112b8469561d870539a825a6572
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5b03e2e0b060f87e98607f8e4c6616f7a
SHA1e50f1180acf93a9501fde9bc03fe2a47309fb7a7
SHA256f85d2567055d1fca59c00c6cb42c14a497b2f61821a1121ae595d38c66cee29a
SHA512d02c6d7c07a3d02acb98405d525367595d70861140379e077ad13b4984f8ee78402e8267b8701e48ee41de10e835d32029106ba121b4bfc46caec9fecac19ba5
-
Filesize
579B
MD5ed5f4213c17629776cd75510648fc019
SHA1ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9
SHA256e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87
SHA51271bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627
-
Filesize
5KB
MD57ce4d344c103254f65cd2ab26984f848
SHA13cb88af0f891195903b3b7d2f273b219494b0599
SHA2562f6be1dcfad18ca392213aa719fad7d6419190946f21b133d613b8a0f9a6012b
SHA512fd423ab708c2e8974d05f708231f2fff783e4bb13c93d57e764792fe6863eda77ca39bcc7a30408d0460a0eadac28db96ebedf221e90f6654fd1ba40a637a59f
-
Filesize
6KB
MD556865692170bc3be6e372779042f9ea0
SHA1453c10d2545aa9d2f899fefce5bf7c0a8e2ba527
SHA25659d0ba38dcd371adafcc115e7896a34aa58b66a20ce1f898e6d3d58838be5219
SHA5127af7dd844e4f247fd1e1d93a46634c696a3df542b63ff79ebab381c56e56f55edd04d300ab0c4754c23e34d79bd57a02de8ceebbb5bc06b73278651611e0d9d4
-
Filesize
1KB
MD5b31bd7369c63b819d0aacf13832a5cfc
SHA14844480bea7b6331e200e1f01f51d1449a584c96
SHA2565e71c9a892541a3594d4b50da7b5c3efe1085439d107a5aba16ae0d2a46bd53e
SHA512f0a7525ad4bea95f9179f24dbece1a6ccc94716ef94211a60b276731c470ac7adc915a758b269b48c306a5465459b5dd1848258097b9b35862be206365dc63ba
-
Filesize
874B
MD5c97d64142973348aca0af8c5d14fd87c
SHA19fcc0617774a007f2cba29833de6e1f312fa9a5e
SHA256c471dd77bc0fa0645c5468de16d6420efbcf00b6d1f01bb14c437ccaa6f9ee4d
SHA512be67187b8bafff08061ea628e2cb84a712f6a984c70682eccc419747be36c56965fd9efa51e79103ae5ad436fb47a1656d50a184e6d997ffd5f1061799de1097
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD558b2c4288323e60ef5502b9e27a2f719
SHA1dcf71352e249be57b5d230513466856707c86ad7
SHA256f282e87ebca8faa4bb691f04cd674646ce910275084061c3f5833e240950b005
SHA5128cf1487166380180b11e9fa7a43bebce8e794735c5538a8ff1b2982aca0f29db586d144a5065ecb33d7d1cec0018e1931ca55a8c57baf9415f02b80214cd7fda
-
Filesize
10KB
MD5f9204b9d8e7ab34c7d117c6ce7f6fff3
SHA1ce0a15ffe41a63bc1da222bf631a5ffbb5585e51
SHA256edf331dcf7c622664553d5d167c93e12e5f22c7523ecfdd1b39b9c0e743c09fd
SHA5128daf1b81ebdf3cedc409775190205cf646262a549c82b61b2318409f716b55b723227ba321fca2c8e8e31635c02e209613fc66703bf0d14ff385973c6519d9ec
-
Filesize
59KB
MD51e8cd861c7919b862a9c47abae3dcce3
SHA14d44512ae2da33a9355463231184bbbfdc4396f2
SHA256cba3db7504d0b98a3bc5bebc7d4479360f4535378a9ee113c2269811d0a8d6d9
SHA512ee06887355aeff3fe2865bcde6050d8d139668e78bb352a6a0f32b36446887dab78e50a88c0762e3b3d36dd3288546a6283e2f19a7873f01733666046be60e48
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize2KB
MD5d3b4e81a8be26565b0b54bc6b0d5689d
SHA1f0eb4ad6b62efc1bd61fb10c918b1a559b2e534b
SHA256c27cc2a2315ab6a0bb80acd660e7b1a91ff4551b4c5c2ec4dd3031e259af2c18
SHA512035f06851fcd4a7c6c6728f17b573519bf2f54c75900e75d54e48e89cf8e89d55aa3efeaa59d9127293876972b4b37ffd5ccdd6cb09d147a51a747c4128dc91b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\IHOCIHIW\microsoft.windows[1].xml
Filesize96B
MD510447c28373b986c3dce4e7f2156814c
SHA103a482fa42dea8871c350394101b11f341ef6762
SHA256376615a0b4dac87295162c3d924e67e4bf0dd77e02af1264c1520f22ec5378d8
SHA5124fab536505b12b462254a2cfad102fabf29161a25f824de2b0201265c406f6a14b13049767bb2a6afff5ffe5e7703be0b7906a1740fea3d0dc2d6d8c13459abd
-
Filesize
29B
MD5b37ed35ef479e43f406429bc36e68ec4
SHA15e3ec88d9d13d136af28dea0d3c2529f5b6e3b82
SHA256cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c
SHA512d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7
-
Filesize
46KB
MD599ec3237394257cb0b5c24affe458f48
SHA15300e68423da9712280e601b51622c4b567a23a4
SHA256ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51
SHA512af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb
-
Filesize
482B
MD54f08159f1d70d41bf975e23230033a0f
SHA1ea88d6fbdcf218e0e04a650d947250d8a3dfad40
SHA256d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e
SHA512958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a
-
Filesize
462B
MD5de41c9172365499ef98449023dd75699
SHA1f2a94f1ac182d9ecb0a3b3fc8e45540a9a46fb3e
SHA25667a66e2e73c7543b0ccc82a4f6892fb4669aa476cb654d3c597609ec16d1943e
SHA512335804bdbe623244b97eb687906808ad508ca6358457cfee89bb5b8cdbbee5399e38d71ed7c808b89f070671c52fa403c33adbd20871e6dd2e9ff079bd54076f
-
Filesize
55B
MD5302e08c86880a39ca55f21cabfa7c5de
SHA158d56c0eb14fc0401cda7c48d6df9d23f6e9b7e3
SHA25665cfb12baaa6f5891bcd7fda727933a4a12f6dbfa9a6717549eacc6dee9436c7
SHA5129aac68a57cea3d00b956ff82ce443600a969dbc3e4eb2b7b12902f70e318c7dbbf7378b375dd28c0d3be0a0515c5c69d4dd5610d5778f22c4e33765d704f8ff7
-
Filesize
19KB
MD558f48ec723d2b7e8d23ccdc9861250d7
SHA1d1e892ad5053506a1afdf24f5ab74eaf1c820e90
SHA256fc70c3dd4eee7bdda51f4a9af9e28292a1647e37d7d012aba5b01171d30077d4
SHA51264a05b98b50b99d03d84339465dfa830c396c77e42e2b3ba34592bc3efcdc258c5fcfd999ef4796d16657d2fd249a60a8b6e08ea4e246b51c17350f8f2ff9404
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e