b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510

Analysis

max time kernel
77s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
Size

2.1MB
MD5

7846bac09fcd1f8aa00a0f2158f2f2b0
SHA1

3ecb42a880c4afba0bfc7c903bdfde9699b1c848
SHA256

b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510
SHA512

9fff0c83e3e672573484cda242d5298350e647479a018bd4468242510267e561a0cd59346e5be75229e6e509eb409790627e48a7c8981d192e5d074052c97c5c
SSDEEP

49152:zvGF72mgjLUNUUU2xOqrA+GAxHX7n7V2WJxa0pDRoOw3AZEHtQMTf:zvICH8NM2MUf30WJwulZMA0mMTf

Score

10^/10

discovery evasion execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\winlogon.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\System.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsass.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Windows\\addins\\spoolsv.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\winlogon.exe\", \"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Windows\\addins\\spoolsv.exe\", \"C:\\comFontReview\\HyperBlockserverdriver.exe\""	HyperBlockserverdriver.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	360	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	360	schtasks.exe	37

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1680	powershell.exe
764	powershell.exe
996	powershell.exe
1728	powershell.exe
2452	powershell.exe
1268	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
2648	Injector.exe
2704	Nova Macro.exe
2956	HyperBlockserverdriver.exe
2572	HyperBlockserverdriver.exe

Loads dropped DLL 4 IoCs

pid	Process
2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
2576	cmd.exe
2576	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\winlogon.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\System.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperBlockserverdriver = "\"C:\\comFontReview\\HyperBlockserverdriver.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\winlogon.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\System.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsass.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\lsass.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\addins\\spoolsv.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\addins\\spoolsv.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HyperBlockserverdriver = "\"C:\\comFontReview\\HyperBlockserverdriver.exe\""	HyperBlockserverdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\53190a62-69f6-11ef-9f57-62cb582c238c\\smss.exe\""	HyperBlockserverdriver.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB6F7A97425734C1A9DF4AAD6A5EC3A8.TMP	csc.exe
File created	\??\c:\Windows\System32\se6s8b.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\addins\spoolsv.exe	HyperBlockserverdriver.exe
File opened for modification	C:\Windows\addins\spoolsv.exe	HyperBlockserverdriver.exe
File created	C:\Windows\addins\f3b6ecef712a24	HyperBlockserverdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nova Macro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2820	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2632	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2820	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2100	schtasks.exe
2220	schtasks.exe
1796	schtasks.exe
1688	schtasks.exe
1592	schtasks.exe
2968	schtasks.exe
568	schtasks.exe
788	schtasks.exe
872	schtasks.exe
1156	schtasks.exe
3048	schtasks.exe
1380	schtasks.exe
1084	schtasks.exe
2408	schtasks.exe
2060	schtasks.exe
1384	schtasks.exe
2184	schtasks.exe
336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe
2956	HyperBlockserverdriver.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	Injector.exe
Token: SeDebugPrivilege	2956	HyperBlockserverdriver.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2572	HyperBlockserverdriver.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2648	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	30
PID 2148 wrote to memory of 2648	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	30
PID 2148 wrote to memory of 2648	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	30
PID 2148 wrote to memory of 2648	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	30
PID 2148 wrote to memory of 2704	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	31
PID 2148 wrote to memory of 2704	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	31
PID 2148 wrote to memory of 2704	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	31
PID 2148 wrote to memory of 2704	2148	b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe	31
PID 2704 wrote to memory of 2828	2704	Nova Macro.exe	32
PID 2704 wrote to memory of 2828	2704	Nova Macro.exe	32
PID 2704 wrote to memory of 2828	2704	Nova Macro.exe	32
PID 2704 wrote to memory of 2828	2704	Nova Macro.exe	32
PID 2828 wrote to memory of 2576	2828	WScript.exe	33
PID 2828 wrote to memory of 2576	2828	WScript.exe	33
PID 2828 wrote to memory of 2576	2828	WScript.exe	33
PID 2828 wrote to memory of 2576	2828	WScript.exe	33
PID 2576 wrote to memory of 2632	2576	cmd.exe	35
PID 2576 wrote to memory of 2632	2576	cmd.exe	35
PID 2576 wrote to memory of 2632	2576	cmd.exe	35
PID 2576 wrote to memory of 2632	2576	cmd.exe	35
PID 2576 wrote to memory of 2956	2576	cmd.exe	36
PID 2576 wrote to memory of 2956	2576	cmd.exe	36
PID 2576 wrote to memory of 2956	2576	cmd.exe	36
PID 2576 wrote to memory of 2956	2576	cmd.exe	36
PID 2956 wrote to memory of 1656	2956	HyperBlockserverdriver.exe	41
PID 2956 wrote to memory of 1656	2956	HyperBlockserverdriver.exe	41
PID 2956 wrote to memory of 1656	2956	HyperBlockserverdriver.exe	41
PID 1656 wrote to memory of 2216	1656	csc.exe	43
PID 1656 wrote to memory of 2216	1656	csc.exe	43
PID 1656 wrote to memory of 2216	1656	csc.exe	43
PID 2956 wrote to memory of 1680	2956	HyperBlockserverdriver.exe	59
PID 2956 wrote to memory of 1680	2956	HyperBlockserverdriver.exe	59
PID 2956 wrote to memory of 1680	2956	HyperBlockserverdriver.exe	59
PID 2956 wrote to memory of 764	2956	HyperBlockserverdriver.exe	60
PID 2956 wrote to memory of 764	2956	HyperBlockserverdriver.exe	60
PID 2956 wrote to memory of 764	2956	HyperBlockserverdriver.exe	60
PID 2956 wrote to memory of 996	2956	HyperBlockserverdriver.exe	61
PID 2956 wrote to memory of 996	2956	HyperBlockserverdriver.exe	61
PID 2956 wrote to memory of 996	2956	HyperBlockserverdriver.exe	61
PID 2956 wrote to memory of 1728	2956	HyperBlockserverdriver.exe	62
PID 2956 wrote to memory of 1728	2956	HyperBlockserverdriver.exe	62
PID 2956 wrote to memory of 1728	2956	HyperBlockserverdriver.exe	62
PID 2956 wrote to memory of 2452	2956	HyperBlockserverdriver.exe	63
PID 2956 wrote to memory of 2452	2956	HyperBlockserverdriver.exe	63
PID 2956 wrote to memory of 2452	2956	HyperBlockserverdriver.exe	63
PID 2956 wrote to memory of 1268	2956	HyperBlockserverdriver.exe	64
PID 2956 wrote to memory of 1268	2956	HyperBlockserverdriver.exe	64
PID 2956 wrote to memory of 1268	2956	HyperBlockserverdriver.exe	64
PID 2956 wrote to memory of 1612	2956	HyperBlockserverdriver.exe	71
PID 2956 wrote to memory of 1612	2956	HyperBlockserverdriver.exe	71
PID 2956 wrote to memory of 1612	2956	HyperBlockserverdriver.exe	71
PID 1612 wrote to memory of 2768	1612	cmd.exe	73
PID 1612 wrote to memory of 2768	1612	cmd.exe	73
PID 1612 wrote to memory of 2768	1612	cmd.exe	73
PID 1612 wrote to memory of 2820	1612	cmd.exe	74
PID 1612 wrote to memory of 2820	1612	cmd.exe	74
PID 1612 wrote to memory of 2820	1612	cmd.exe	74
PID 1612 wrote to memory of 2572	1612	cmd.exe	75
PID 1612 wrote to memory of 2572	1612	cmd.exe	75
PID 1612 wrote to memory of 2572	1612	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe
"C:\Users\Admin\AppData\Local\Temp\b55628770517145bc846b092889e6d96d8bc7c82c5e3704d53ee693101bfe510.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\Nova Macro.exe
  "C:\Users\Admin\AppData\Local\Temp\Nova Macro.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comFontReview\pDpwbgC2n534IANqb9lIDALTNScTRw1GBAFWj2ApKGvsZHWtLodVpG.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\comFontReview\iUOjS1Og3UipXS4E1ruQAsS9xlrCAkx7Mb2JhpVQwjLu4pYgOUiTjhny.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2632
    - - C:\comFontReview\HyperBlockserverdriver.exe
        
        "C:\comFontReview/HyperBlockserverdriver.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2zekf01\l2zekf01.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE36C.tmp" "c:\Windows\System32\CSCB6F7A97425734C1A9DF4AAD6A5EC3A8.TMP"
        7⤵
        
        PID:2216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comFontReview\HyperBlockserverdriver.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uPa26nKEOD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\comFontReview\HyperBlockserverdriver.exe
        
        "C:\comFontReview\HyperBlockserverdriver.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperBlockserverdriverH" /sc MINUTE /mo 6 /tr "'C:\comFontReview\HyperBlockserverdriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperBlockserverdriver" /sc ONLOGON /tr "'C:\comFontReview\HyperBlockserverdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperBlockserverdriverH" /sc MINUTE /mo 13 /tr "'C:\comFontReview\HyperBlockserverdriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE36C.tmp

Filesize
1KB

MD5
6e4fbe706fcafa5cd3254f5e458edb5c

SHA1
ef6068044882eb4f37112f7453c106d2de64c6d7

SHA256
8041fd9a368954c607560f26c710e043d8b277d75ccecd3b2c9b4c2e0c2bbd4b

SHA512
bd202485f2c647796b0c7f9d3d39cb78ac94fc7888d3f07917590e6cbf026be120534c305cdb410337f96444448a17aa210f0f09059e5c4d4c8b8c7fd5ebbb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\uPa26nKEOD.bat

Filesize
171B

MD5
55fe6f39c2625265a0190667ccaf2ee7

SHA1
7eb86d2cb481d70478186a7facbd67f06f2a99d2

SHA256
307c9a460f78594f25b7bf0932ca5fa46865cfe58c4b4409a6b1d94fbece94dc

SHA512
3e4c87260c5b59b2281e37574183b63a6750a9b2813d103af3e67a5c93d9fbe2844202d60ea9ef5e3a72cb8fb8461c0cc4e8bcecf947638f61e2d53493fc9725

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6fd665eb043bf89550e0730daf5e52ce

SHA1
5794fbe922b89aefeff8ee11bef0322567620e26

SHA256
f1af4c92e066315fd60a146ab4f96755dcdbda81ce51eea005d772e13d9f69cc

SHA512
7789a7cd125ceded6250117946e66073c70e764d0db1304378d6fe6283851d8602069a8f5c13a58ac74ee1affdec4ae903b6eb2c513b9f0f0d2c0cfe10da9770

Download Submit
C:\comFontReview\iUOjS1Og3UipXS4E1ruQAsS9xlrCAkx7Mb2JhpVQwjLu4pYgOUiTjhny.bat

Filesize
206B

MD5
18f0cf86410a6a1a3636765ac694fd11

SHA1
5d3d6ad05e884f1a89a7c9594eb7a1bdda528b76

SHA256
13fd3ef4d744e2dc48d109825a2c9c20202f312bfe91ea109878511a3056e2e2

SHA512
e2de3b7ff094cd887e62ec63df113145719c125c57bbffa2704e0f794e06580d859ae0a988af15d7aa224d1fcb8fcc64273b38b72c106c2d6c26e412484641af

Download Submit
C:\comFontReview\pDpwbgC2n534IANqb9lIDALTNScTRw1GBAFWj2ApKGvsZHWtLodVpG.vbe

Filesize
248B

MD5
86f80d9922a0bd0a56debc6660a43742

SHA1
78dd265b26ab0c6fba286a45f6a4e88e26f87324

SHA256
99412fe1b4aef78865c6a58f17ca45e1feb975a825a3692fadf7858960e67430

SHA512
ac590b74c6e302f35a814565bbd1f7513bc9cbaa18a0df8a316371e307eecfe27d55b36334a1434b64b4264f2ba0e4279d4480f458f04230ecdc1404fc87a82d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2zekf01\l2zekf01.0.cs

Filesize
389B

MD5
b46fbd977f02e4567431592720ee4d2e

SHA1
6e736afa97f95d7ff7c08f3cff90f91e9ab205e3

SHA256
bb7f453202710047628971888954083e4ad48c7c8c0edc69e529ab416cb69996

SHA512
5deb4c25c6c2d7665bf8a142a32ad94cf396b513e6a66679dd46615a480e5ef42c75f814de3d3a6eb47210a8f1633d3e0ed55363f4eee1092060b91b17de0a91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2zekf01\l2zekf01.cmdline

Filesize
235B

MD5
021a1d06d19cf752a1c519aadd004715

SHA1
09b9ce5f73b9cc2e27edb9ca855671f3cfc97f5f

SHA256
44917f26cd6d97bc387dc8fdb015d4306c54aa6d65920f02a6bc064b328c888f

SHA512
80378d1a3491a96152ddf5a604ac35926942b7561e699428ec966f0a1a7d84aa8cd8a6255bda8a0273f3cc6d840b456a77c1391b137f09d996f84dede96479ca

Download Submit
\??\c:\Windows\System32\CSCB6F7A97425734C1A9DF4AAD6A5EC3A8.TMP

Filesize
1KB

MD5
5140e68cf918fa33b25b58e398ed5f96

SHA1
684cad676ae206d2b97ac9bcb73a9aceb98364ff

SHA256
49b21daa362f8f342c11fb58f281bf9360517ba405109045e777dc70c58030fe

SHA512
85d027d03ba0fbbb756fb8ed70705ad509010411bf8c2b3c478d710070ca07153f1b5d60c53661813740d603957ab654b2bd81f4d5fe0535263176ec85cfe848

Download Submit
\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
346KB

MD5
9cc81858e05c07ae20d6f1e7313c73ec

SHA1
91d66dfad4cf181203cc44ca21f1241d73b53b52

SHA256
5d68c9e6c7a0d2068dbec8c4cf17a290bb36c58558add86f1a81bd2c2b641197

SHA512
208e668d244c05cbf2cf2d3617aa18ab258b423ba612453b5ea993af606829398c8c8ff88fd7bcef0395dcb11497254570732b949a62b2098e443bcb6fb5b912

Download Submit
\Users\Admin\AppData\Local\Temp\Nova Macro.exe

Filesize
2.1MB

MD5
ff8c730c1e0b87896e9a51a254146215

SHA1
2ec8ef4b9e2529eba0b721ffa86b45da68f1e016

SHA256
46b9b94f1c4df6d83f923100156b1f86ab2add026aaa4030cf6ee0dc70bcf40f

SHA512
bfee27faed1aba6b33ba40252a11d6da4ce4b51e13cac3ca58d7da66ca30d0bdac01217c447af64ab338b45fe374e266d574ca7be33aa992bd325e516cc15ace

Download Submit
\comFontReview\HyperBlockserverdriver.exe

Filesize
1.9MB

MD5
4b99d9a064c418dd14ced0903ecd8d50

SHA1
e9afe1e7bf7e6b4da889ae1eca38fa5aeb570b5b

SHA256
cce2af4db2859767ba5edc050f6778c6cb90da4c538bdd8254a49329bdf1c130

SHA512
f45141610e70eda82d588757000875ba2475f138e16433652b6c082b21c53a2b06fc5407e52453d3948ad9ea74bf185439c8f81e53f6e5821f9dc96d34eab5f4

Download Submit
memory/764-94-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/996-92-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-101-0x0000000000C90000-0x0000000000E76000-memory.dmp

Filesize
1.9MB

Download
memory/2648-16-0x0000000001130000-0x000000000118C000-memory.dmp

Filesize
368KB

Download
memory/2648-12-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2956-38-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2956-40-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2956-30-0x00000000008E0000-0x0000000000AC6000-memory.dmp

Filesize
1.9MB

Download
memory/2956-32-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2956-36-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2956-34-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download