0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384a

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
Size

345KB
MD5

c9e80445f0a257960d42c65b5a4383b0
SHA1

3473ccc4a88c86af20a4a7d8747926f487dc5ee3
SHA256

0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384a
SHA512

5c4af77b3f8db27e41682ae955b67257cde878ba6d33c3f50743903a710f600129a85fa9ec13436630df00d1b78b498f923543dfcc933dcc244f0b1c5deb3348
SSDEEP

3072:Kg9OBT3Be2Q6khQiCCuefXxzk6iGcbPChEdGZFR2obD4CTvek5WNQp0qYutgxS9I:YeC4EwZFoobUk8qp0qpgogZfpjkNYLb

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	x0gcdl11.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	x0gcdl11.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	x0gcdl11.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
3016	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	x0gcdl11.bat

Loads dropped DLL 1 IoCs

pid	Process
2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	x0gcdl11.bat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2528	sc.exe
3004	sc.exe
1980	sc.exe
1708	sc.exe
2740	sc.exe
2208	sc.exe
2912	sc.exe
2220	sc.exe
2764	sc.exe
1716	sc.exe
2416	sc.exe
680	sc.exe
2472	sc.exe
2128	sc.exe
2712	sc.exe
1872	sc.exe
1196	sc.exe
1808	sc.exe
2868	sc.exe
1816	sc.exe
1444	sc.exe
2060	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2012	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
2236	powershell.exe
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
2464	powershell.exe
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat
3040	x0gcdl11.bat

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
Token: SeDebugPrivilege	3040	x0gcdl11.bat
Token: SeSecurityPrivilege	1304	wevtutil.exe
Token: SeBackupPrivilege	1304	wevtutil.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2868	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	31
PID 2240 wrote to memory of 2868	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	31
PID 2240 wrote to memory of 2868	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	31
PID 2240 wrote to memory of 2128	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	33
PID 2240 wrote to memory of 2128	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	33
PID 2240 wrote to memory of 2128	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	33
PID 2240 wrote to memory of 2596	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	35
PID 2240 wrote to memory of 2596	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	35
PID 2240 wrote to memory of 2596	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	35
PID 2240 wrote to memory of 2712	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	37
PID 2240 wrote to memory of 2712	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	37
PID 2240 wrote to memory of 2712	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	37
PID 2596 wrote to memory of 2740	2596	cmd.exe	39
PID 2596 wrote to memory of 2740	2596	cmd.exe	39
PID 2596 wrote to memory of 2740	2596	cmd.exe	39
PID 2240 wrote to memory of 2588	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	40
PID 2240 wrote to memory of 2588	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	40
PID 2240 wrote to memory of 2588	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	40
PID 2240 wrote to memory of 2208	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	42
PID 2240 wrote to memory of 2208	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	42
PID 2240 wrote to memory of 2208	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	42
PID 2588 wrote to memory of 1716	2588	cmd.exe	44
PID 2588 wrote to memory of 1716	2588	cmd.exe	44
PID 2588 wrote to memory of 1716	2588	cmd.exe	44
PID 2240 wrote to memory of 1840	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	45
PID 2240 wrote to memory of 1840	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	45
PID 2240 wrote to memory of 1840	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	45
PID 2240 wrote to memory of 2912	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	47
PID 2240 wrote to memory of 2912	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	47
PID 2240 wrote to memory of 2912	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	47
PID 1840 wrote to memory of 1872	1840	cmd.exe	49
PID 1840 wrote to memory of 1872	1840	cmd.exe	49
PID 1840 wrote to memory of 1872	1840	cmd.exe	49
PID 2240 wrote to memory of 2224	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	50
PID 2240 wrote to memory of 2224	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	50
PID 2240 wrote to memory of 2224	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	50
PID 2224 wrote to memory of 2220	2224	cmd.exe	52
PID 2224 wrote to memory of 2220	2224	cmd.exe	52
PID 2224 wrote to memory of 2220	2224	cmd.exe	52
PID 2240 wrote to memory of 2180	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	53
PID 2240 wrote to memory of 2180	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	53
PID 2240 wrote to memory of 2180	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	53
PID 2180 wrote to memory of 2528	2180	cmd.exe	55
PID 2180 wrote to memory of 2528	2180	cmd.exe	55
PID 2180 wrote to memory of 2528	2180	cmd.exe	55
PID 2240 wrote to memory of 3040	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	56
PID 2240 wrote to memory of 3040	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	56
PID 2240 wrote to memory of 3040	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	56
PID 2240 wrote to memory of 3016	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	57
PID 2240 wrote to memory of 3016	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	57
PID 2240 wrote to memory of 3016	2240	0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe	57
PID 3040 wrote to memory of 3004	3040	x0gcdl11.bat	59
PID 3040 wrote to memory of 3004	3040	x0gcdl11.bat	59
PID 3040 wrote to memory of 3004	3040	x0gcdl11.bat	59
PID 3040 wrote to memory of 1980	3040	x0gcdl11.bat	61
PID 3040 wrote to memory of 1980	3040	x0gcdl11.bat	61
PID 3040 wrote to memory of 1980	3040	x0gcdl11.bat	61
PID 3016 wrote to memory of 2332	3016	cmd.exe	63
PID 3016 wrote to memory of 2332	3016	cmd.exe	63
PID 3016 wrote to memory of 2332	3016	cmd.exe	63
PID 3016 wrote to memory of 2852	3016	cmd.exe	64
PID 3016 wrote to memory of 2852	3016	cmd.exe	64
PID 3016 wrote to memory of 2852	3016	cmd.exe	64
PID 3016 wrote to memory of 2012	3016	cmd.exe	65

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2332	attrib.exe
760	attrib.exe
2020	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe
"C:\Users\Admin\AppData\Local\Temp\0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config wdfilter start=disabled
  2⤵
  - Launches sc.exe
  PID:2868
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\sc.exe
    sc stop wdfilter
    3⤵
    - Launches sc.exe
    PID:2740
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\sc.exe
    sc stop WerSvc
    3⤵
    - Launches sc.exe
    PID:1716
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\sc.exe
    sc stop WdNisSvc
    3⤵
    - Launches sc.exe
    PID:1872
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\sc.exe
    sc stop XblGameSave
    3⤵
    - Launches sc.exe
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\x0gcdl11.bat
  "C:\Users\Admin\AppData\Local\Temp\x0gcdl11.bat" ok
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config wdfilter start=disabled
    3⤵
    - Launches sc.exe
    PID:3004
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:476
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:1444
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WinDefend start=disabled
    3⤵
    - Launches sc.exe
    PID:1816
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
    3⤵
    PID:1972
  - - C:\Windows\system32\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:2060
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    PID:2880
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2472
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
    3⤵
    PID:1148
  - - C:\Windows\system32\sc.exe
      sc stop WdNisSvc
      4⤵
      Launches sc.exe
      PID:680
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
    3⤵
    - Launches sc.exe
    PID:1196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
    3⤵
    PID:1476
  - - C:\Windows\system32\sc.exe
      sc stop XblGameSave
      4⤵
      Launches sc.exe
      PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:2052
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:1708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop faceit
    3⤵
    PID:1600
  - - C:\Windows\system32\sc.exe
      sc stop faceit
      4⤵
      Launches sc.exe
      PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a931acd1-8a4f-4f2d-80d9-3cb95a5e9f46.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe"
    3⤵
    - Views/modifies file attributes
    PID:2332
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:2012
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\0c8c54fdd4059466eb4867c961d032351642ade27d8f3d79c46caf075394384aN.exe"
    3⤵
    - Views/modifies file attributes
    PID:760
- - C:\Windows\system32\wevtutil.exe
    wevtutil el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\a931acd1-8a4f-4f2d-80d9-3cb95a5e9f46.bat"
    3⤵
    - Views/modifies file attributes
    PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a931acd1-8a4f-4f2d-80d9-3cb95a5e9f46.bat

Filesize
780B

MD5
af6ab7bf9461c6af0920231f8e01226d

SHA1
7a3c1c4ba9c4dbd1ea8cc96eeec7411d31250951

SHA256
ce653f7ee43197a8b16f3a103dee3ef80f3b751ef1f893ea35bda7d9f29c86ca

SHA512
c9414324e4d3f0d6e589c47466bdfab96b1fe099c162c8b7ce416baaa0717987fef873f0703299c943128ba6721a91a9cc7ed6494df25929f5d9ac8ba8af6b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a5e291e0fe5b90d6a970d3f6f4558238

SHA1
ff5e80e7e4d59642602a6d744d15919b8c822386

SHA256
8a0dcdc103c4854d1e6c689e857a22505c867bedaab78c99d4c349fdec014619

SHA512
9ee266e6fa1bcc366966060fb61015e409dde67edabe0b17b012b56523c5dffa03363f75bd76868a9d88d4338d043fb85b1ff133969db5eb169498497e979adc

Download Submit
C:\Users\Admin\AppData\Roaming\spf\unknown.log

Filesize
263B

MD5
58ff01639de47afb960944c98034b51d

SHA1
f605f72891bea1eb1712faccee4b5b8df72f7227

SHA256
161b542eedae4ef678670cb411555bd40d94be39913704a04fa059b1ac74f214

SHA512
fd8feabcb6143b761518adb0d8189f3e58e03d24094c182f1a80779bd0c16bcf632863ee74b5511ea8e7a557371ecfe02a8dfe03fa8b7507edbc458a3b37c8fc

Download Submit
\Users\Admin\AppData\Local\Temp\x0gcdl11.bat

Filesize
346KB

MD5
7d1e5e3d22c9c470edfefac266372e37

SHA1
52ab5cfafc7ebee8b71254ba9218295bf2091469

SHA256
d6bb9709edb33cacf75dd9958e8cb2bf37455cba8edd039fbd688d8c19b9c028

SHA512
67a7acc65f390a6b2ccd6bf07dea6239ad7aeba88e7ef5d367dc8c498c9ebe4c3657592458153788a8d4b837bac1f6b52750101989165f2efde458efd0e586a1

Download Submit
memory/2236-28-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2236-29-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2240-18-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2240-2-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2240-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x000000013EE60000-0x000000013EE9E000-memory.dmp

Filesize
248KB

Download
memory/2464-36-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2464-35-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/3040-17-0x000000013E3E0000-0x000000013E41E000-memory.dmp

Filesize
248KB

Download