4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Size

257KB
MD5

cd61032ae7bcdd087a60824958f966a0
SHA1

144aa2d9732ccd1c3a71833dbc30cd975e84c6d6
SHA256

4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6
SHA512

211318757eff85e63cde3cde723b790abce8af1e8b8712acc5569281f925aeca04b3076ada55a0287b1655d68a5ef1c511978be824ba54a148c645d7500df38d
SSDEEP

3072:Og9OBT3Be2Q6khQiCCuefXxzk6iGcbPChEdGZFR2obD4CTvek5WNQp0qYutgxbaA:UeC4EwZFoobUk8qp0qpgqOZ

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jd1wwieu.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jd1wwieu.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jd1wwieu.bat

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
1152	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	jd1wwieu.bat

Loads dropped DLL 1 IoCs

pid	Process
2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	jd1wwieu.bat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2808	sc.exe
2228	sc.exe
1996	sc.exe
2448	sc.exe
2220	sc.exe
2144	sc.exe
1532	sc.exe
2792	sc.exe
2692	sc.exe
2820	sc.exe
2548	sc.exe
2052	sc.exe
2336	sc.exe
900	sc.exe
1496	sc.exe
1640	sc.exe
2908	sc.exe
2344	sc.exe
2568	sc.exe
3004	sc.exe
2740	sc.exe
1632	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1156	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1664	powershell.exe
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
992	powershell.exe
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat
1700	jd1wwieu.bat

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Token: SeDebugPrivilege	1700	jd1wwieu.bat
Token: SeSecurityPrivilege	2152	wevtutil.exe
Token: SeBackupPrivilege	2152	wevtutil.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2336	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	32
PID 2612 wrote to memory of 2344	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	31
PID 2612 wrote to memory of 2336	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	32
PID 2612 wrote to memory of 2344	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	31
PID 2612 wrote to memory of 2336	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	32
PID 2612 wrote to memory of 2344	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	31
PID 2612 wrote to memory of 2676	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	35
PID 2612 wrote to memory of 2676	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	35
PID 2612 wrote to memory of 2676	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	35
PID 2612 wrote to memory of 2808	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	37
PID 2612 wrote to memory of 2808	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	37
PID 2612 wrote to memory of 2808	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	37
PID 2676 wrote to memory of 2792	2676	cmd.exe	39
PID 2676 wrote to memory of 2792	2676	cmd.exe	39
PID 2676 wrote to memory of 2792	2676	cmd.exe	39
PID 2612 wrote to memory of 2852	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	40
PID 2612 wrote to memory of 2852	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	40
PID 2612 wrote to memory of 2852	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	40
PID 2612 wrote to memory of 2692	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	42
PID 2612 wrote to memory of 2692	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	42
PID 2612 wrote to memory of 2692	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	42
PID 2852 wrote to memory of 2568	2852	cmd.exe	44
PID 2852 wrote to memory of 2568	2852	cmd.exe	44
PID 2852 wrote to memory of 2568	2852	cmd.exe	44
PID 2612 wrote to memory of 2696	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	45
PID 2612 wrote to memory of 2696	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	45
PID 2612 wrote to memory of 2696	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	45
PID 2612 wrote to memory of 2820	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	47
PID 2612 wrote to memory of 2820	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	47
PID 2612 wrote to memory of 2820	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	47
PID 2696 wrote to memory of 2548	2696	cmd.exe	49
PID 2696 wrote to memory of 2548	2696	cmd.exe	49
PID 2696 wrote to memory of 2548	2696	cmd.exe	49
PID 2612 wrote to memory of 2604	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	50
PID 2612 wrote to memory of 2604	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	50
PID 2612 wrote to memory of 2604	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	50
PID 2604 wrote to memory of 3004	2604	cmd.exe	52
PID 2604 wrote to memory of 3004	2604	cmd.exe	52
PID 2604 wrote to memory of 3004	2604	cmd.exe	52
PID 2612 wrote to memory of 2020	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	53
PID 2612 wrote to memory of 2020	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	53
PID 2612 wrote to memory of 2020	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	53
PID 2020 wrote to memory of 900	2020	cmd.exe	55
PID 2020 wrote to memory of 900	2020	cmd.exe	55
PID 2020 wrote to memory of 900	2020	cmd.exe	55
PID 2612 wrote to memory of 1700	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	56
PID 2612 wrote to memory of 1700	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	56
PID 2612 wrote to memory of 1700	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	56
PID 2612 wrote to memory of 1152	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	57
PID 2612 wrote to memory of 1152	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	57
PID 2612 wrote to memory of 1152	2612	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	57
PID 1700 wrote to memory of 2052	1700	jd1wwieu.bat	59
PID 1700 wrote to memory of 2052	1700	jd1wwieu.bat	59
PID 1700 wrote to memory of 2052	1700	jd1wwieu.bat	59
PID 1700 wrote to memory of 1496	1700	jd1wwieu.bat	60
PID 1700 wrote to memory of 1496	1700	jd1wwieu.bat	60
PID 1700 wrote to memory of 1496	1700	jd1wwieu.bat	60
PID 1152 wrote to memory of 1788	1152	cmd.exe	63
PID 1152 wrote to memory of 1788	1152	cmd.exe	63
PID 1152 wrote to memory of 1788	1152	cmd.exe	63
PID 1152 wrote to memory of 1964	1152	cmd.exe	64
PID 1152 wrote to memory of 1964	1152	cmd.exe	64
PID 1152 wrote to memory of 1964	1152	cmd.exe	64
PID 1152 wrote to memory of 1156	1152	cmd.exe	65

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1788	attrib.exe
956	attrib.exe
1396	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
"C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config wdfilter start=disabled
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\sc.exe
    sc stop wdfilter
    3⤵
    - Launches sc.exe
    PID:2792
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\sc.exe
    sc stop WerSvc
    3⤵
    - Launches sc.exe
    PID:2568
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\sc.exe
    sc stop WdNisSvc
    3⤵
    - Launches sc.exe
    PID:2548
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\sc.exe
    sc stop XblGameSave
    3⤵
    - Launches sc.exe
    PID:900
- C:\Users\Admin\AppData\Local\Temp\jd1wwieu.bat
  "C:\Users\Admin\AppData\Local\Temp\jd1wwieu.bat" ok
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2052
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config wdfilter start=disabled
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:2212
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:2228
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WinDefend start=disabled
    3⤵
    - Launches sc.exe
    PID:2220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
    3⤵
    PID:2108
  - - C:\Windows\system32\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:1640
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2144
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
    3⤵
    - Launches sc.exe
    PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
    3⤵
    PID:1936
  - - C:\Windows\system32\sc.exe
      sc stop WdNisSvc
      4⤵
      Launches sc.exe
      PID:1632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    PID:1288
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:1996
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
    3⤵
    PID:1304
  - - C:\Windows\system32\sc.exe
      sc stop XblGameSave
      4⤵
      Launches sc.exe
      PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:1584
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:2908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop faceit
    3⤵
    PID:108
  - - C:\Windows\system32\sc.exe
      sc stop faceit
      4⤵
      Launches sc.exe
      PID:2448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42f6641a-3601-4589-9480-0484554ffb27.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe"
    3⤵
    - Views/modifies file attributes
    PID:1788
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1964
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:1156
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe"
    3⤵
    - Views/modifies file attributes
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\42f6641a-3601-4589-9480-0484554ffb27.bat"
    3⤵
    - Views/modifies file attributes
    PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\42f6641a-3601-4589-9480-0484554ffb27.bat

Filesize
780B

MD5
17453e405fccbb8f049460ece83923c9

SHA1
3584411cc63c76756a4c471eba89d9ba69b9b554

SHA256
3dd93c13a7ec499b3ede9df3984f4cd0bc2b8711e6148691033b5c99e7a07df0

SHA512
e24aa14a4790c644fcec9cad55619c5bc8c84300efec978027e56fb303549dc2d893d8620c96febd0962a69486acce2e85ce7bc0d9b07873256a507186a8b23b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7782bd0ca60b2ddcccdf616c1561429c

SHA1
012990002df3abe9d3f2072b173fb28c905b70cd

SHA256
e35c771f350374746ab0c2d575da6f3b7bde4acd28ffd352a21334f25a78e519

SHA512
982971fad5e0746daaaaa87f8667a26a1be1c95b43747e8c4246393e3b206fa7173fa7e365f58d41bf5ab01607b212fa0b2b3c63c8881b357dac0bfa507e9d46

Download Submit
C:\Users\Admin\AppData\Roaming\spf\unknown.log

Filesize
190B

MD5
b338943bd7d27e46b743884a8adc5a22

SHA1
e5bd1434132e66e2436b83ba105838e631dc384b

SHA256
95b7631e7d88a92c686ed16744fb8f3d7f897bc541f0eab65faf27bea21ebdc4

SHA512
4d0875816079d52678dba44385303de7bef97e07e7fd87f41c98a665df11ba904d4b779fc6ce7db2a761e6058cbad8b7d3eb17454f6d93894ebe1f186f26e1d6

Download Submit
\Users\Admin\AppData\Local\Temp\jd1wwieu.bat

Filesize
258KB

MD5
f91ad663d8f351e9080d47affa11369c

SHA1
d5a63f58ab65b1f1238224ef9bb6f3f86e00613a

SHA256
a246caabc22044189f7998499a20aeaab6aef15cbdabb1beecce2675fd32aeed

SHA512
6e78dee541a72a980bbaa060c86a76b736683d02b693a2ba9b4f1762578cdb51b6fa5f7838c051c0847b1a9fef370b91eb7b1a990cd877af2f033981e86acd45

Download Submit
memory/992-36-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/992-35-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1664-29-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1664-28-0x000000001B8C0000-0x000000001BBA2000-memory.dmp

Filesize
2.9MB

Download
memory/1700-17-0x000000013F870000-0x000000013F8AE000-memory.dmp

Filesize
248KB

Download
memory/2612-18-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-0-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/2612-2-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-1-0x000000013FA70000-0x000000013FAAE000-memory.dmp

Filesize
248KB

Download