Analysis
max time kernel: 219s
max time network: 202s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-11-2024 14:13
Behavioral task
behavioral1
Sample
Dest/HorrorBob2.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
Dest/HorrorRansom 1.0 Final.exe
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
Dest/HorrorTrojan Ultimate Edition.exe
Resource
win11-20241007-en
Behavioral task
behavioral4
Sample
Dest/HorrorTrojan123.exe
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
Dest/Start.bat
Resource
win11-20241007-en
Behavioral task
behavioral6
Sample
Dest/covid20.exe
Resource
win11-20241007-en
Errors
General
Target: Dest/HorrorTrojan Ultimate Edition.exe
Size: 15.0MB
MD5: 8f5a2b3154aba26acf5440fd3034326c
SHA1: b4d508ee783dc1f1a2cf9147cc1e5729470e773b
SHA256: fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
SHA512: 01c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2
SSDEEP: 393216:l2iLiU7VXd6AKprP7iJx4J20cQ3qpalJZfhxGWqIcckC:l2iNObp4x820AS7nj
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: gdifuncs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | gdifuncs.exe
-
UAC bypass 1 IoCs
Processes: gdifuncs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1592 | takeown.exe
4920 | icacls.exe
5696 | takeown.exe
3712 | icacls.exe
-
Executes dropped EXE 4 IoCs
Processes: mbr.exe, jeffpopup.exe, bobcreep.exe, gdifuncs.exe
pid | process
2508 | mbr.exe
5700 | jeffpopup.exe
3028 | bobcreep.exe
5968 | gdifuncs.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1592 | takeown.exe
4920 | icacls.exe
5696 | takeown.exe
3712 | icacls.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: mbr.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | mbr.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
-
Drops file in Windows directory 6 IoCs
Processes: cmd.exe, cmd.exe, gdifuncs.exe
description | ioc | process
File opened for modification | \??\c:\windows\WinAttr.gci | cmd.exe
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
File created | C:\windows\WinAttr.gci | gdifuncs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: gdifuncs.exe, icacls.exe, takeown.exe, timeout.exe, HorrorTrojan Ultimate Edition.exe, mbr.exe, jeffpopup.exe, icacls.exe, taskkill.exe, bobcreep.exe, takeown.exe, cmd.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gdifuncs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | takeown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HorrorTrojan Ultimate Edition.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jeffpopup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bobcreep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | takeown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
1552 | timeout.exe
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
1512 | taskkill.exe
-
Modifies Control Panel 3 IoCs
Processes: gdifuncs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
-
Modifies registry class 1 IoCs
Processes: MiniSearchHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: gdifuncs.exe
pid | process
5968 | gdifuncs.exe (this same entry appears 64 times in the original listing)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: gdifuncs.exe, AUDIODG.EXE, takeown.exe, takeown.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 5968 | gdifuncs.exe
Token: SeDebugPrivilege | 5968 | gdifuncs.exe
Token: 33 | 4484 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4484 | AUDIODG.EXE
Token: SeTakeOwnershipPrivilege | 1592 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5696 | takeown.exe
Token: SeDebugPrivilege | 1512 | taskkill.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: jeffpopup.exe, bobcreep.exe, MiniSearchHost.exe
pid | process
5700 | jeffpopup.exe
3028 | bobcreep.exe
5352 | MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: HorrorTrojan Ultimate Edition.exe, wscript.exe, cmd.exe
description | pid | process | target process (rows repeated verbatim in the original listing are collapsed here)
PID 5840 wrote to memory of 1424 | 5840 | HorrorTrojan Ultimate Edition.exe | wscript.exe
PID 1424 wrote to memory of 2508 | 1424 | wscript.exe | mbr.exe
PID 1424 wrote to memory of 3568 | 1424 | wscript.exe | cmd.exe
PID 3568 wrote to memory of 1728 | 3568 | cmd.exe | reg.exe
PID 3568 wrote to memory of <child> | 3568 | cmd.exe | rundll32.exe, for child PIDs 1620, 3984, 6012, 900, 4780, 4144, 1904, 5124, 5792, 3332, 1228, 4120, 4128, 5300, 5160, 1332, 3676, 2604, 2100, 4912, 740, 4748, 932, 4956, 1376, 2000, 2112, 1572
-
System policy modification 1 TTPs 1 IoCs
Processes: gdifuncs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5840
  [2] C:\Windows\system32\wscript.exe
    command line: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\783D.tmp\783E.tmp\783F.vbs //Nologo
    - Suspicious use of WriteProcessMemory
    PID: 1424
    [3] C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      PID: 2508
    [3] C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\783D.tmp\tools.cmd" "
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 3568
      [4] C:\Windows\system32\reg.exe
        command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
        - Sets desktop wallpaper using registry
        PID: 1728
      [4] C:\Windows\system32\rundll32.exe (35 identical invocations)
        command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        PIDs: 1620, 3984, 6012, 900, 4780, 4144, 1904, 5124, 5792, 3332, 1228, 4120, 4128, 5300, 5160, 1332, 3676, 2604, 2100, 4912, 740, 4748, 932, 4956, 1376, 2000, 2112, 1572, 1564, 3020, 6128, 228, 220, 5924, 5492
    [3] C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 5700
    [3] C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3028
    [3] C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
      PID: 5968
      [4] C:\windows\SysWOW64\takeown.exe
        command line: "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 1592
      [4] C:\windows\SysWOW64\icacls.exe
        command line: "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        PID: 4920
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        PID: 2780
        [5] C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f LogonUI.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 5696
        [5] C:\Windows\SysWOW64\icacls.exe
          command line: icacls LogonUI.exe /granted "Admin":F
          - Possible privilege escalation attempt
          - Modifies file permissions
          - System Location Discovery: System Language Discovery
          PID: 3712
        [5] C:\Windows\SysWOW64\timeout.exe
          command line: timeout 2
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID: 1552
        [5] C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /f /im "tobi0a0c.exe"
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1512
[1] C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E8
  - Suspicious use of AdjustPrivilegeToken
  PID: 4484
[1] C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 848
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 5352
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  File and Directory Permissions Modification (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (4)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: b7443e89f0cb29d51ee6a257750e54d2
SHA1: 84127eebf275e781d5276af6fc4d09c5a6bfb7b9
SHA256: 8226877d6ab2e4834aea6bc71bd9865b28d0bd1ec2e8b4c23b8acf0301c56f26
SHA512: 446cfe25d82f3bbf7badd324cae691ad62e13bd7469e415f47b9141bddf30679219c672937f4f6768796c2936c3b9c557fabbda1fb51c5edbb7c1964bffa17be
-
Filesize: 2KB
MD5: a0679dce64fcf875f4208b823d4b85c0
SHA1: 85abe3673db82bfe5b2c207dc98648e32afffea0
SHA256: 85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1
SHA512: 1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6
-
Filesize: 6.6MB
MD5: a605dbeda4f89c1569dd46221c5e85b5
SHA1: 5f28ce1e1788a083552b9ac760e57d278467a1f9
SHA256: 77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
SHA512: e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610
-
Filesize: 92KB
MD5: 219cd85d93a4ed65a481f353a3de5376
SHA1: a38ab77caf5417765d5595b2fcd859c6354bf079
SHA256: 00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f
SHA512: 367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9
-
Filesize: 5.0MB
MD5: c47c6a5111193af2c9337634b773d2d3
SHA1: 036604921b67bbad60c7823482e5e6cb268ded14
SHA256: 7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585
SHA512: 56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262
-
Filesize: 780KB
MD5: 4151b988c9d5c550ccb6c3b49bf551d4
SHA1: 10ff979be4a5bbacaf208bdbb8236b940208eed1
SHA256: 5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e
SHA512: c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d
-
Filesize: 19.0MB
MD5: 1b185a156cfc1ddeff939bf62672516b
SHA1: fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256: e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512: 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7
-
Filesize: 1.3MB
MD5: 74be3afd732dc010c8266326cc32127b
SHA1: a91802c200f10c09ff9a0679c274bbe55ecb7b41
SHA256: 03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c
SHA512: 68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5
-
Filesize: 2KB
MD5: 288bebe9f904e6fabe4de67bd7897445
SHA1: 0587ce2d936600a9eb142c6197fe12a0c3e8472f
SHA256: cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2
SHA512: 7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c
-
Filesize: 74B
MD5: 05d30a59150a996af1258cdc6f388684
SHA1: c773b24888976c889284365dd0b584f003141f38
SHA256: c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9
SHA512: 2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a