Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Perm Spoof...er.exe
windows11-21h2-x64
1Perm Spoof...on.dll
windows11-21h2-x64
1Perm Spoof...ec.dll
windows11-21h2-x64
1Perm Spoofer/bz2.dll
windows11-21h2-x64
1Perm Spoof...ed.exe
windows11-21h2-x64
1Perm Spoof...F2.bat
windows11-21h2-x64
5Perm Spoof...ck.exe
windows11-21h2-x64
1Perm Spoof...hk.sys
windows11-21h2-x64
1Perm Spoof...DF.bat
windows11-21h2-x64
1Perm Spoof...64.dll
windows11-21h2-x64
1Perm Spoof...64.dll
windows11-21h2-x64
1Perm Spoof...64.dll
windows11-21h2-x64
1Perm Spoof...sk.bat
windows11-21h2-x64
6Perm Spoof...ls.exe
windows11-21h2-x64
10Perm Spoof...4e.sys
windows11-21h2-x64
1Perm Spoof...ac.bat
windows11-21h2-x64
1Perm Spoof...ss.exe
windows11-21h2-x64
1Perm Spoof...64.exe
windows11-21h2-x64
1Perm Spoof...64.sys
windows11-21h2-x64
1Perm Spoof...pe.dll
windows11-21h2-x64
1Perm Spoof...16.dll
windows11-21h2-x64
1Perm Spoof...ed.exe
windows11-21h2-x64
1Perm Spoof...b1.dll
windows11-21h2-x64
1Resubmissions
13/11/2024, 20:39
241113-zfjhksygpp 10Analysis
-
max time kernel
91s -
max time network
95s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
13/11/2024, 20:39
Behavioral task
behavioral1
Sample
Perm Spoofer/Perm Spoofer.exe
Resource
win11-20241023-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
Perm Spoofer/brotlicommon.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
Perm Spoofer/brotlidec.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
Perm Spoofer/bz2.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
Perm Spoofer/cracked.exe
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
Perm Spoofer/dumped files/ASUSPDF2.bat
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
Perm Spoofer/dumped files/AsDeviceCheck.exe
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
Perm Spoofer/dumped files/AsDeviceChk.sys
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
Perm Spoofer/dumped files/AsusPDF.bat
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
Perm Spoofer/dumped files/afuefix64.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
Perm Spoofer/dumped files/amideefix64.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
Perm Spoofer/dumped files/bootx64.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
Perm Spoofer/dumped files/disk.bat
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral14
Sample
Perm Spoofer/dumped files/fixserials.exe
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
Perm Spoofer/dumped files/iqvw64e.sys
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
Perm Spoofer/dumped files/mac.bat
Resource
win11-20241023-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
Perm Spoofer/dumped files/tpmbypass.exe
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral18
Sample
Perm Spoofer/dumped files/winxsrcsv64.exe
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
Perm Spoofer/dumped files/winxsrcsv64.sys
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral20
Sample
Perm Spoofer/freetype.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
Perm Spoofer/libpng16.dll
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral22
Sample
Perm Spoofer/non cracked.exe
Resource
win11-20241007-en
windows11-21h2-x64
Behavioral task
behavioral23
Sample
Perm Spoofer/zlib1.dll
Resource
win11-20241007-en
windows11-21h2-x64
General
-
Target
Perm Spoofer/dumped files/disk.bat
-
Size
13KB
-
MD5
0c345568b15f4163d3955388cfa615f4
-
SHA1
069c7b499e8f68fb90d316d6114440ef762507d6
-
SHA256
28dc4e8c24c16af0910f3542ec8ae12376e668e45ba310a7f25c87ab4bfb89e8
-
SHA512
d4619bbb7bfeccf0bb3ea7259fec6a8324aadd544017ee0df0390339d112fd0ced6707d91fc5036faf2c4cbcc9326c4ba57befbbdf909c2306c109acdba6c543
-
SSDEEP
192:dIo4yR9Y9A/r1/kMUnNLyCYSvGOqHQ28lh9YDpqWkSyt1ninmdKgZ:3xR9hjF/UnECROBClh9YDpDkSy3inlo
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: powershell.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 pnputil.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0" pnputil.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0" pnputil.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum pnputil.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\ pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006 pnputil.exe Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Address pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6} pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6} pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 pnputil.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0018 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912} pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\ pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2} pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006 pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\RemovalPolicy pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\ pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities pnputil.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e} pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ContainerID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\ pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007 pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003 pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\ pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000D pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pnputil.exe Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceType pnputil.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Exclusive pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006 pnputil.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver pnputil.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ pnputil.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3460 powershell.exe 3460 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3460 powershell.exe Token: SeLoadDriverPrivilege 3404 pnputil.exe Token: SeLoadDriverPrivilege 3404 pnputil.exe Token: SeLoadDriverPrivilege 3664 pnputil.exe Token: SeLoadDriverPrivilege 3664 pnputil.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2764 wrote to memory of 2352 2764 cmd.exe 78 PID 2764 wrote to memory of 2352 2764 cmd.exe 78 PID 2352 wrote to memory of 2348 2352 net.exe 79 PID 2352 wrote to memory of 2348 2352 net.exe 79 PID 2764 wrote to memory of 3460 2764 cmd.exe 80 PID 2764 wrote to memory of 3460 2764 cmd.exe 80 PID 3460 wrote to memory of 3624 3460 powershell.exe 81 PID 3460 wrote to memory of 3624 3460 powershell.exe 81 PID 3460 wrote to memory of 3404 3460 powershell.exe 82 PID 3460 wrote to memory of 3404 3460 powershell.exe 82 PID 3460 wrote to memory of 3664 3460 powershell.exe 83 PID 3460 wrote to memory of 3664 3460 powershell.exe 83
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Perm Spoofer\dumped files\disk.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\system32\net.exeNET FILE2⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 FILE3⤵PID:2348
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell /nologo /noprofile /command "&{[ScriptBlock]::Create((cat """C:\Users\Admin\AppData\Local\Temp\Perm Spoofer\dumped files\disk.bat""") -join [Char[]]10).Invoke(@(&{$args}))}"2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\system32\pnputil.exe"C:\Windows\system32\pnputil.exe" /remove-device "SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 2&1f4adffe&0&000002" /force3⤵
- Checks SCSI registry key(s)
PID:3624
-
-
C:\Windows\system32\pnputil.exe"C:\Windows\system32\pnputil.exe" /remove-device SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 /force3⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
-
C:\Windows\system32\pnputil.exe"C:\Windows\system32\pnputil.exe" /remove-device SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 /force3⤵
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82