766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175e

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 06:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe
Size

5.4MB
MD5

66eeab5c2975a225bce2746baf77b260
SHA1

725d520130a7f51442ab2aeae1dbe13b304a31a1
SHA256

766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175e
SHA512

6f7b739ad0f302533a22fcbce98239753eec29c4cd60daf51f22c5e0f1f342f6915bba864b6b6ece26c827010d3613ce25498671b9f5ef0e4df051a8f68228bb
SSDEEP

98304:p8sjk3hRWieWT0ywsagZ9VeXD3OKvRbgyNMY/HzrCU7vXG+:PjYhRPeWvnzwrOjy9//xTXd

Score

8^/10

discovery exploit persistence upx

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
2504	takeown.exe
2452	icacls.exe
2192	takeown.exe
2140	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsLoader.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activer.exe	Activer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Activer.exe	Activer.exe

Executes dropped EXE 4 IoCs

pid	Process
3012	WindowsLoader.exe
2696	WindowsActiver.exe
1144	Activer.exe
2368	bootsect.exe

Loads dropped DLL 7 IoCs

pid	Process
392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe
392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe
2944	regsvr32.exe
2696	WindowsActiver.exe
2696	WindowsActiver.exe
2696	WindowsActiver.exe
2696	WindowsActiver.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2452	icacls.exe
2192	takeown.exe
2140	icacls.exe
2504	takeown.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Win = "rundll32 shell32,ShellExec_RunDLL regsvr32 -s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sfx.dll\""	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Activer.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Activer.exe\""	Activer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Activer.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Activer.exe\""	Activer.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1144-120-0x0000000001000000-0x000000000111F000-memory.dmp	autoit_exe
behavioral1/memory/2696-118-0x0000000000AA0000-0x0000000000BBF000-memory.dmp	autoit_exe
behavioral1/memory/1144-134-0x0000000001000000-0x000000000111F000-memory.dmp	autoit_exe
behavioral1/memory/1144-149-0x0000000001000000-0x000000000111F000-memory.dmp	autoit_exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000018b05-5.dat	upx
behavioral1/memory/3012-10-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/files/0x0007000000018b50-86.dat	upx
behavioral1/memory/2696-90-0x0000000000AA0000-0x0000000000BBF000-memory.dmp	upx
behavioral1/memory/3012-114-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/1144-120-0x0000000001000000-0x000000000111F000-memory.dmp	upx
behavioral1/memory/2696-118-0x0000000000AA0000-0x0000000000BBF000-memory.dmp	upx
behavioral1/memory/1144-134-0x0000000001000000-0x000000000111F000-memory.dmp	upx
behavioral1/memory/1144-149-0x0000000001000000-0x000000000111F000-memory.dmp	upx
behavioral1/memory/3012-150-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Activer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootsect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsActiver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WindowsLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	WindowsLoader.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2	Activer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\securitycenter	Activer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\securitycenter2	Activer.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3012	WindowsLoader.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	3012	WindowsLoader.exe
Token: SeIncBasePriorityPrivilege	3012	WindowsLoader.exe
Token: 33	3012	WindowsLoader.exe
Token: SeIncBasePriorityPrivilege	3012	WindowsLoader.exe
Token: SeTakeOwnershipPrivilege	2504	takeown.exe
Token: SeTakeOwnershipPrivilege	2192	takeown.exe
Token: SeShutdownPrivilege	1604	shutdown.exe
Token: SeRemoteShutdownPrivilege	1604	shutdown.exe
Token: 33	2992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2992	AUDIODG.EXE
Token: 33	2992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2992	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	WindowsLoader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 3012	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	29
PID 392 wrote to memory of 3012	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	29
PID 392 wrote to memory of 3012	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	29
PID 392 wrote to memory of 3012	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	29
PID 392 wrote to memory of 2840	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	30
PID 392 wrote to memory of 2840	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	30
PID 392 wrote to memory of 2840	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	30
PID 392 wrote to memory of 2840	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	30
PID 2840 wrote to memory of 2944	2840	cmd.exe	32
PID 2840 wrote to memory of 2944	2840	cmd.exe	32
PID 2840 wrote to memory of 2944	2840	cmd.exe	32
PID 2840 wrote to memory of 2944	2840	cmd.exe	32
PID 2840 wrote to memory of 2944	2840	cmd.exe	32
PID 2840 wrote to memory of 2944	2840	cmd.exe	32
PID 2840 wrote to memory of 2944	2840	cmd.exe	32
PID 392 wrote to memory of 2696	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	33
PID 392 wrote to memory of 2696	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	33
PID 392 wrote to memory of 2696	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	33
PID 392 wrote to memory of 2696	392	766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe	33
PID 2696 wrote to memory of 1144	2696	WindowsActiver.exe	36
PID 2696 wrote to memory of 1144	2696	WindowsActiver.exe	36
PID 2696 wrote to memory of 1144	2696	WindowsActiver.exe	36
PID 2696 wrote to memory of 1144	2696	WindowsActiver.exe	36
PID 3012 wrote to memory of 1744	3012	WindowsLoader.exe	37
PID 3012 wrote to memory of 1744	3012	WindowsLoader.exe	37
PID 3012 wrote to memory of 1744	3012	WindowsLoader.exe	37
PID 3012 wrote to memory of 1744	3012	WindowsLoader.exe	37
PID 1744 wrote to memory of 2424	1744	cmd.exe	39
PID 1744 wrote to memory of 2424	1744	cmd.exe	39
PID 1744 wrote to memory of 2424	1744	cmd.exe	39
PID 1744 wrote to memory of 2424	1744	cmd.exe	39
PID 2424 wrote to memory of 2504	2424	cmd.exe	40
PID 2424 wrote to memory of 2504	2424	cmd.exe	40
PID 2424 wrote to memory of 2504	2424	cmd.exe	40
PID 2424 wrote to memory of 2504	2424	cmd.exe	40
PID 3012 wrote to memory of 2244	3012	WindowsLoader.exe	41
PID 3012 wrote to memory of 2244	3012	WindowsLoader.exe	41
PID 3012 wrote to memory of 2244	3012	WindowsLoader.exe	41
PID 3012 wrote to memory of 2244	3012	WindowsLoader.exe	41
PID 2244 wrote to memory of 2452	2244	cmd.exe	43
PID 2244 wrote to memory of 2452	2244	cmd.exe	43
PID 2244 wrote to memory of 2452	2244	cmd.exe	43
PID 2244 wrote to memory of 2452	2244	cmd.exe	43
PID 3012 wrote to memory of 2672	3012	WindowsLoader.exe	44
PID 3012 wrote to memory of 2672	3012	WindowsLoader.exe	44
PID 3012 wrote to memory of 2672	3012	WindowsLoader.exe	44
PID 3012 wrote to memory of 2672	3012	WindowsLoader.exe	44
PID 2672 wrote to memory of 2072	2672	cmd.exe	46
PID 2672 wrote to memory of 2072	2672	cmd.exe	46
PID 2672 wrote to memory of 2072	2672	cmd.exe	46
PID 2672 wrote to memory of 2072	2672	cmd.exe	46
PID 2072 wrote to memory of 2192	2072	cmd.exe	47
PID 2072 wrote to memory of 2192	2072	cmd.exe	47
PID 2072 wrote to memory of 2192	2072	cmd.exe	47
PID 2072 wrote to memory of 2192	2072	cmd.exe	47
PID 3012 wrote to memory of 2684	3012	WindowsLoader.exe	48
PID 3012 wrote to memory of 2684	3012	WindowsLoader.exe	48
PID 3012 wrote to memory of 2684	3012	WindowsLoader.exe	48
PID 3012 wrote to memory of 2684	3012	WindowsLoader.exe	48
PID 2684 wrote to memory of 2140	2684	cmd.exe	50
PID 2684 wrote to memory of 2140	2684	cmd.exe	50
PID 2684 wrote to memory of 2140	2684	cmd.exe	50
PID 2684 wrote to memory of 2140	2684	cmd.exe	50
PID 3012 wrote to memory of 1716	3012	WindowsLoader.exe	51

C:\Users\Admin\AppData\Local\Temp\766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe
"C:\Users\Admin\AppData\Local\Temp\766ce75e70a73a59213f139e449251ee061606cb467cde61f666cf5330f2175eN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
  C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\ldrscan\bootwin
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\ldrscan\bootwin
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\ldrscan\bootwin
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\ldrscan\bootwin
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2140
- - C:\Windows\system32\cmd.exe
    cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
    3⤵
    PID:1716
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
      4⤵
      PID:952
- - C:\Windows\system32\cmd.exe
    cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
    3⤵
    PID:2032
  - - C:\Windows\System32\cscript.exe
      C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
      4⤵
      PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "compact /u \\?\Volume{dc104d83-871d-11ef-a958-806e6f6e6963}\TOILS"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
  - - C:\Windows\SysWOW64\compact.exe
      compact /u \\?\Volume{dc104d83-871d-11ef-a958-806e6f6e6963}\TOILS
      4⤵
      System Location Discovery: System Language Discovery
      PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\bootsect.exe
      C:\bootsect.exe /nt60 SYS /force
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "shutdown -r -t 0"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 0
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe
  C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\Activer.exe
    "C:\Users\Admin\AppData\Local\Temp\Activer.exe" "del" C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:1144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS

Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe

Filesize
597KB

MD5
1f691ab8266ade4dffd908610d79b6be

SHA1
e437eb9d1d743cd84a00977396b2da643f08ae01

SHA256
24b216f2ef95aeab5d62c4e18f206b3d6873d40aa1ccfac676cff1a8f4987b30

SHA512
e5791868088ae81640bc8bf13f5aa9393d763fad0dfccee20e41dd7734c85cfceca775b787791cf57a4c5c3ee94fe0bffd4c709ee350386dea09a76524933599

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.dll

Filesize
2.1MB

MD5
c310316d34abd7ea3bd9d07a384b2556

SHA1
0a40516fd899a78609254d05932cfbca45e70dae

SHA256
f67e22b28eddd3eb446314b9081059d2bed2402438e9205baf8ab366d19537f8

SHA512
b7e6103b30e4d6dae82564013e7b5ede33a08450695ec121f5fa987bc94b5c9c115404bc44a4178d50dbb62ca17bca0e1d3df35586efb12be77db7df8af9c6da

Download Submit
C:\bootsect.exe

Filesize
95KB

MD5
88c9b8c446e59e9bc71373af3d061520

SHA1
65b7d8f36dd380a73509038108c79e2baf31ecf3

SHA256
22d7b52b87d37bc217a35569fe7103e9d61505967c9075199f88d3a8cbb689e0

SHA512
612d40695e28c882de76dbd738df0fb7c14f11a472b73c5a2f0475e78a1931a86a4f83611f5ed0fcd20a924c54b55a1ceab23e545c66b8c54765b1e4105fbf33

Download Submit
\??\Volume{dc104d83-871d-11ef-a958-806e6f6e6963}\TOILS

Filesize
294KB

MD5
cff64788d5ed6954855b43fd425cad18

SHA1
ec72ea777373d144f89411427d560081c862af0c

SHA256
c2b226a692df3353c2199f801a6c3e359ae7fc95aa264e5c122323c9ac4487dc

SHA512
82e3c0f2451f6c0d5ebf30a55acfe4923161c5626fe195fb345b6f3215ca90c3f486bf39b18dde69b30ff639f2f664038dd0536b374ed40300234df112a3c387

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsLoader.exe

Filesize
3.8MB

MD5
323c0fd51071400b51eedb1be90a8188

SHA1
0efc35935957c25193bbe9a83ab6caa25a487ada

SHA256
2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

SHA512
4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

Download Submit
memory/392-8-0x0000000002E10000-0x0000000003033000-memory.dmp

Filesize
2.1MB

Download
memory/392-88-0x0000000002E10000-0x0000000002F2F000-memory.dmp

Filesize
1.1MB

Download
memory/1144-149-0x0000000001000000-0x000000000111F000-memory.dmp

Filesize
1.1MB

Download
memory/1144-134-0x0000000001000000-0x000000000111F000-memory.dmp

Filesize
1.1MB

Download
memory/1144-120-0x0000000001000000-0x000000000111F000-memory.dmp

Filesize
1.1MB

Download
memory/2696-90-0x0000000000AA0000-0x0000000000BBF000-memory.dmp

Filesize
1.1MB

Download
memory/2696-111-0x0000000002CE0000-0x0000000002DFF000-memory.dmp

Filesize
1.1MB

Download
memory/2696-112-0x0000000002CE0000-0x0000000002DFF000-memory.dmp

Filesize
1.1MB

Download
memory/2696-118-0x0000000000AA0000-0x0000000000BBF000-memory.dmp

Filesize
1.1MB

Download
memory/2696-113-0x0000000002CE0000-0x0000000002DFF000-memory.dmp

Filesize
1.1MB

Download
memory/2696-115-0x0000000002CE0000-0x0000000002DFF000-memory.dmp

Filesize
1.1MB

Download
memory/2944-95-0x0000000000970000-0x0000000000B8D000-memory.dmp

Filesize
2.1MB

Download
memory/2944-93-0x0000000000970000-0x0000000000B8D000-memory.dmp

Filesize
2.1MB

Download
memory/3012-24-0x00000000007D0000-0x00000000007E3000-memory.dmp

Filesize
76KB

Download
memory/3012-37-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/3012-45-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/3012-32-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/3012-114-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3012-18-0x0000000002500000-0x00000000026A3000-memory.dmp

Filesize
1.6MB

Download
memory/3012-53-0x00000000009C0000-0x00000000009D1000-memory.dmp

Filesize
68KB

Download
memory/3012-61-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/3012-69-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/3012-77-0x00000000009F0000-0x0000000000A10000-memory.dmp

Filesize
128KB

Download
memory/3012-10-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3012-150-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads