Analysis
-
max time kernel
29s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/12/2024, 18:43
General
-
Target
ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe
-
Size
147KB
-
MD5
75c865f1747b242051eb6a05e91f915a
-
SHA1
624e32dc35c81331bee657174ba5744ab262564b
-
SHA256
ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc
-
SHA512
b5ca5b998a12cede7c11cac166d6f839c3ba4cbd7a22b6cdfb0385cb42ebd2e94c163543d826419f05f4cd4780e3f72003ae20d69b6ac7bebe4afadf48926cea
-
SSDEEP
3072:YA/yzn2EpnbZdb1U4FwhKNUrvHc9c7AWTTYbDU:YJnjbyKUziXMTN
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 7 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 48 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 7 IoCs
-
Runs regedit.exe 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~FFD2.bat "C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"3⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBInfo.vbe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Drivers\USBInfo.com"C:\Windows\system32\Drivers\USBInfo.com"5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~24A0.bat "C:\Windows\system32\Drivers\USBInfo.com"6⤵
- Drops file in Drivers directory
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf7⤵
- Sets file to hidden
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$Recycle.Bin"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Documents and Settings"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "MSOCache"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "PerfLogs"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files (x86)"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "ProgramData"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Recovery"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "System Volume Information"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Users"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Windows"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf7⤵
- Sets file to hidden
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$RECYCLE.BIN"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "889200431-569280326193843426211836923091571236423-989729089-20957142651000446718"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-155699798211510114801795613790990365110-1480472598-20445891785885436481126556125"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
4Hidden Files and Directories
4Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5bc278224d87330dbedf84ddefdced3f1
SHA10a21b60897db6bd7559fef583bb095266110b653
SHA2561d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a
SHA5126ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a
-
Filesize
256B
MD575ff72a0b3453735b4e1daf5a392a881
SHA101ed478d6ff4db3056d2e28d8816e87114f83a44
SHA256b364003f9ee77bc908a97e936edd7cd244987fa28d17f7d5d168ff701d76a8c6
SHA5129e6871ecc3fd6591c461f22c95d21619d113f0a623cf4b05258fc6277a9d5c03b11c8de8eca56f870d7120b1294e5e53a0ecc9e119c114707aed06c1083b27db
-
Filesize
147KB
MD575c865f1747b242051eb6a05e91f915a
SHA1624e32dc35c81331bee657174ba5744ab262564b
SHA256ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc
SHA512b5ca5b998a12cede7c11cac166d6f839c3ba4cbd7a22b6cdfb0385cb42ebd2e94c163543d826419f05f4cd4780e3f72003ae20d69b6ac7bebe4afadf48926cea
-
Filesize
77B
MD554ceb8eabaff522c097e4949d39fbd09
SHA1304fd3c274aac25477ba1f3f500ae34e6c94612d
SHA256d2d64a938a71d1b747112176eeb345991433fc81475a397b85b6b4c3d97f8550
SHA5123c6ce4fe30121305b176a3ccc7358343bfdd28537358e7289e4354b52f152c018acfe843659df5bd35228fca804b0285baa8350e2b6ca39719bdefdb77b2e0be
-
Filesize
20B
MD5905d7a48a13a75ced1342bbdf0a3ace2
SHA13bcc021a82ed38810bcf61286eb1f4e578e3721f
SHA25610338a72fbacb4fdf731d8937cdf23519896c5122b6a80079527cebf8406b3cd
SHA512fe77b8b928ba1ffb1a8bf941b2a0279b3ca6512d30dd1a2e2f363f9b2be245e361fab40232bc868f0f7e79bacc476653a49b66d2cf6945ed87b0c776783db8c1
-
Filesize
19B
MD5322866ac1312f3bc0dd8685949f35b6a
SHA1dc3f64764aa99595ee48721142d2301ebbe07aec
SHA2565417fd3704beb2760ed54c38048ae44d2cd49312be2a8f104e542bbd5bbc88d6
SHA5121b5c2320beaeb34895a1d11882566463d365a128db4d260189850990e1215ce737334ee96b43ecd2c018f040548209cc6f11328a5a9b9eb5f57fc6ac61afe03d
-
Filesize
1KB
MD5e3f32bf45469d18567e23485109ffdd4
SHA12e207b073a4237e05b5da89f9ca2e9771757620c
SHA256e41ad345599c751ed8b124229df31681f2c44d322d092f85c2205b97f09c8a81
SHA512e8ab034c883c747d6a093d1221e080adf84a1c3662e4469c59cf49f693561262d435c28eede60e18151222fd9562abc6c81b6a57fa5587032cbc2d0b74a0c0e5
-
Filesize
149B
MD5babb9292822f6963475088494e446a00
SHA1d0f96ea279562a899f24b5a6905065de029877b0
SHA256bff5694d6d4c8a41217fa9d98d95c355a6f63ef939a4ef89bc45d1cf443a1f9d
SHA512b96daa0a52867f7f0454c8b35d85682aa22c3ac59495760c95204cc1cfc419bd88b5cc59d92dfab5a6343f8f86659e35e2f38cda0c1ea014d2377ab5e525fd5b
-
Filesize
160B
MD5748a0be2fe2d85bb05d034b99e8e0d7d
SHA19ccddfb983fc4032b43019b2f7ebfa8c3b3b9d0b
SHA2561071b18912a1ed7d89a9f47c3a0417c66578a6ab0ffce30310f659ea54f2fdd0
SHA512b285a29b3651a02ba092c91d62f8891d726615953754a6919f3055ea2d169364157cb6470211b01c7edcb9390d90c851cecda78d1d9dfee1e846f56342ab558b
-
Filesize
100KB
MD5a9d3dc0e13ba721c4cc03e34b783cd25
SHA1fb1abe2e0e478dcf4fc5f93e75c41fcd5acd4e9b
SHA256346c6f622a740a4354c2a11d584a7900cc49bd16cc1ec1382fbb16f736a3c015
SHA51257c0f062eb0d9978a6aa7d39a99da68834a269daf43d61de48abcd3308d87cfda55823315f4d775aa975cce6f5d91a9ac4bad75ec304e4d082d482b0112d7590
-
Filesize
14B
MD56feef98a8a0a708c076c6229fe3eb8e3
SHA121213d15bc8741f275d2f3b8c195ed7ce0548a78
SHA2568df87f65c0941524972d4b9ed54a7b652f6ce23980f3e35c2baa651f0b2df8a8
SHA512d00de3a17c0e66266cc02513a690e1bfa504122873926b035da2de492758df88930f999003638523faf211f085da6c755581f195bf1f3c2f3c74b75652b0f101
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB