Analysis
-
max time kernel
31s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06/12/2024, 18:43
General
-
Target
ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe
-
Size
147KB
-
MD5
75c865f1747b242051eb6a05e91f915a
-
SHA1
624e32dc35c81331bee657174ba5744ab262564b
-
SHA256
ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc
-
SHA512
b5ca5b998a12cede7c11cac166d6f839c3ba4cbd7a22b6cdfb0385cb42ebd2e94c163543d826419f05f4cd4780e3f72003ae20d69b6ac7bebe4afadf48926cea
-
SSDEEP
3072:YA/yzn2EpnbZdb1U4FwhKNUrvHc9c7AWTTYbDU:YJnjbyKUziXMTN
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 7 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 10 IoCs
-
Modifies registry class 2 IoCs
-
Runs regedit.exe 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~7EA6.bat "C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"3⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBInfo.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Drivers\USBInfo.com"C:\Windows\system32\Drivers\USBInfo.com"5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~9D2A.bat "C:\Windows\system32\Drivers\USBInfo.com"6⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf7⤵
- Sets file to hidden
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$Recycle.Bin"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Documents and Settings"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "PerfLogs"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files (x86)"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "ProgramData"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Recovery"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "System Volume Information"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Users"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Windows"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf7⤵
- Sets file to hidden
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$RECYCLE.BIN"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "System Volume Information"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
4Hidden Files and Directories
4Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5bc278224d87330dbedf84ddefdced3f1
SHA10a21b60897db6bd7559fef583bb095266110b653
SHA2561d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a
SHA5126ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a
-
Filesize
257B
MD522100584c4bac88a9e789445cc99d9f4
SHA123dd9245f53f77daf7afc5aaf26ef6231c21feb7
SHA256e7cfb21cd1378af2c50437827582fbb2665255610bc6febbb3f3e808752d8b16
SHA51241141de46a46e4abc854bb40babc6ad9e998d02590526be637bdfaae9ae63ced501a9a72c22f96559ef12616913e350076032f5576180880a90a10cd1248ac2c
-
Filesize
147KB
MD575c865f1747b242051eb6a05e91f915a
SHA1624e32dc35c81331bee657174ba5744ab262564b
SHA256ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc
SHA512b5ca5b998a12cede7c11cac166d6f839c3ba4cbd7a22b6cdfb0385cb42ebd2e94c163543d826419f05f4cd4780e3f72003ae20d69b6ac7bebe4afadf48926cea
-
Filesize
77B
MD554ceb8eabaff522c097e4949d39fbd09
SHA1304fd3c274aac25477ba1f3f500ae34e6c94612d
SHA256d2d64a938a71d1b747112176eeb345991433fc81475a397b85b6b4c3d97f8550
SHA5123c6ce4fe30121305b176a3ccc7358343bfdd28537358e7289e4354b52f152c018acfe843659df5bd35228fca804b0285baa8350e2b6ca39719bdefdb77b2e0be
-
Filesize
20B
MD5905d7a48a13a75ced1342bbdf0a3ace2
SHA13bcc021a82ed38810bcf61286eb1f4e578e3721f
SHA25610338a72fbacb4fdf731d8937cdf23519896c5122b6a80079527cebf8406b3cd
SHA512fe77b8b928ba1ffb1a8bf941b2a0279b3ca6512d30dd1a2e2f363f9b2be245e361fab40232bc868f0f7e79bacc476653a49b66d2cf6945ed87b0c776783db8c1
-
Filesize
19B
MD5322866ac1312f3bc0dd8685949f35b6a
SHA1dc3f64764aa99595ee48721142d2301ebbe07aec
SHA2565417fd3704beb2760ed54c38048ae44d2cd49312be2a8f104e542bbd5bbc88d6
SHA5121b5c2320beaeb34895a1d11882566463d365a128db4d260189850990e1215ce737334ee96b43ecd2c018f040548209cc6f11328a5a9b9eb5f57fc6ac61afe03d
-
Filesize
1KB
MD5e3f32bf45469d18567e23485109ffdd4
SHA12e207b073a4237e05b5da89f9ca2e9771757620c
SHA256e41ad345599c751ed8b124229df31681f2c44d322d092f85c2205b97f09c8a81
SHA512e8ab034c883c747d6a093d1221e080adf84a1c3662e4469c59cf49f693561262d435c28eede60e18151222fd9562abc6c81b6a57fa5587032cbc2d0b74a0c0e5
-
Filesize
149B
MD5babb9292822f6963475088494e446a00
SHA1d0f96ea279562a899f24b5a6905065de029877b0
SHA256bff5694d6d4c8a41217fa9d98d95c355a6f63ef939a4ef89bc45d1cf443a1f9d
SHA512b96daa0a52867f7f0454c8b35d85682aa22c3ac59495760c95204cc1cfc419bd88b5cc59d92dfab5a6343f8f86659e35e2f38cda0c1ea014d2377ab5e525fd5b
-
Filesize
150B
MD5ec4064ac609dc25d680be76463282759
SHA1e811243e6946ab739afe39f79e7e010c5d3aa646
SHA2565f7b66850209b68edce639f55db86876840969a4302143811f5953b643f45dae
SHA512e65ad34b719c46d97729167cd0c8ed0ba8a9ee567b67a4663ddc48873735914c28315428b8415ced78a7608165910dcb4583222b08e3e1a7cabf7b3e9339401f
-
Filesize
100KB
MD5042b7217342dca9381c799cf9f6116ad
SHA1c06a828c8a997fb83a95f7dcb5bd042ec44f4200
SHA256894b3263bb87a51bbe94f8a87ee6c3a2908470b1a41ceb35004a653c08e49c5f
SHA512a17ec75911faa7495cd52ec0920b67ea38264be02bdf1cc09d4f045a1b29ed0467f62df9981f018c6fb3d156ba5651df7d488ca424d27c970629a8b0d87eb320
-
Filesize
41B
MD5fc58af21d2445196d228547ba36ce949
SHA1f5eade25a4c478faa988d62ad7f93679a148e511
SHA25693bd2fd7de32217b93b299ccf87fe53d47f5c1f1b44dbcfa3921f10d405d026e
SHA512eabe18f6d152fd1f4450d618ed0084990f90071cc18d42812a68339d3fd55c8b4a4ce03fb575730a2188a8ce3bfb15c275ad6a00820902a3737723220fdd4427
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB