Analysis
-
max time kernel
28s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/12/2024, 18:51
General
-
Target
ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe
-
Size
147KB
-
MD5
75c865f1747b242051eb6a05e91f915a
-
SHA1
624e32dc35c81331bee657174ba5744ab262564b
-
SHA256
ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc
-
SHA512
b5ca5b998a12cede7c11cac166d6f839c3ba4cbd7a22b6cdfb0385cb42ebd2e94c163543d826419f05f4cd4780e3f72003ae20d69b6ac7bebe4afadf48926cea
-
SSDEEP
3072:YA/yzn2EpnbZdb1U4FwhKNUrvHc9c7AWTTYbDU:YJnjbyKUziXMTN
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 7 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 54 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 9 IoCs
-
Runs regedit.exe 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~D346.bat "C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"3⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBInfo.vbe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Drivers\USBInfo.com"C:\Windows\system32\Drivers\USBInfo.com"5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~EDE8.bat "C:\Windows\system32\Drivers\USBInfo.com"6⤵
- Drops file in Drivers directory
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf7⤵
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$Recycle.Bin"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Documents and Settings"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "MSOCache"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "PerfLogs"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Program Files (x86)"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "ProgramData"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Recovery"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "System Volume Information"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Users"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Windows"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h autorun.inf7⤵
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "$RECYCLE.BIN"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Windows\system32\Drivers\USBInfo.sy_7⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"7⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "recycler.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h ╬─╝■╝╨.exe7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +a +r +s +h "system volume information.exe"7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1413886582-4175867301737272844-10878082031800492334-1270285233-1833153633-1911376440"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
4Hidden Files and Directories
4Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5bc278224d87330dbedf84ddefdced3f1
SHA10a21b60897db6bd7559fef583bb095266110b653
SHA2561d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a
SHA5126ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a
-
Filesize
257B
MD50fbbbd0b601e4334b30f5b836de7d554
SHA1811ddbc6e3d4ffe6e3fca829b61585498ff8bfd9
SHA256868591895393a63976b7899c17f1785722fc8c70e5906874430ebdc8601d7454
SHA5129cc78378a5fcef613febc0688a3838a6ad2a2af4fe846e4c587cdf3870e3c9c1f02333e5e1d2926089f73f5b4f463604e778109489e4ad570257e7004185a1f9
-
Filesize
77B
MD554ceb8eabaff522c097e4949d39fbd09
SHA1304fd3c274aac25477ba1f3f500ae34e6c94612d
SHA256d2d64a938a71d1b747112176eeb345991433fc81475a397b85b6b4c3d97f8550
SHA5123c6ce4fe30121305b176a3ccc7358343bfdd28537358e7289e4354b52f152c018acfe843659df5bd35228fca804b0285baa8350e2b6ca39719bdefdb77b2e0be
-
Filesize
20B
MD5905d7a48a13a75ced1342bbdf0a3ace2
SHA13bcc021a82ed38810bcf61286eb1f4e578e3721f
SHA25610338a72fbacb4fdf731d8937cdf23519896c5122b6a80079527cebf8406b3cd
SHA512fe77b8b928ba1ffb1a8bf941b2a0279b3ca6512d30dd1a2e2f363f9b2be245e361fab40232bc868f0f7e79bacc476653a49b66d2cf6945ed87b0c776783db8c1
-
Filesize
19B
MD5322866ac1312f3bc0dd8685949f35b6a
SHA1dc3f64764aa99595ee48721142d2301ebbe07aec
SHA2565417fd3704beb2760ed54c38048ae44d2cd49312be2a8f104e542bbd5bbc88d6
SHA5121b5c2320beaeb34895a1d11882566463d365a128db4d260189850990e1215ce737334ee96b43ecd2c018f040548209cc6f11328a5a9b9eb5f57fc6ac61afe03d
-
Filesize
147KB
MD575c865f1747b242051eb6a05e91f915a
SHA1624e32dc35c81331bee657174ba5744ab262564b
SHA256ce3ecf3836b45da6e133fcd1a37a272d46cc6e6ba79b65d00a55bc6f81da8bdc
SHA512b5ca5b998a12cede7c11cac166d6f839c3ba4cbd7a22b6cdfb0385cb42ebd2e94c163543d826419f05f4cd4780e3f72003ae20d69b6ac7bebe4afadf48926cea
-
Filesize
1KB
MD5e3f32bf45469d18567e23485109ffdd4
SHA12e207b073a4237e05b5da89f9ca2e9771757620c
SHA256e41ad345599c751ed8b124229df31681f2c44d322d092f85c2205b97f09c8a81
SHA512e8ab034c883c747d6a093d1221e080adf84a1c3662e4469c59cf49f693561262d435c28eede60e18151222fd9562abc6c81b6a57fa5587032cbc2d0b74a0c0e5
-
Filesize
149B
MD5babb9292822f6963475088494e446a00
SHA1d0f96ea279562a899f24b5a6905065de029877b0
SHA256bff5694d6d4c8a41217fa9d98d95c355a6f63ef939a4ef89bc45d1cf443a1f9d
SHA512b96daa0a52867f7f0454c8b35d85682aa22c3ac59495760c95204cc1cfc419bd88b5cc59d92dfab5a6343f8f86659e35e2f38cda0c1ea014d2377ab5e525fd5b
-
Filesize
160B
MD5748a0be2fe2d85bb05d034b99e8e0d7d
SHA19ccddfb983fc4032b43019b2f7ebfa8c3b3b9d0b
SHA2561071b18912a1ed7d89a9f47c3a0417c66578a6ab0ffce30310f659ea54f2fdd0
SHA512b285a29b3651a02ba092c91d62f8891d726615953754a6919f3055ea2d169364157cb6470211b01c7edcb9390d90c851cecda78d1d9dfee1e846f56342ab558b
-
Filesize
100KB
MD5b3bb632003bf80bc78487cd0c4e90301
SHA1516321b87ba16f86ac328a703167a505b85ce3e9
SHA2569080c79f1046c81776336f77636557a1f7526c2f090e7253a46a607f3bd1a2d3
SHA512b9f0d991b227ebbf6719573ce328bfd752f6b7125604cc657a7c7c13873727f37c85d9cc7fe538283c6af3f1e16b9f14d0180387383839969092c6e7cd679e90
-
Filesize
14B
MD56feef98a8a0a708c076c6229fe3eb8e3
SHA121213d15bc8741f275d2f3b8c195ed7ce0548a78
SHA2568df87f65c0941524972d4b9ed54a7b652f6ce23980f3e35c2baa651f0b2df8a8
SHA512d00de3a17c0e66266cc02513a690e1bfa504122873926b035da2de492758df88930f999003638523faf211f085da6c755581f195bf1f3c2f3c74b75652b0f101
-
Filesize
172KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
172KB
-
Filesize
16.6MB
-
Filesize
172KB