Analysis
-
max time kernel: 30s
max time network: 31s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 12-12-2024 19:01
Static task
static1
Behavioral tasks
behavioral1: DutchbotInject.exe on win7-20240903-en
behavioral2: DutchbotInject.exe on win10v2004-20241007-en
behavioral3: Dutchlove2.dll on win7-20241023-en
behavioral4: Dutchlove2.dll on win10v2004-20241007-en
behavioral5: Start.bat on win7-20240903-en
General
-
Target: Start.bat
Size: 2KB
MD5: 6319006e2bfe88e5d7c643f6f44e25c8
SHA1: 3cc007c17d44a0d5292a4f397abe8990c19ed17e
SHA256: b479648114f6ec339ff14483f813ef312d67fad1630a2c52f9b475717ee9f4c1
SHA512: 81ac3ca0fd198cb094156fb6f0d4b882d7ec676b201bf2b996fba095013d11c9de38de6c2442cca8f340aefc921db02e623502afa6f5038e3733337120b90fcd
Malware Config
Extracted
Family: bdaejec
C2: ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is a backdoor written in C++.
resource: behavioral6/memory/4500-76-0x0000000000540000-0x0000000000549000-memory.dmp
yara_rule: family_bdaejec_backdoor
-
resource: behavioral6/files/0x000b000000023b84-33.dat
yara_rule: aspack_v212_v242
-
The family rule matched only a memory dump of PID 4500 (Ghxb.exe), not any file on disk; the sole file-level hit on the dropped file is an ASPack (v2.12 to v2.42) packer rule. That is the usual picture for a packed payload: the family signature is recognisable once the code is unpacked in memory, so a static scan of the dropped file with the family rule alone should not be expected to fire.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Process: Ghxb.exe
-
Executes dropped EXE 1 IoCs
pid 4500 Process Ghxb.exe
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe Ghxb.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe Ghxb.exe
File opened for modification C:\Program Files\Windows Mail\wab.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe Ghxb.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE Ghxb.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Ghxb.exe
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe Ghxb.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe Ghxb.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE Ghxb.exe
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe Ghxb.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe Ghxb.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Ghxb.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE Ghxb.exe
File created C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\deathmatch.dll DutchbotInject.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe Ghxb.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Ghxb.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE Ghxb.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe Ghxb.exe
-
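All but one of the entries above are existing executables under Program Files that Ghxb.exe opened with write access, spread across unrelated vendors (Java, Office, Adobe, 7-Zip, Firefox, Store apps); the single "File created" entry belongs to DutchbotInject.exe. Mass write-opens of installed PE files across many products is the footprint of a process rewriting binaries that are already there, not of an installer updating its own product. The Python below is an added example, not part of this report or of any sandbox tooling: it parses IoC lines in the report's own "action, path, process" layout (a constructed subset of the lines above is embedded), keeps only write-opens of PE files under Program Files, and scores each process by the number of distinct targets and of top-level product directories they span. The thresholds and the PE_EXT set are assumptions.

```python
"""Flag processes that open many installed PE files for writing.

Added example (not from the report): IOC_SAMPLE is a constructed subset of
the "Drops file in Program Files directory" lines, in the report's
"<action> <path> <process>" layout. Thresholds and PE_EXT are assumptions.
"""
import ntpath
import re
from collections import defaultdict

IOC_SAMPLE = r"""
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe Ghxb.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe Ghxb.exe
File opened for modification C:\Program Files\Windows Mail\wab.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe Ghxb.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe Ghxb.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe Ghxb.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Ghxb.exe
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe Ghxb.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Ghxb.exe
File created C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\deathmatch.dll DutchbotInject.exe
"""

# The last whitespace-separated token of a line is the process name; the
# non-greedy path group therefore absorbs every space inside the path.
LINE = re.compile(r"^(File opened for modification|File created)\s+(.+?)\s+(\S+)$")
PE_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}  # assumption
PROGRAM_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_iocs(text):
    """Return (action, path, process) triples for every parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def product_dir(path):
    """Top-level product directory under Program Files, or None."""
    low = path.lower()
    for root in PROGRAM_ROOTS:
        if low.startswith(root):
            return path[len(root):].split("\\", 1)[0]
    return None


def infector_candidates(events, min_targets=5, min_products=3):
    """Processes that opened >= min_targets distinct existing PE files under
    Program Files for writing, spanning >= min_products product directories.
    'File created' is deliberately excluded: an infector rewrites files that
    are already present, a dropper creates new ones."""
    written = defaultdict(set)
    for action, path, proc in events:
        if action != "File opened for modification":
            continue
        if ntpath.splitext(path)[1].lower() not in PE_EXT:
            continue
        if product_dir(path) is None:
            continue
        written[proc].add(path)
    report = {}
    for proc, paths in written.items():
        products = {product_dir(p) for p in paths}
        if len(paths) >= min_targets and len(products) >= min_products:
            report[proc] = {"targets": len(paths), "products": sorted(products)}
    return report


if __name__ == "__main__":
    for proc, info in infector_candidates(parse_iocs(IOC_SAMPLE)).items():
        print(f"{proc}: {info['targets']} PE files across "
              f"{len(info['products'])} products: {', '.join(info['products'])}")
```

When this fires on a real host, every listed binary has to be treated as potentially modified: verify each against its package manifest or Authenticode signature and reinstall what fails, rather than only removing the dropped Ghxb.exe.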
Launches sc.exe 15 IoCs
sc.exe is a Windows utility to control services on the system.
pid Process: 4036 sc.exe, 3688 sc.exe, 1380 sc.exe, 924 sc.exe, 1520 sc.exe, 3608 sc.exe, 336 sc.exe, 3516 sc.exe, 2676 sc.exe, 1952 sc.exe, 4600 sc.exe, 4860 sc.exe, 4344 sc.exe, 1784 sc.exe, 4116 sc.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
pid Process: 4376 powershell.exe, 872 powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: sc.exe (x4), cmd.exe (x5), Ghxb.exe, DutchbotInject.exe
All eleven hits come from the 32-bit (SysWOW64) processes in the tree, including the cmd.exe and sc.exe helpers; this key is commonly read during 32-bit process start-up on 64-bit Windows, so the signature is noisy here and should not be read as deliberate geolocation by those helpers. The Geo\Nation query by Ghxb.exe above is the stronger indicator.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5116 PING.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS powershell.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS powershell.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS powershell.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5116 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process: 4376 powershell.exe (x3), 872 powershell.exe (x2), 3208 DutchbotInject.exe (x59)
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process
Token: SeDebugPrivilege 4376 powershell.exe (x1)
Token: SeDebugPrivilege 872 powershell.exe (x1)
Token: SeBackupPrivilege 872 powershell.exe (x26)
Token: SeSecurityPrivilege 872 powershell.exe (x11)
-
The interleaved SeBackupPrivilege/SeSecurityPrivilege enables by PID 872 are the Clear-EventLog loop working through each log; clearing the Security log in particular requires SeSecurityPrivilege. On a real host the wipe leaves its own trace: Event ID 1102 ("The audit log was cleared") in the Security log and Event ID 104 ("The <name> log file was cleared") in the System log are written right after the clear, so those are the records to hunt for.
Suspicious use of WriteProcessMemory 61 IoCs
Each row collapses the report's repeated entries for the same parent/child pair into one line with a count.
parent pid (Process) -> child pid [procid_target] writes
4876 (cmd.exe) -> 1520 [83] x2
4876 (cmd.exe) -> 3608 [84] x2
4876 (cmd.exe) -> 4036 [85] x2
4876 (cmd.exe) -> 4344 [86] x2
4876 (cmd.exe) -> 336 [87] x2
4876 (cmd.exe) -> 3516 [88] x2
4876 (cmd.exe) -> 4600 [89] x2
4876 (cmd.exe) -> 3688 [90] x2
4876 (cmd.exe) -> 2676 [91] x2
4876 (cmd.exe) -> 4860 [92] x2
4876 (cmd.exe) -> 1380 [93] x2
4876 (cmd.exe) -> 5116 [94] x2
4876 (cmd.exe) -> 4376 [95] x2
4876 (cmd.exe) -> 872 [96] x2
4876 (cmd.exe) -> 3208 [97] x3
3208 (DutchbotInject.exe) -> 4500 [99] x3
3208 (DutchbotInject.exe) -> 2192 [100] x3
2192 (cmd.exe) -> 1952 [101] x3
3208 (DutchbotInject.exe) -> 2256 [102] x3
2256 (cmd.exe) -> 1784 [103] x3
3208 (DutchbotInject.exe) -> 4088 [104] x3
4088 (cmd.exe) -> 4116 [105] x3
3208 (DutchbotInject.exe) -> 1324 [106] x3
1324 (cmd.exe) -> 924 [107] x3
4500 (Ghxb.exe) -> 1408 [108] x3
Processes
-
C:\Windows\system32\cmd.exe  (PID 4876)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Start.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\sc.exe  (PID 1520)
    Command line: sc delete FairplayKD
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 3608)
    Command line: sc delete FairplayKD1
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 4036)
    Command line: sc delete FairplayKD2
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 4344)
    Command line: sc delete FairplayKD3
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 336)
    Command line: sc delete FairplayKD4
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 3516)
    Command line: sc delete FairplayKD5
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 4600)
    Command line: sc delete FairplayKD6
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 3688)
    Command line: sc delete FairplayKD7
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 2676)
    Command line: sc delete FairplayKD8
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 4860)
    Command line: sc delete FairplayKD9
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 1380)
    Command line: sc delete FairplayKD10
    - Launches sc.exe
  C:\Windows\system32\PING.EXE  (PID 5116)
    Command line: ping 127.0.0.1 -n 2
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4376)
    Command line: powershell -ExecutionPolicy Bypass -File C:\Users\service.ps1
    - Command and Scripting Interpreter: PowerShell
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 872)
    Command line: PowerShell -Command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\DutchbotInject.exe  (PID 3208)
    Command line: DutchbotInject.exe
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Ghxb.exe  (PID 4500)
      Command line: C:\Users\Admin\AppData\Local\Temp\Ghxb.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 1408)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2f6c0d30.bat" "
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 2192)
      Command line: C:\Windows\system32\cmd.exe /c sc stop FairplayKD >nul
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sc.exe  (PID 1952)
        Command line: sc stop FairplayKD
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 2256)
      Command line: C:\Windows\system32\cmd.exe /c sc delete FairplayKD >nul
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sc.exe  (PID 1784)
        Command line: sc delete FairplayKD
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 4088)
      Command line: C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 >nul
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sc.exe  (PID 4116)
        Command line: sc stop FairplayKD1
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 1324)
      Command line: C:\Windows\system32\cmd.exe /c sc delete FairplayKD1 >nul
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sc.exe  (PID 924)
        Command line: sc delete FairplayKD1
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
-
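The tree reads as one defence-evasion sequence driven from Start.bat: eleven `sc delete FairplayKD*` calls, a loopback ping used as a delay, a PowerShell script run with `-ExecutionPolicy Bypass`, a one-liner that clears every event log, and then the DutchbotInject.exe to Ghxb.exe chain, which repeats the FairplayKD stop/delete through `cmd /c` wrappers. The Python below is an added example, not part of this report or of the sandbox: it encodes those observations as detection rules over a transcribed copy of the tree (a subset of the sc.exe children is included; the rule names, regexes and the burst threshold are assumptions) and deals with the attribution problem a `cmd /c <single command>` wrapper creates by walking up to the nearest ancestor that is not such a wrapper.

```python
"""Detection rules over the process tree of this report.

Added example, not part of the sandbox report: PROCESSES is transcribed from
the report's process tree (a subset of the top-level "sc delete FairplayKD*"
children); rule names, regexes and the burst threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (pid, parent pid, image, command line) as shown in the report's tree.
PROCESSES = [
    (4876, None, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Start.bat"'),
    (1520, 4876, r"C:\Windows\system32\sc.exe", "sc delete FairplayKD"),
    (3608, 4876, r"C:\Windows\system32\sc.exe", "sc delete FairplayKD1"),
    (4036, 4876, r"C:\Windows\system32\sc.exe", "sc delete FairplayKD2"),
    (5116, 4876, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1 -n 2"),
    (4376, 4876, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -ExecutionPolicy Bypass -File C:\Users\service.ps1"),
    (872, 4876, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'PowerShell -Command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"'),
    (3208, 4876, r"C:\Users\Admin\AppData\Local\Temp\DutchbotInject.exe", "DutchbotInject.exe"),
    (4500, 3208, r"C:\Users\Admin\AppData\Local\Temp\Ghxb.exe", r"C:\Users\Admin\AppData\Local\Temp\Ghxb.exe"),
    (1408, 4500, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2f6c0d30.bat" "'),
    (2192, 3208, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c sc stop FairplayKD >nul"),
    (1952, 2192, r"C:\Windows\SysWOW64\sc.exe", "sc stop FairplayKD"),
    (2256, 3208, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c sc delete FairplayKD >nul"),
    (1784, 2256, r"C:\Windows\SysWOW64\sc.exe", "sc delete FairplayKD"),
    (4088, 3208, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 >nul"),
    (4116, 4088, r"C:\Windows\SysWOW64\sc.exe", "sc stop FairplayKD1"),
    (1324, 3208, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c sc delete FairplayKD1 >nul"),
    (924, 1324, r"C:\Windows\SysWOW64\sc.exe", "sc delete FairplayKD1"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int      # process the finding is attributed to
    detail: str


SC_TAMPER = re.compile(r"^\s*sc(?:\.exe)?\s+(stop|delete|config)\s+(\S+)", re.I)
PS_BYPASS = re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass", re.I)  # -ep/-ex/-exec/-ExecutionPolicy
EVENTLOG_WIPE = re.compile(r"Clear-EventLog|wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
PING_SLEEP = re.compile(r"ping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost)(?:\s+-n\s+(\d+))?", re.I)
RUNS_SCRIPT = re.compile(r"cmd(?:\.exe)?\s+/c\s+.*\.(?:bat|cmd)\b", re.I)


def index(procs):
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in procs}

def ancestors(by_pid, pid):
    """Parent PIDs of pid, nearest first, up to the root of the tree."""
    chain, ppid = [], by_pid[pid][0]
    while ppid in by_pid:
        chain.append(ppid)
        ppid = by_pid[ppid][0]
    return chain

def effective_parent(by_pid, pid):
    """Nearest ancestor that is not a transient 'cmd /c <one command>' wrapper.
    A cmd.exe running a .bat/.cmd script counts as a real parent, so sc.exe
    started from Start.bat is attributed to PID 4876, while sc.exe started via
    'cmd /c sc ...' is attributed to the program behind that wrapper."""
    for a in ancestors(by_pid, pid):
        _, image, cmd = by_pid[a]
        if not image.lower().endswith("cmd.exe") or RUNS_SCRIPT.search(cmd):
            return a
    return None

def run_rules(procs, sc_burst=3):
    by_pid = index(procs)
    findings, tamper = [], defaultdict(list)
    for pid, _ppid, image, cmd in procs:
        exe = image.lower().rsplit("\\", 1)[-1]
        if exe == "sc.exe" and (m := SC_TAMPER.match(cmd)):
            tamper[effective_parent(by_pid, pid)].append(f"{m.group(1)} {m.group(2)}")
        if exe == "powershell.exe":
            if PS_BYPASS.search(cmd):
                findings.append(Finding("powershell_bypass_script", pid, cmd))
            if EVENTLOG_WIPE.search(cmd):
                scope = "all logs" if re.search(r"-LogName\s+\*", cmd, re.I) else "selected logs"
                findings.append(Finding("eventlog_wipe", pid, scope))
        if exe == "ping.exe" and (m := PING_SLEEP.search(cmd)):
            root = effective_parent(by_pid, pid)
            if root is not None and RUNS_SCRIPT.search(by_pid[root][2]):   # loopback ping as a script delay
                findings.append(Finding("ping_loopback_sleep", pid,
                                        f"-n {m.group(1) or m.group(2)} inside script of pid {root}"))
    for parent, verbs in tamper.items():
        if len(verbs) >= sc_burst:
            findings.append(Finding("sc_service_tamper_burst", parent, "; ".join(verbs)))
    return findings


if __name__ == "__main__":
    for f in run_rules(PROCESSES):
        print(f"{f.rule:26} pid={f.pid:<5} {f.detail}")
```

Running it prints five findings: the bypass (PID 4376), the log wipe over all logs (PID 872), the loopback-ping delay (PID 5116) and two service-tamper bursts, one attributed to the Start.bat shell (PID 4876) and one to DutchbotInject.exe (PID 3208). The second attribution is what `effective_parent` buys: without it the four sc.exe calls under DutchbotInject.exe would be spread over four unrelated cmd.exe instances and never reach the threshold.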
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (1)
  - Service Execution (1)
Downloads
-
Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize: 4B
MD5: d3b07384d113edec49eaa6238ad5ff00
SHA1: f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512: 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
(These are the digests of the four bytes "foo" followed by a newline, i.e. a placeholder artifact rather than a meaningful file.)
-
Filesize: 1KB
MD5: e0ec6bf376a6b15852bce768196c5ed0
SHA1: 05fe4e592ebbb7e29f36b8d30a6a90ba29bd4f81
SHA256: 2d4a39cbbd597a7cfff477817c3c7c541c14974c8d234b4c0de6d229e3a3ce97
SHA512: dc0c7d3d127c88affea9ae402d7358c079cfa7fc3ecb417085e31dc749da1406e72563bfbe42167fdad57e10aa0c6cca7a8ba06921b3a1212ad7ccee1a0f859b
-
Filesize: 183B
MD5: 5f1702122a6ac639741dd38aada0d58a
SHA1: 753ff33ee3fec0b82b958d3fdf462cfaf3b54d1e
SHA256: 0c9979c16ceebee1c9dd59ab79c03bbcefcc21a696f351dede055bcb7669d58f
SHA512: 7deae43105b09898e34989b2c7dfd0c2b6d475ab203ddd7e60b23b501f7449f25c9e16868283f9519299410a3e0587f6735e0eb78649f15d58fe381f84327244
-
Filesize: 4B
MD5: 20879c987e2f9a916e578386d499f629
SHA1: c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256: 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512: bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 1KB
MD5: 55cee1bfb2bb685c8886fef55e2f0eed
SHA1: c52eab8b690bfc94ff354d10f3d944af76d49f9a
SHA256: 728ecfc271c6117ff28b278845cd18614e79e69d4a8c9ee7d3266b274452ad95
SHA512: 1ac4aa4ea02d513d66f39e0ebab8d64d6c03bdbb7ed84eff2fac6bebffb1bf0516e16f90baaf8c3d5a67b53c10b07518b3fbd37057b54966fcfd177a557ca02a