9d1bdbf2d7b18f5cc380da85751468dea9f052f187ef136531d5bd48d723adae

Analysis

max time kernel
148s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXTERNAL/L-External.exe
Size

31.4MB
MD5

85b594f27029d0b6f6596e04f6ed88b7
SHA1

d1fa0c4df845908be7602d8f42910ee26b6cc804
SHA256

3cde26727bba3e8a15f5de379189654ba5fe079d98190147946946b046f47327
SHA512

bfc6369264bcf809573ffa85140da687875a691c36ec25dec115ff954e154b0508d69e95182da42ed8a39864db8323bf7f7f66c285cfc75c5dc5237ab294dbc2
SSDEEP

786432:W3QmUfZtpjvmyhr+XcDJJ+IMyaWpvhj1T8KkS:W3UZtpj+y142JJ+ILHB87S

Score

9^/10

bootkit defense_evasion persistence privilege_escalation trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	L-External.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	L-External.exe

Modifies Windows Firewall 2 TTPs 36 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4692	netsh.exe
1600	netsh.exe
2012	netsh.exe
4784	netsh.exe
3752	netsh.exe
1328	netsh.exe
4948	netsh.exe
2772	netsh.exe
6068	netsh.exe
5076	netsh.exe
532	netsh.exe
2684	netsh.exe
5276	netsh.exe
4632	netsh.exe
3924	netsh.exe
400	netsh.exe
1616	netsh.exe
4516	netsh.exe
5340	netsh.exe
1776	netsh.exe
5088	netsh.exe
5052	netsh.exe
5692	netsh.exe
4580	netsh.exe
1308	netsh.exe
3820	netsh.exe
5024	netsh.exe
2404	netsh.exe
4052	netsh.exe
4112	netsh.exe
3880	netsh.exe
2844	netsh.exe
3960	netsh.exe
2180	netsh.exe
3916	netsh.exe
5272	netsh.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	L-External.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	L-External.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	L-External.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	L-External.exe

Executes dropped EXE 1 IoCs

pid	Process
4328	Loader.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	L-External.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
10	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	L-External.exe
File opened for modification	\??\PhysicalDrive0	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
5860	L-External.exe
5860	L-External.exe
4328	Loader.exe
4328	Loader.exe
4328	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	L-External.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	L-External.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3016	timeout.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5860	L-External.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5860 wrote to memory of 4248	5860	L-External.exe	87
PID 5860 wrote to memory of 4248	5860	L-External.exe	87
PID 5860 wrote to memory of 5732	5860	L-External.exe	88
PID 5860 wrote to memory of 5732	5860	L-External.exe	88
PID 5732 wrote to memory of 4512	5732	cmd.exe	90
PID 5732 wrote to memory of 4512	5732	cmd.exe	90
PID 5860 wrote to memory of 5936	5860	L-External.exe	91
PID 5860 wrote to memory of 5936	5860	L-External.exe	91
PID 5936 wrote to memory of 3016	5936	cmd.exe	93
PID 5936 wrote to memory of 3016	5936	cmd.exe	93
PID 5936 wrote to memory of 4328	5936	cmd.exe	94
PID 5936 wrote to memory of 4328	5936	cmd.exe	94
PID 4328 wrote to memory of 4568	4328	Loader.exe	101
PID 4328 wrote to memory of 4568	4328	Loader.exe	101
PID 4568 wrote to memory of 400	4568	cmd.exe	102
PID 4568 wrote to memory of 400	4568	cmd.exe	102
PID 4328 wrote to memory of 5240	4328	Loader.exe	103
PID 4328 wrote to memory of 5240	4328	Loader.exe	103
PID 5240 wrote to memory of 4580	5240	cmd.exe	104
PID 5240 wrote to memory of 4580	5240	cmd.exe	104
PID 4328 wrote to memory of 5280	4328	Loader.exe	105
PID 4328 wrote to memory of 5280	4328	Loader.exe	105
PID 5280 wrote to memory of 2180	5280	cmd.exe	106
PID 5280 wrote to memory of 2180	5280	cmd.exe	106
PID 4328 wrote to memory of 5124	4328	Loader.exe	107
PID 4328 wrote to memory of 5124	4328	Loader.exe	107
PID 5124 wrote to memory of 4948	5124	cmd.exe	108
PID 5124 wrote to memory of 4948	5124	cmd.exe	108
PID 4328 wrote to memory of 5060	4328	Loader.exe	109
PID 4328 wrote to memory of 5060	4328	Loader.exe	109
PID 5060 wrote to memory of 2772	5060	cmd.exe	110
PID 5060 wrote to memory of 2772	5060	cmd.exe	110
PID 4328 wrote to memory of 1340	4328	Loader.exe	111
PID 4328 wrote to memory of 1340	4328	Loader.exe	111
PID 1340 wrote to memory of 1616	1340	cmd.exe	112
PID 1340 wrote to memory of 1616	1340	cmd.exe	112
PID 4328 wrote to memory of 940	4328	Loader.exe	113
PID 4328 wrote to memory of 940	4328	Loader.exe	113
PID 940 wrote to memory of 2012	940	cmd.exe	114
PID 940 wrote to memory of 2012	940	cmd.exe	114
PID 4328 wrote to memory of 1096	4328	Loader.exe	115
PID 4328 wrote to memory of 1096	4328	Loader.exe	115
PID 1096 wrote to memory of 4516	1096	cmd.exe	116
PID 1096 wrote to memory of 4516	1096	cmd.exe	116
PID 4328 wrote to memory of 5792	4328	Loader.exe	117
PID 4328 wrote to memory of 5792	4328	Loader.exe	117
PID 5792 wrote to memory of 3916	5792	cmd.exe	118
PID 5792 wrote to memory of 3916	5792	cmd.exe	118
PID 4328 wrote to memory of 832	4328	Loader.exe	119
PID 4328 wrote to memory of 832	4328	Loader.exe	119
PID 832 wrote to memory of 532	832	cmd.exe	120
PID 832 wrote to memory of 532	832	cmd.exe	120
PID 4328 wrote to memory of 1612	4328	Loader.exe	121
PID 4328 wrote to memory of 1612	4328	Loader.exe	121
PID 1612 wrote to memory of 1308	1612	cmd.exe	122
PID 1612 wrote to memory of 1308	1612	cmd.exe	122
PID 4328 wrote to memory of 1448	4328	Loader.exe	123
PID 4328 wrote to memory of 1448	4328	Loader.exe	123
PID 1448 wrote to memory of 5076	1448	cmd.exe	124
PID 1448 wrote to memory of 5076	1448	cmd.exe	124
PID 4328 wrote to memory of 1848	4328	Loader.exe	125
PID 4328 wrote to memory of 1848	4328	Loader.exe	125
PID 1848 wrote to memory of 4784	1848	cmd.exe	126
PID 1848 wrote to memory of 4784	1848	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\EXTERNAL\L-External.exe
"C:\Users\Admin\AppData\Local\Temp\EXTERNAL\L-External.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color e
  2⤵
  PID:4248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v NameServer /t REG_SZ /d "8.8.8.8,8.8.4.4" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5732
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v NameServer /t REG_SZ /d "8.8.8.8,8.8.4.4" /f
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delete_self.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5936
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\EXTERNAL\Loader.exe
    "Loader.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.88.66" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.88.66"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.88.66" dir=out action=block remoteip=104.21.88.66 > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5240
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.88.66" dir=out action=block remoteip=104.21.88.66
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 172.67.173.161" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5280
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 172.67.173.161"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 172.67.173.161" dir=out action=block remoteip=172.67.173.161 > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5124
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 172.67.173.161" dir=out action=block remoteip=172.67.173.161
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3034::6815:5842" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3034::6815:5842"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3034::6815:5842" dir=out action=block remoteip=2606:4700:3034::6815:5842 > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3034::6815:5842" dir=out action=block remoteip=2606:4700:3034::6815:5842
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::ac43:ada1" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::ac43:ada1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::ac43:ada1" dir=out action=block remoteip=2606:4700:3030::ac43:ada1 > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::ac43:ada1" dir=out action=block remoteip=2606:4700:3030::ac43:ada1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:4001" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5792
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:4001"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:4001" dir=out action=block remoteip=2606:4700:3030::6815:4001 > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:4001" dir=out action=block remoteip=2606:4700:3030::6815:4001
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:3001" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:3001"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:3001" dir=out action=block remoteip=2606:4700:3030::6815:3001 > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:3001" dir=out action=block remoteip=2606:4700:3030::6815:3001
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:7001" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:7001"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:7001" dir=out action=block remoteip=2606:4700:3030::6815:7001 > nul 2>&1
      4⤵
      PID:444
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:7001" dir=out action=block remoteip=2606:4700:3030::6815:7001
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:6001" > nul 2>&1
      4⤵
      PID:5824
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:6001"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:6001" dir=out action=block remoteip=2606:4700:3030::6815:6001 > nul 2>&1
      4⤵
      PID:244
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:6001" dir=out action=block remoteip=2606:4700:3030::6815:6001
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:5001" > nul 2>&1
      4⤵
      PID:4000
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:5001"
        5⤵
        Modifies Windows Firewall
        
        PID:3752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:5001" dir=out action=block remoteip=2606:4700:3030::6815:5001 > nul 2>&1
      4⤵
      PID:1148
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:5001" dir=out action=block remoteip=2606:4700:3030::6815:5001
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:2001" > nul 2>&1
      4⤵
      PID:3792
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:2001"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:2001" dir=out action=block remoteip=2606:4700:3030::6815:2001 > nul 2>&1
      4⤵
      PID:3760
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:2001" dir=out action=block remoteip=2606:4700:3030::6815:2001
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:1001" > nul 2>&1
      4⤵
      PID:5872
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 2606:4700:3030::6815:1001"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:1001" dir=out action=block remoteip=2606:4700:3030::6815:1001 > nul 2>&1
      4⤵
      PID:3528
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 2606:4700:3030::6815:1001" dir=out action=block remoteip=2606:4700:3030::6815:1001
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.32.1" > nul 2>&1
      4⤵
      PID:6128
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.32.1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.32.1" dir=out action=block remoteip=104.21.32.1 > nul 2>&1
      4⤵
      PID:3904
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.32.1" dir=out action=block remoteip=104.21.32.1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.96.1" > nul 2>&1
      4⤵
      PID:2640
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.96.1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.96.1" dir=out action=block remoteip=104.21.96.1 > nul 2>&1
      4⤵
      PID:3148
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.96.1" dir=out action=block remoteip=104.21.96.1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.48.1" > nul 2>&1
      4⤵
      PID:1792
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.48.1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.48.1" dir=out action=block remoteip=104.21.48.1 > nul 2>&1
      4⤵
      PID:1472
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.48.1" dir=out action=block remoteip=104.21.48.1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.64.1" > nul 2>&1
      4⤵
      PID:3628
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.64.1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.64.1" dir=out action=block remoteip=104.21.64.1 > nul 2>&1
      4⤵
      PID:6008
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.64.1" dir=out action=block remoteip=104.21.64.1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.80.1" > nul 2>&1
      4⤵
      PID:3848
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.80.1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.80.1" dir=out action=block remoteip=104.21.80.1 > nul 2>&1
      4⤵
      PID:3956
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.80.1" dir=out action=block remoteip=104.21.80.1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.112.1" > nul 2>&1
      4⤵
      PID:4792
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.112.1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.112.1" dir=out action=block remoteip=104.21.112.1 > nul 2>&1
      4⤵
      PID:3920
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.112.1" dir=out action=block remoteip=104.21.112.1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="Block 104.21.16.1" > nul 2>&1
      4⤵
      PID:4308
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall show rule name="Block 104.21.16.1"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Block 104.21.16.1" dir=out action=block remoteip=104.21.16.1 > nul 2>&1
      4⤵
      PID:4324
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Block 104.21.16.1" dir=out action=block remoteip=104.21.16.1
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color e
      4⤵
      PID:5732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mntemp

Filesize
16B

MD5
5b80f766c14dc7bfbbfa98ecabd12f02

SHA1
6c15e7caa5d1063012cb6908adcd331275ca2830

SHA256
a09c5ef5d77d900a1c175dce8b56e1be76fa3cbd2145d22bd4ae933239f41edd

SHA512
57d3372030b2df362f61bea431ea27a60ca6d962eb430b512ac9b69075c76648e937216c43c9e6f3308222aac26201c6730001fb9c8d3b53ae10a1f3a2af8a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXTERNAL\Loader.exe

Filesize
31.1MB

MD5
6ba2fc5b1c2cffc921264d06d6637f20

SHA1
47ab110de7aca478db15ca1d973192b195380ee2

SHA256
ca81473d4b91ee53cea1470de3c5da374631751facba920e38f1f01cb47e16c8

SHA512
59e6be28de7ecf93464458b54dbc667cdd488989aab8f5d313839ffe5410a387ea39b930fdf98e20322747bd963af9d2b811fcbf6f172aaf2cd7f9c706f58c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\delete_self.bat

Filesize
119B

MD5
608a68e7cf8845f50c5b4d588abf7220

SHA1
f65526ea8f4ca7573b63d858bfeef65869006078

SHA256
6e06322a10c44498d88bec1c00eb6e36384a04e60ec81cc481072476bf7318dd

SHA512
96a3bf43a2d4e4c15640c2afad92a184a3c2fae8280c4abc96738192d2dd1cefa7db5bb9ae1a4e5d67f1b7490c91a68779de93fbad9568e82533693a859b5f1a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
775B

MD5
0cf1514bfce30ad5ad51419e908a0825

SHA1
3e53f22c5601c463e0532f23cc5d9cea2eaac6d2

SHA256
cd94f28ea48fd91088c0c6e491c7c0d7c9e917811790836d3577afe25d0988bd

SHA512
95062d47f29b5c1322ffe4d29b07445b0599061085dd984c446cf0fc2a16ffd0f67e2e54e7afbb87398b270ec8452aa7bb9097c1e9c471102ebe825440192d96

Download Submit
memory/4328-40-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-39-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-46-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-45-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-44-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-43-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-42-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-41-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-29-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-30-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-28-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-31-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-32-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-33-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/4328-38-0x0000000140000000-0x0000000144EB1000-memory.dmp

Filesize
78.7MB

Download
memory/5860-1-0x00007FFA860D0000-0x00007FFA860D2000-memory.dmp

Filesize
8KB

Download
memory/5860-15-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download
memory/5860-0-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download
memory/5860-3-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download
memory/5860-4-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download
memory/5860-5-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download
memory/5860-22-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download
memory/5860-17-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download
memory/5860-16-0x0000000140000000-0x0000000144EC6000-memory.dmp

Filesize
78.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads