Task | Platform | Score
Overview | overview | 9
Static | static | 7
HBCD/WinTo...ip.bat | windows7-x64 | 7
HBCD/WinTo...ip.bat | windows10-2004-x64 | 7
HBCD/WinTo...er.bat | windows7-x64 | 7
HBCD/WinTo...er.bat | windows10-2004-x64 | 9
HBCD/WinTo...ns.bat | windows7-x64 | 7
HBCD/WinTo...ns.bat | windows10-2004-x64 | 7
HBCD/WinTo...un.exe | windows7-x64 | 7
HBCD/WinTo...un.exe | windows10-2004-x64 | 7
HBCD/WinTo...er.bat | windows7-x64 | 7
HBCD/WinTo...er.bat | windows10-2004-x64 | 7
HBCD/WinTo...Uz.bat | windows7-x64 | 7
HBCD/WinTo...Uz.bat | windows10-2004-x64 | 7
HBCD/WinTo...ts.bat | windows7-x64 | 7
HBCD/WinTo...ts.bat | windows10-2004-x64 | 9
HBCD/WinTo...ix.exe | windows7-x64 | 9
HBCD/WinTo...ix.exe | windows10-2004-x64 | 9
HBCD/WinTo...er.bat | windows7-x64 | 7
HBCD/WinTo...er.bat | windows10-2004-x64 | 7
HBCD/WinTo...er.bat | windows7-x64 | 7
HBCD/WinTo...er.bat | windows10-2004-x64 | 7
HBCD/WinTo...mp.bat | windows7-x64 | 7
HBCD/WinTo...mp.bat | windows10-2004-x64 | 7
HBCD/WinTo...NT.exe | windows7-x64 | 7
HBCD/WinTo...NT.exe | windows10-2004-x64 | 7
HBCD/WinTo...ix.bat | windows7-x64 | 7
HBCD/WinTo...ix.bat | windows10-2004-x64 | 7
HBCD/WinTo...un.bat | windows7-x64 | 1
HBCD/WinTo...un.bat | windows10-2004-x64 | 1
HBCD/WinTo...es.bat | windows7-x64 | 1
HBCD/WinTo...es.bat | windows10-2004-x64 | 1
HBCD/WinTo...er.bat | windows7-x64 | 7
HBCD/WinTo...er.bat | windows10-2004-x64 | 7

Analysis
max time kernel: 129s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 06:36
Behavioral task | Sample | Resource
behavioral1 | HBCD/WinTools/7Zip.bat | win7-20240508-en
behavioral2 | HBCD/WinTools/7Zip.bat | win10v2004-20240508-en
behavioral3 | HBCD/WinTools/AsteriskLogger.bat | win7-20240611-en
behavioral4 | HBCD/WinTools/AsteriskLogger.bat | win10v2004-20240611-en
behavioral5 | HBCD/WinTools/AutoRuns.bat | win7-20240611-en
behavioral6 | HBCD/WinTools/AutoRuns.bat | win10v2004-20240508-en
behavioral7 | HBCD/WinTools/Autorun.exe | win7-20240419-en
behavioral8 | HBCD/WinTools/Autorun.exe | win10v2004-20240508-en
behavioral9 | HBCD/WinTools/CCleaner.bat | win7-20240220-en
behavioral10 | HBCD/WinTools/CCleaner.bat | win10v2004-20240611-en
behavioral11 | HBCD/WinTools/CPUz.bat | win7-20231129-en
behavioral12 | HBCD/WinTools/CPUz.bat | win10v2004-20240508-en
behavioral13 | HBCD/WinTools/CPorts.bat | win7-20240221-en
behavioral14 | HBCD/WinTools/CPorts.bat | win10v2004-20240508-en
behavioral15 | HBCD/WinTools/ComboFix.exe | win7-20240508-en
behavioral16 | HBCD/WinTools/ComboFix.exe | win10v2004-20240611-en
behavioral17 | HBCD/WinTools/ContentAdvisorPasswordRemover.bat | win7-20240611-en
behavioral18 | HBCD/WinTools/ContentAdvisorPasswordRemover.bat | win10v2004-20240508-en
behavioral19 | HBCD/WinTools/CoolWebSearch_Remover.bat | win7-20240419-en
behavioral20 | HBCD/WinTools/CoolWebSearch_Remover.bat | win10v2004-20240226-en
behavioral21 | HBCD/WinTools/DTemp.bat | win7-20231129-en
behavioral22 | HBCD/WinTools/DTemp.bat | win10v2004-20240611-en
behavioral23 | HBCD/WinTools/DefragNT.exe | win7-20240508-en
behavioral24 | HBCD/WinTools/DefragNT.exe | win10v2004-20240611-en
behavioral25 | HBCD/WinTools/DialAFix.bat | win7-20240221-en
behavioral26 | HBCD/WinTools/DialAFix.bat | win10v2004-20240508-en
behavioral27 | HBCD/WinTools/DisableAutorun.bat | win7-20240220-en
behavioral28 | HBCD/WinTools/DisableAutorun.bat | win10v2004-20240508-en
behavioral29 | HBCD/WinTools/DisableCompressOldFiles.bat | win7-20240508-en
behavioral30 | HBCD/WinTools/DisableCompressOldFiles.bat | win10v2004-20240611-en
behavioral31 | HBCD/WinTools/DoubleDriver.bat | win7-20240611-en
behavioral32 | HBCD/WinTools/DoubleDriver.bat | win10v2004-20240508-en
General
Target: HBCD/WinTools/ComboFix.exe
Size: 2.9MB
MD5: 14b582165769a58e64a74e007e7a2e3e
SHA1: ddb5384c93794f0aca59c6d0b384a19028189076
SHA256: ac5700575a0776c7ac6bb2b2fdcd7ea9e2914cfd9ac72dd6d191557aa0479892
SHA512: 94079cb6c72991bf6f50ca138136ff9a88302e26239d06e34a39c9df0a736aa3869974b027e1edf12776da9fb743d682384d32d1ce5c1100e34381e283190ccd
SSDEEP: 49152:N/cX0+PRzFKDSiNUiVjHhAb5QgDmV/fK0fXU51/Mr84almQAG61ZdwJ0:aJp2+iNCFDo/V/wEYlmeSO0
Malware Config
Signatures
Nirsoft (3 IoCs)
resource | yara_rule
behavioral16/memory/3632-282-0x0000000000400000-0x0000000000414000-memory.dmp | Nirsoft
behavioral16/memory/2944-307-0x0000000000400000-0x0000000000414000-memory.dmp | Nirsoft
behavioral16/memory/3368-397-0x0000000000400000-0x0000000000414000-memory.dmp | Nirsoft
Disables RegEdit via registry modification (2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" | swreg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | InfDefaultInstall.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | ComboFix.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | n.com
Executes dropped EXE (29 IoCs)
pid | process
3632 | n.com
1104 | hidec.exe
3664 | swreg.exe
3988 | hidec.exe
3692 | swreg.exe
4308 | hidec.exe
4800 | swreg.exe
2944 | n.com
4372 | SWREG.exe
2312 | n.com
1556 | SWREG.exe
3668 | n.com
1320 | n.com
4672 | GSAR.cfexe
2868 | n.com
2512 | swreg.exe
2944 | cmd.execf
1760 | n.com
1200 | pev.exe
4572 | pv.exe
5096 | pv.cfexe
1748 | grep.cfexe
4604 | grep.cfexe
2788 | grep.cfexe
2780 | swreg.exe
4844 | grep.cfexe
3240 | swreg.exe
1936 | swreg.exe
3368 | n.com
Modifies system executable filetype association (2 TTPs, 12 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | InfDefaultInstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | InfDefaultInstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | InfDefaultInstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | swreg.exe
Processes:
resource | yara_rule
behavioral16/memory/2336-0-0x0000000000400000-0x0000000000426000-memory.dmp | upx
C:\32788R22FWJFW\n.com | upx
behavioral16/memory/3632-279-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral16/memory/3632-282-0x0000000000400000-0x0000000000414000-memory.dmp | upx
C:\32788R22FWJFW\swreg.exe | upx
behavioral16/memory/3664-298-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/2336-311-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral16/memory/3664-313-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/2944-307-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral16/memory/3692-315-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/4800-318-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/4372-320-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/1556-325-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/2868-334-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral16/memory/2512-338-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/2780-380-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/2336-390-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral16/memory/3240-392-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/1936-395-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral16/memory/3368-397-0x0000000000400000-0x0000000000414000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ | InfDefaultInstall.exe
Drops file in System32 directory (1 IoC)
description | ioc | process
File created | C:\Windows\SysWOW64\cmd.execf | GSAR.cfexe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor | swreg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1" | swreg.exe
Modifies registry class (25 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | swreg.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | n.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | InfDefaultInstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe\ = "exefile" | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" | InfDefaultInstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe | InfDefaultInstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | swreg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe\ = "exefile" | InfDefaultInstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | swreg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | InfDefaultInstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | InfDefaultInstall.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | process
4572 | pv.exe
4572 | pv.exe
4572 | pv.exe
4572 | pv.exe
4572 | pv.exe
5096 | pv.cfexe
5096 | pv.cfexe
5096 | pv.cfexe
5096 | pv.cfexe
Suspicious use of AdjustPrivilegeToken (22 IoCs)
description | pid | process
Token: SeSecurityPrivilege | 3664 | swreg.exe
Token: SeTakeOwnershipPrivilege | 3692 | swreg.exe
Token: SeRestorePrivilege | 3692 | swreg.exe
Token: SeSecurityPrivilege | 3692 | swreg.exe
Token: SeTakeOwnershipPrivilege | 4372 | SWREG.exe
Token: SeRestorePrivilege | 4372 | SWREG.exe
Token: SeSecurityPrivilege | 1556 | SWREG.exe
Token: SeTakeOwnershipPrivilege | 2512 | swreg.exe
Token: SeRestorePrivilege | 2512 | swreg.exe
Token: SeSecurityPrivilege | 2512 | swreg.exe
Token: SeDebugPrivilege | 4572 | pv.exe
Token: SeDebugPrivilege | 5096 | pv.cfexe
Token: SeTakeOwnershipPrivilege | 3240 | swreg.exe
Token: SeRestorePrivilege | 3240 | swreg.exe
Token: SeSecurityPrivilege | 3240 | swreg.exe
Token: SeTakeOwnershipPrivilege | 3240 | swreg.exe
Token: SeRestorePrivilege | 3240 | swreg.exe
Token: SeSecurityPrivilege | 3240 | swreg.exe
Token: SeTakeOwnershipPrivilege | 3240 | swreg.exe
Token: SeRestorePrivilege | 3240 | swreg.exe
Token: SeSecurityPrivilege | 3240 | swreg.exe
Token: SeSecurityPrivilege | 1936 | swreg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 2336 wrote to memory of 3632 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 3632 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 3632 | 2336 | ComboFix.exe | n.com
PID 3632 wrote to memory of 3384 | 3632 | n.com | InfDefaultInstall.exe
PID 3632 wrote to memory of 3384 | 3632 | n.com | InfDefaultInstall.exe
PID 3632 wrote to memory of 3384 | 3632 | n.com | InfDefaultInstall.exe
PID 3384 wrote to memory of 3368 | 3384 | InfDefaultInstall.exe | runonce.exe
PID 3384 wrote to memory of 3368 | 3384 | InfDefaultInstall.exe | runonce.exe
PID 3384 wrote to memory of 3368 | 3384 | InfDefaultInstall.exe | runonce.exe
PID 3368 wrote to memory of 1212 | 3368 | runonce.exe | grpconv.exe
PID 3368 wrote to memory of 1212 | 3368 | runonce.exe | grpconv.exe
PID 3368 wrote to memory of 1212 | 3368 | runonce.exe | grpconv.exe
PID 2336 wrote to memory of 1104 | 2336 | ComboFix.exe | hidec.exe
PID 2336 wrote to memory of 1104 | 2336 | ComboFix.exe | hidec.exe
PID 2336 wrote to memory of 1104 | 2336 | ComboFix.exe | hidec.exe
PID 1104 wrote to memory of 3664 | 1104 | hidec.exe | swreg.exe
PID 1104 wrote to memory of 3664 | 1104 | hidec.exe | swreg.exe
PID 1104 wrote to memory of 3664 | 1104 | hidec.exe | swreg.exe
PID 2336 wrote to memory of 3988 | 2336 | ComboFix.exe | hidec.exe
PID 2336 wrote to memory of 3988 | 2336 | ComboFix.exe | hidec.exe
PID 2336 wrote to memory of 3988 | 2336 | ComboFix.exe | hidec.exe
PID 3988 wrote to memory of 3692 | 3988 | hidec.exe | swreg.exe
PID 3988 wrote to memory of 3692 | 3988 | hidec.exe | swreg.exe
PID 3988 wrote to memory of 3692 | 3988 | hidec.exe | swreg.exe
PID 2336 wrote to memory of 4308 | 2336 | ComboFix.exe | hidec.exe
PID 2336 wrote to memory of 4308 | 2336 | ComboFix.exe | hidec.exe
PID 2336 wrote to memory of 4308 | 2336 | ComboFix.exe | hidec.exe
PID 4308 wrote to memory of 4800 | 4308 | hidec.exe | swreg.exe
PID 4308 wrote to memory of 4800 | 4308 | hidec.exe | swreg.exe
PID 4308 wrote to memory of 4800 | 4308 | hidec.exe | swreg.exe
PID 2336 wrote to memory of 2944 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 2944 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 2944 | 2336 | ComboFix.exe | n.com
PID 2944 wrote to memory of 4372 | 2944 | n.com | SWREG.exe
PID 2944 wrote to memory of 4372 | 2944 | n.com | SWREG.exe
PID 2944 wrote to memory of 4372 | 2944 | n.com | SWREG.exe
PID 2336 wrote to memory of 2312 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 2312 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 2312 | 2336 | ComboFix.exe | n.com
PID 2312 wrote to memory of 1556 | 2312 | n.com | SWREG.exe
PID 2312 wrote to memory of 1556 | 2312 | n.com | SWREG.exe
PID 2312 wrote to memory of 1556 | 2312 | n.com | SWREG.exe
PID 2336 wrote to memory of 3668 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 3668 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 3668 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 1320 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 1320 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 1320 | 2336 | ComboFix.exe | n.com
PID 1320 wrote to memory of 4672 | 1320 | n.com | GSAR.cfexe
PID 1320 wrote to memory of 4672 | 1320 | n.com | GSAR.cfexe
PID 1320 wrote to memory of 4672 | 1320 | n.com | GSAR.cfexe
PID 2336 wrote to memory of 2868 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 2868 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 2868 | 2336 | ComboFix.exe | n.com
PID 3668 wrote to memory of 2512 | 3668 | n.com | swreg.exe
PID 3668 wrote to memory of 2512 | 3668 | n.com | swreg.exe
PID 3668 wrote to memory of 2512 | 3668 | n.com | swreg.exe
PID 2868 wrote to memory of 2944 | 2868 | n.com | cmd.execf
PID 2868 wrote to memory of 2944 | 2868 | n.com | cmd.execf
PID 2868 wrote to memory of 2944 | 2868 | n.com | cmd.execf
PID 2336 wrote to memory of 1760 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 1760 | 2336 | ComboFix.exe | n.com
PID 2336 wrote to memory of 1760 | 2336 | ComboFix.exe | n.com
PID 2944 wrote to memory of 1200 | 2944 | cmd.execf | pev.exe
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\HBCD\WinTools\ComboFix.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HBCD\WinTools\ComboFix.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  [level 2] C:\32788R22FWJFW\n.com
    Command line: "C:\32788R22FWJFW\n.com" shexec install 32788R22FWJFW\Prep.inf
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\InfDefaultInstall.exe
      Command line: "C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
      - Disables RegEdit via registry modification
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Windows\SysWOW64\runonce.exe
        Command line: "C:\Windows\system32\runonce.exe" -r
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory

        [level 5] C:\Windows\SysWOW64\grpconv.exe
          Command line: "C:\Windows\System32\grpconv.exe" -o

  [level 2] C:\32788R22FWJFW\hidec.exe
    Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\32788R22FWJFW\swreg.exe
      Command line: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\32788R22FWJFW\hidec.exe
    Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\32788R22FWJFW\swreg.exe
      Command line: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\32788R22FWJFW\hidec.exe
    Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\32788R22FWJFW\swreg.exe
      Command line: 32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Modifies data under HKEY_USERS
      - Modifies registry class

  [level 2] C:\32788R22FWJFW\n.com
    Command line: "C:\32788R22FWJFW\n.com" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\32788R22FWJFW\SWREG.exe
      Command line: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\32788R22FWJFW\n.com
    Command line: "C:\32788R22FWJFW\n.com" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\32788R22FWJFW\SWREG.exe
      Command line: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\32788R22FWJFW\n.com
    Command line: "C:\32788R22FWJFW\n.com" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\32788R22FWJFW\swreg.exe
      Command line: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\32788R22FWJFW\n.com
    Command line: "C:\32788R22FWJFW\n.com" exec hide 32788R22FWJFW\GSAR.cfexe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "~$folder.system$\cmd.exe" "~$folder.system$\cmd.execf"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\32788R22FWJFW\GSAR.cfexe
      Command line: 32788R22FWJFW\GSAR.cfexe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
      - Executes dropped EXE
      - Drops file in System32 directory

  [level 2] C:\32788R22FWJFW\n.com
    Command line: "C:\32788R22FWJFW\n.com" cmdwait 1000 exec hide "~$folder.system$\cmd.execf" /c 32788R22FWJFW\prep.cmd >\Bug.txt 2>&1
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\cmd.execf
      Command line: "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\prep.cmd >\Bug.txt 2>&1
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      [level 4] C:\32788R22FWJFW\pev.exe
        Command line: 32788R22FWJFW\PEV.exe uzip "32788R22FWJFW\License\pv_5_2_2.zip" "32788R22FWJFW\License"
        - Executes dropped EXE

      [level 4] C:\32788R22FWJFW\pv.exe
        Command line: 32788R22FWJFW\pv.exe -kf n.com
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\32788R22FWJFW\pv.cfexe
        Command line: 32788R22FWJFW\pv.cfexe -kf n.com
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\32788R22FWJFW\grep.cfexe
        Command line: GREP.cfexe -F "5.2." OsVer
        - Executes dropped EXE

      [level 4] C:\32788R22FWJFW\grep.cfexe
        Command line: GREP.cfexe -F "5.1.2" OsVer
        - Executes dropped EXE

      [level 4] C:\32788R22FWJFW\grep.cfexe
        Command line: GREP.cfexe -F "5.00.2" OsVer
        - Executes dropped EXE

      [level 4] C:\32788R22FWJFW\swreg.exe
        Command line: SWREG.exe query "hklm\software\microsoft\windows nt\currentversion" /v currentversion
        - Executes dropped EXE

      [level 4] C:\32788R22FWJFW\grep.cfexe
        Command line: GREP.cfexe -sq "currentversion.* 6.0" OsVer00
        - Executes dropped EXE

      [level 4] C:\32788R22FWJFW\swreg.exe
        Command line: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\32788R22FWJFW\swreg.exe
        Command line: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\Windows\SysWOW64\chcp.com
        Command line: CHCP 1252

      [level 4] C:\32788R22FWJFW\n.com
        Command line: n.com infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
        - Executes dropped EXE

  [level 2] C:\32788R22FWJFW\n.com
    Command line: "C:\32788R22FWJFW\n.com" cmdwait 2500 exec hide "~$folder.system$\cmd.execf" /c 32788R22FWJFW\prep.cmd
    - Executes dropped EXE
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Event Triggered Execution (1)
    Change Default File Association (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\32788R22FWJFW\License\pv.exe
Filesize: 72KB
MD5: 92bd80f82fe8a28385b7d9d3f215e8b3
SHA1: e1ec40d4458b269d009d9c60344de3d187385290
SHA256: 5fc1b8e1cdd4d80b9818b854f70c009b7c182824e22c8eed7f524b4da2c60f4a
SHA512: 32a0d8551a4861f7ce40a9b4c127dfaace92eaf9d20407441714c475e1e0110c1225f5cc508999d832458d7e940f8711dee8853e49c1c963ffb0aaa884a94a2a

C:\32788R22FWJFW\OsVer
Filesize: 104B
MD5: 81107438325dd733bb955160756d8c08
SHA1: fb50243b24da6daef8ae5671d7cbb1a30bd4c4ca
SHA256: 29f6c98e2dc762764bce3fcd63826f7038170b4644e1a2e676463734e59a0ff6
SHA512: d4ed17c94ffb44bfac3ed5ea22f4c42cd39d6f87623a1e96cecca52b30caf1b745c4ce8bd5f04ca670ef71789af92a29db603a897be2e539c8745fb68a43b1ed

C:\32788R22FWJFW\OsVer00
Filesize: 180B
MD5: 565b4fcda29a1d96b7d24cf989068f72
SHA1: 3b2a83f8f1c436145defd842ad9c6c4c3509e8ed
SHA256: c13525d71c5c05c054078a8634d639d899878ba1943491f18a31bc63c19b6772
SHA512: 27e10a4eee95ab0597cc570f4cbb7ff0a7cb957968c017d0204d0dbd4a75d8875eb42152610123366c4d3ab58d8f03f8766578759a62d7bed90c91c586a7dc05

C:\32788R22FWJFW\Prep.cmd
Filesize: 11KB
MD5: 32bfd8a67ce1d117464212f534ddc4e8
SHA1: c88fda96795f5b8a41e62d40a0064fd2e5fb441c
SHA256: 9049dbbfea87257ddfccd499e99bd00aa9d5f3770d478833ce8385a7cc90a57f
SHA512: ba4e39ac9ecd822d82581b522c8a982316fffab125a723dd5fd1ca2f20ff5d7f6fafcde66d23382e046d13af5decb07bc0ded01e17dfef98e55e9d99d6cf2742

C:\32788R22FWJFW\Prep.inf
Filesize: 2KB
MD5: 7b6282af0c15cdb2087d27f55940c9f1
SHA1: 28eab995e41d72560812140af2bfc55a06cd1507
SHA256: 0566cb7b0f8f8d287d298a247db0c72cde0d77250147e94d37b435c58b468119
SHA512: 69a598d54972a83a81421f05fb02e8408cc52126f81b9243c5ea0603e84b5963172cbf116e560a4096867270f394972aedf632e4d9412b988882dbd26df53eca

C:\32788R22FWJFW\Rkey.cmd
Filesize: 241B
MD5: 72b52f9a4fb6ac4d77ef2dbeeac4e2bc
SHA1: 1f0ff2972a53f4bd60dd92471164b14c54d37909
SHA256: ba956605d2993a8186f7138a70feaf39242f1710d0683a3e66644792a48258d9
SHA512: 4d392f1d6c0f4d646409df127399f12a76bda669a531c5206b6437e0e326406dcc53e88fff16130af0c59ca54112d01d353fe23a0ea51c4ab2c4d1a2852d0127

C:\32788R22FWJFW\grep.cfexe
Filesize: 78KB
MD5: 9e05a9c264c8a908a8e79450fcbff047
SHA1: 363b2ee171de15aeea793bd7fdffd68d0feb8ba4
SHA256: c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1
SHA512: 712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

C:\32788R22FWJFW\gsar.cfexe
Filesize: 15KB
MD5: d6a005f8facff88e260688ddb7ae00c1
SHA1: 4e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA256: 0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA512: 7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

C:\32788R22FWJFW\hidec.exe
Filesize: 1KB
MD5: abc6379205de2618851c4fcbf72112eb
SHA1: 1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256: 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512: 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

C:\32788R22FWJFW\n.com
Filesize: 30KB
MD5: ae72e8619cb31d84da25e2435e55003c
SHA1: 2ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256: eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA512: 1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

C:\32788R22FWJFW\pev.exe
Filesize: 151KB
MD5: 915a05f3839497fa5ed64036b376f5bf
SHA1: 82c7b739aa6a25522280fa33e7cec351524fc95b
SHA256: b56a43b98983ecd011a9611150af2cc9b2bf1f7e055531e1ffa32c1999e39492
SHA512: dd80cc41349c41b7e3bd63fc0ca913e164feb04d7f6437480b6e572c6667bbcd24f5d9eac0b53e509a3a39ecb179660b321dcb128f2632cecf7e557405c68118

C:\32788R22FWJFW\swreg.exe
Filesize: 158KB
MD5: 01d95a1f8cf13d07cc564aabb36bcc0b
SHA1: be229bde90b82d21fe94c67e2b096334e93d78c2
SHA256: 1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512: 342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

C:\Windows\SysWOW64\cmd.execf
Filesize: 231KB
MD5: 29824dce144b6134797729005107ee1f
SHA1: d0bb9999154b87c32658b55c5c3bc2c5cbe156b6
SHA256: bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5
SHA512: f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd

C:\\32788R22FWJFW\License\pv_5_2_2.zip
Filesize: 38KB
MD5: ee4f5df5ff87dfd72cf4c6b1c9fecb8f
SHA1: abcc01a6b8c1e5ad7a75343dccb749cc7a38449e
SHA256: 40d6357bb63352b259a3a4fa7ce68daf61764efeacdb41d473d535cf09a7aff6
SHA512: dcf030e0c007e63ec6dcd11d46f6b61b2ad3b5d6627b13050f6db3f43753cbf729553dcaa10e4dc3de0a9cf433af0b70a1eb3b6a380acea93e328653bd3d8b19

C:\\32788r22fwjfw\exe.reg
Filesize: 7KB
MD5: 41a42847640838accb27d89797932bba
SHA1: 3982d3cab64faecaabce9179e900a87d2f7913fa
SHA256: 00e6f28b3a1606659fb55c216418be823e2eccff105e9d55de7d80de478b5571
SHA512: 72cfa964169e2a7bcaf52f097a47651df87fc8889462f21c909f6eb4af90b12c061fbe63bd463e239940c828c8648fd9132eb60107577c2d052f5b3eba8a9750
Memory dump | Filesize
memory/1104-295-0x0000000000400000-0x0000000000402000-memory.dmp | 8KB
memory/1200-351-0x0000000000110000-0x000000000017F000-memory.dmp | 444KB
memory/1200-347-0x0000000000110000-0x000000000017F000-memory.dmp | 444KB
memory/1556-325-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/1748-369-0x0000000000400000-0x0000000000417000-memory.dmp | 92KB
memory/1936-395-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/2336-390-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/2336-0-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/2336-311-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/2512-338-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/2780-380-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/2788-375-0x0000000000400000-0x0000000000417000-memory.dmp | 92KB
memory/2868-334-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
memory/2944-307-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
memory/3240-392-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/3368-397-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
memory/3632-279-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
memory/3632-282-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
memory/3664-313-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/3664-298-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/3692-315-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/4372-320-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/4604-372-0x0000000000400000-0x0000000000417000-memory.dmp | 92KB
memory/4800-318-0x0000000000400000-0x000000000048B000-memory.dmp | 556KB
memory/4844-386-0x0000000000400000-0x0000000000417000-memory.dmp | 92KB