Analysis
-
max time kernel
53s -
max time network
55s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system -
submitted
01-07-2024 10:36
Static task
static1
Behavioral task
behavioral1
Sample
cheker.exe
Resource
win10-20240404-en
General
-
Target
cheker.exe
-
Size
16.0MB
-
MD5
4073368212b724b12a562b0dbf74e2d0
-
SHA1
8dca0faf07d074922992f723c3ff101628c26a8a
-
SHA256
7d5f078d2720427aefe6c66d7ce90a63331634f49d94a37ed5225acf2876155b
-
SHA512
c7e90e489c960271e6fafac6f838b231eaa7884b5e6d1b93e10e55fd075c988c78b2f8d4d8649a6aeab5be5341a9665d4ca03302bc8bd796cc30962f7be58afe
-
SSDEEP
393216:I4wP0hDEpTfheUmFQlZd7MhYRFC+QD3xs6DXwTuKvn:a0hYpTflFZlAYvUXXKn
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\drive injector.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\Xroblox.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\appdata.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\robloxClient.exe | dcrat
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Both values are set to the bare name "winlocker.exe" with no path. No file of that name is among the files dropped in this run, so unless it is placed somewhere Winlogon can resolve it, there is nothing valid to launch at the post-reboot logon; Userinit is what starts the shell, so a broken Userinit alone is enough to lock the user out of a desktop. Recovery means restoring Shell to explorer.exe and Userinit to C:\Windows\system32\userinit.exe, (trailing comma included) from a recovery environment or a second administrative session.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "winlocker.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "winlocker.exe" | reg.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
-
Disables Task Manager via registry modification
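The Winlogon, RegEdit and Task Manager signatures above describe the registry state this sample leaves behind, which is also what has to be checked and reverted on an affected host. The following is an added example (the editor's code, not part of this report or of the sample) that parses a .reg export and reports exactly those values: a replaced Winlogon Shell or Userinit, the Policies\System lockout values set to 1, and Run-key entries that launch from a temp directory. The .reg text is constructed here to mirror the values in this report; the expected defaults (explorer.exe, C:\Windows\system32\userinit.exe,) assume a stock Windows 10 install with SystemRoot on C:.

```python
"""Audit a .reg export for the winlocker-style tampering seen in this report.
Added example; the sample .reg text below is constructed, not captured."""
import re

# Assumptions: stock Windows 10 defaults, SystemRoot is C:\Windows
_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
)
# The values 123.bat sets to 1 in this report
LOCKOUT_VALUES = ("DisableTaskMgr", "DisableRegistryTools", "DisableCMD")
# Autoruns launched from these locations deserve a look whatever their name
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def _decode(raw: str):
    """Decode one .reg value: quoted string (\\\\ and \\" escapes) or dword:."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) blobs and other types are kept verbatim


def parse_reg(text: str) -> dict:
    """Return {key path (lowercased): {value name (lowercased): value}}."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = hives.setdefault(m.group("key").lower(), {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None and m.group("val") != "-":  # "-" marks deletion
            current[m.group("name").lower()] = _decode(m.group("val"))
    return hives


def _image_of(command: str) -> str:
    """First token of a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit(hives: dict) -> list:
    """Return (key, value name, current value, reason) for each suspicious value."""
    findings = []
    wl = hives.get(WINLOGON.lower(), {})
    shell = wl.get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON, "Shell", shell, "shell is not explorer.exe"))
    userinit = wl.get("userinit")
    if userinit is not None:
        entries = [e.strip().lower() for e in userinit.split(",") if e.strip()]
        if entries != [r"c:\windows\system32\userinit.exe"]:
            findings.append((WINLOGON, "Userinit", userinit,
                             r"expected exactly C:\Windows\system32\userinit.exe,"))
    pol = hives.get(POLICIES_SYSTEM.lower(), {})
    for name in LOCKOUT_VALUES:
        if pol.get(name.lower()):
            findings.append((POLICIES_SYSTEM, name, pol[name.lower()], "user tooling disabled"))
    for key in RUN_KEYS:
        for name, cmd in hives.get(key.lower(), {}).items():
            if any(marker in _image_of(str(cmd)).lower() for marker in USER_WRITABLE):
                findings.append((key, name, cmd, "autorun from a user-writable temp path"))
    return findings


# Constructed .reg export mirroring this report's values, plus one benign Run entry
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="winlocker.exe"
"Userinit"="winlocker.exe"
"AutoRestartShell"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kiler.exe"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kiler.exe\" .."
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

if __name__ == "__main__":
    for key, name, value, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name} = {value!r}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg /y` (the file is UTF-16LE, so open it with `encoding="utf-16"`); from a recovery environment, load the offline hive with `reg load` first and adjust the key constants to the mount point you chose. The OneDrive entry is there to show that an AppData\Local path on its own is not flagged, only the temp locations are.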
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiler.url | kiler.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiler.exe | kiler.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiler.exe | kiler.exe
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
4604 | Xroblox.exe
3420 | appdata.exe
1392 | driveinjector.exe
2384 | injector.exe
3640 | robloxClient.exe
4608 | windrive.exe
4768 | kiler.exe
-
Loads dropped DLL 2 IoCs
The only DLL in the dropped-files list below is \Users\Admin\AppData\Local\Temp\VERSION.DLL, placed beside the executables in %TEMP% under the name of a system DLL (version.dll). A dropped copy of a system DLL next to the executable that loads it is the search-order hijack / side-loading layout, so the hashes of that file are worth pivoting on.
Processes:
pid | process
2384 | injector.exe
4768 | kiler.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Together with the Startup-folder copy and the per-minute scheduled task, this gives kiler.exe three separate autostart paths, all pointing at the copy in %TEMP%.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\kiler.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kiler.exe\" .." | kiler.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kiler.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kiler.exe\" .." | kiler.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (one entry per drive letter, 23 in total) | WScript.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = " " | reg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
2948 | timeout.exe
-
Kills process with taskkill 5 IoCs
Four of the five invocations are TASKKILL /F /IM wscript.exe and TASKKILL /F /IM cmd.exe (one pair each from injector.exe and kiler.exe). The fifth, taskkill /f im Wireshark.exe, is missing the slash on /IM, so taskkill rejects the command line and the capture tool it names is not terminated; the intent (checking for a packet capture tool) is still a useful signal.
Processes:
pid | process
4900 | TASKKILL.exe
2336 | TASKKILL.exe
3592 | TASKKILL.exe
1708 | TASKKILL.exe
2852 | taskkill.exe
-
Modifies data under HKEY_USERS 15 IoCs
All 15 writes are LogonUI.exe storing accent and DWM colour values under HKEY_USERS\.DEFAULT at the post-reboot logon screen. This is normal logon-screen behaviour, not sample activity; it appears only because the forced reboot brought LogonUI.exe into the process tree.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
-
Modifies registry class 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | cheker.exe
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | appdata.exe
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | robloxClient.exe
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | Xroblox.exe
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | driveinjector.exe
-
Modifies registry key 1 TTPs 7 IoCs
These are the seven reg add commands under 123.bat in the process tree. This signature fires on the reg.exe invocation, not on a confirmed write: three of the commands (NO winKeys, NO Drives, No ViewOnDrive) pass a value name containing a space, so reg.exe receives "NO"/"No" as the value name and the rest as a stray argument, and the well-known Explorer restrictions they resemble (NoWinKeys, NoDrives, NoViewOnDrive) live under Policies\Explorer, not Policies\System. Those three do not apply the restriction they appear to intend; DisableTaskMgr, DisableRegistryTools and DisableCMD are the ones that matter.
Processes:
pid | process
2996 | reg.exe
1496 | reg.exe
944 | reg.exe
2292 | reg.exe
4004 | reg.exe
2736 | reg.exe
2892 | reg.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2384 | injector.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3576 | WScript.exe
Token: SeCreatePagefilePrivilege | 3576 | WScript.exe
Token: SeDebugPrivilege | 2384 | injector.exe
Token: SeDebugPrivilege | 4900 | TASKKILL.exe
Token: SeDebugPrivilege | 2336 | TASKKILL.exe
Token: SeShutdownPrivilege | 2652 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2652 | shutdown.exe
Token: SeDebugPrivilege | 4768 | kiler.exe
Token: SeDebugPrivilege | 1708 | TASKKILL.exe
Token: SeDebugPrivilege | 3592 | TASKKILL.exe
Token: 33 | 4768 | kiler.exe
Token: SeIncBasePriorityPrivilege | 4768 | kiler.exe
Token: 33 | 4768 | kiler.exe
Token: SeIncBasePriorityPrivilege | 4768 | kiler.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
500 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is a parent writing into a child it has just created (compare the process tree: each target is the writer's own child, listed two or three times per spawn), which is how the sandbox records ordinary process creation. No target is a pre-existing process, so this list is not evidence of code injection into other processes.
Processes:
writer pid | writer | target pid | target | entries
4804 | cheker.exe | 4604 | Xroblox.exe | 3
4804 | cheker.exe | 3420 | appdata.exe | 3
4804 | cheker.exe | 1392 | driveinjector.exe | 3
4804 | cheker.exe | 2384 | injector.exe | 3
4804 | cheker.exe | 3640 | robloxClient.exe | 3
4804 | cheker.exe | 3576 | WScript.exe | 2
1392 | driveinjector.exe | 1068 | WScript.exe | 3
4604 | Xroblox.exe | 592 | WScript.exe | 3
3420 | appdata.exe | 4488 | WScript.exe | 3
2384 | injector.exe | 2336 | TASKKILL.exe | 3
2384 | injector.exe | 4900 | TASKKILL.exe | 3
3640 | robloxClient.exe | 2580 | WScript.exe | 3
4804 | cheker.exe | 368 | cmd.exe | 2
4804 | cheker.exe | 2928 | cmd.exe | 2
4804 | cheker.exe | 4608 | windrive.exe | 3
4608 | windrive.exe | 4724 | cmd.exe | 2
368 | cmd.exe | 3796 | reg.exe | 2
4724 | cmd.exe | 2948 | timeout.exe | 2
2928 | cmd.exe | 944 | reg.exe | 2
368 | cmd.exe | 2276 | reg.exe | 2
2928 | cmd.exe | 2652 | shutdown.exe | 2
368 | cmd.exe | 3500 | reg.exe | 2
4724 | cmd.exe | 2660 | reg.exe | 2
368 | cmd.exe | 192 | rundll32.exe | 2
4724 | cmd.exe | 216 | reg.exe | 2
2928 | cmd.exe | 2292 | reg.exe | 2
Processes
Indentation shows parent/child nesting; "cmd:" is the recorded command line.
C:\Users\Admin\AppData\Local\Temp\cheker.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\cheker.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Xroblox.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Xroblox.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\BlockproviderComponentweb\LzYuX9pzQxeIw.vbe"
  C:\Users\Admin\AppData\Local\Temp\appdata.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\appdata.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockproviderComponentweb\FlrU2Sw3hI88Kq0oMKFqlJBcKKk7.vbe"
  C:\Users\Admin\AppData\Local\Temp\driveinjector.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\driveinjector.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\ProviderwebRuntimebrokerDll\AzoUH9rmryPf4YVykgERWga1ZsG.vbe"
  C:\Users\Admin\AppData\Local\Temp\injector.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\injector.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\TASKKILL.exe
      cmd: TASKKILL /F /IM wscript.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\TASKKILL.exe
      cmd: TASKKILL /F /IM cmd.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\kiler.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\kiler.exe"
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\TASKKILL.exe
        cmd: TASKKILL /F /IM wscript.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\TASKKILL.exe
        cmd: TASKKILL /F /IM cmd.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe
        cmd: taskkill /f im Wireshark.exe
        - Kills process with taskkill
      C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
      C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\kiler.exe
        - Scheduled Task/Job: Scheduled Task
    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\injector.exe"
      C:\Windows\SysWOW64\choice.exe
        cmd: choice /C Y /N /D Y /T 5
  C:\Users\Admin\AppData\Local\Temp\robloxClient.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\robloxClient.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BlockproviderComponentweb\rLN2CzC2BGDm0saFwwqZ.vbe"
  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\startoff.vbs"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      cmd: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d " " /f
      - Sets desktop wallpaper using registry
    C:\Windows\system32\reg.exe
      cmd: reg add "HKCU\Control Panel\Desktop" /v WallPaperStyle /t REG_SZ /d 2 /f
    C:\Windows\system32\reg.exe
      cmd: reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f
    C:\Windows\system32\rundll32.exe
      cmd: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    C:\Windows\system32\shutdown.exe
      cmd: shutdown /r /t 30
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\reg.exe
      cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - Disables RegEdit via registry modification
      - Modifies registry key
    C:\Windows\system32\reg.exe
      cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
      - Modifies registry key
    C:\Windows\system32\reg.exe
      cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NO winKeys /t REG_DWORD /d 1 /f
      - Modifies registry key
    C:\Windows\system32\reg.exe
      cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NO Drives /t REG_DWORD /d 1 /f
      - Modifies registry key
    C:\Windows\system32\reg.exe
      cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HidePowerOptions /t REG_DWORD /d 1 /f
      - Modifies registry key
    C:\Windows\system32\reg.exe
      cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v No ViewOnDrive /t REG_DWORD /d 1 /f
      - Modifies registry key
    C:\Windows\system32\rundll32.exe
      cmd: rundll32 mouse,disable
  C:\Users\Admin\AppData\Local\Temp\windrive.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\windrive.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A4AC.tmp\A4AD.tmp\A4AE.bat C:\Users\Admin\AppData\Local\Temp\windrive.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\timeout.exe
        cmd: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "winlocker.exe" /f
        - Modifies WinLogon for persistence
      C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "winlocker.exe" /f
        - Modifies WinLogon for persistence
C:\Windows\system32\AUDIODG.EXE
  cmd: C:\Windows\system32\AUDIODG.EXE 0x200
C:\Windows\system32\LogonUI.exe
  cmd: "LogonUI.exe" /flags:0x0 /state0:0xa3aed055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Notes on the tree:
- The lockout is assembled in order: start.bat blanks the wallpaper, 123.bat disables Task Manager, Registry Editor and cmd.exe for the current user and schedules a reboot (shutdown /r /t 30), and A4AE.bat, run by windrive.exe, replaces the Winlogon Shell and Userinit values that take effect at that reboot. LogonUI.exe at the top level shows the run reached the post-reboot logon screen; AUDIODG.EXE is the Windows audio engine, not sample code.
- The four dcrat-tagged droppers each start WScript.exe on a .vbe stager in a folder with a generated name. None of those WScript.exe processes has a recorded child, and both injector.exe and kiler.exe run TASKKILL /F /IM wscript.exe, which terminates any stager still running at that point.
- windrive.exe launches its payload through the sysnative alias (a 32-bit process reaching the 64-bit cmd.exe) on a batch file unpacked into a nested .tmp directory, the layout produced by batch-to-EXE wrappers.
- rundll32 mouse,disable is a batch-prank idiom with no effect on current Windows; the wallpaper change is applied through the legitimate user32.dll,UpdatePerUserSystemParameters call.
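Read as command lines, the tree above is a ready-made test set for process-creation detections. The following is an added example (the editor's code, not part of this report or of the sample): five rules keyed on image name plus a command-line pattern, run over constructed Sysmon-style events whose command lines are copied from the tree, with two benign lines to show the rules stay quiet. The rule names, the Event shape and the ATT&CK mappings are the editor's choices; the self-delete rule uses the parent image, which is why the event carries it.

```python
"""Process-creation detections for the behaviours in this report.
Added example; SAMPLE_EVENTS are constructed from the process tree above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process-creation record (fields a Sysmon EID 1 or EDR event carries)."""
    image: str     # image path of the created process
    cmdline: str   # its command line
    parent: str    # image path of the parent


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _self_delete(ev: Event, m: "re.Match") -> bool:
    """Only fire when the file being deleted is the parent's own image."""
    return _basename(m.group("target")) == _basename(ev.parent)


# (rule name, ATT&CK id, expected image basename, command-line regex, extra check)
RULES = [
    # Any write to Winlogon Shell/Userinit is rare enough to alert on outright
    ("winlogon_shell_userinit_tamper", "T1547.004", "reg.exe",
     re.compile(r'\badd\b.*\\winlogon"?\s+/v\s+(shell|userinit)\b', re.I), None),
    # The three Policies\System values that actually lock the user out
    ("explorer_lockout_policy", "T1112", "reg.exe",
     re.compile(r"\badd\b.*policies\\system\s+/v\s+"
                r"(disabletaskmgr|disableregistrytools|disablecmd)\b.*/d\s+0*1\b", re.I), None),
    # Minute-interval task whose action lives in a user-writable path
    ("schtasks_minute_from_user_path", "T1053.005", "schtasks.exe",
     re.compile(r'/create\b.*/sc\s+minute\b.*/tr\s+"?[^"\s]*\\(appdata|temp|users\\public)\\', re.I), None),
    # Intent is the signal even when the syntax is broken (as with "im" below)
    ("taskkill_analysis_tool", "T1562.001", "taskkill.exe",
     re.compile(r"\b(wireshark|procmon|procexp|x64dbg|x32dbg|ollydbg|fiddler|tcpview|autoruns)(\.exe)?\b", re.I), None),
    # choice-as-sleep followed by deleting the parent's own binary
    ("cmd_self_delete", "T1070.004", "cmd.exe",
     re.compile(r'\bchoice\b.*&\s*del\s+(?P<target>"[^"]+"|\S+)', re.I), _self_delete),
]


def detect(events):
    """Return (rule name, ATT&CK id, cmdline) for every rule that fires on each event."""
    hits = []
    for ev in events:
        for name, technique, image, pattern, extra in RULES:
            if _basename(ev.image) != image:
                continue
            m = pattern.search(ev.cmdline)
            if m and (extra is None or extra(ev, m)):
                hits.append((name, technique, ev.cmdline))
    return hits


# Constructed events; command lines are taken from the process tree in this report
SAMPLE_EVENTS = [
    Event(r"C:\Windows\system32\reg.exe",
          r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "winlocker.exe" /f',
          r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\system32\reg.exe",
          r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
          r"C:\Windows\system32\cmd.exe"),
    Event(r"C:\Windows\SysWOW64\schtasks.exe",
          r'schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\kiler.exe',
          r"C:\Users\Admin\AppData\Local\Temp\kiler.exe"),
    Event(r"C:\Windows\SysWOW64\taskkill.exe",
          r"taskkill /f im Wireshark.exe",  # malformed in the sample, still worth flagging
          r"C:\Users\Admin\AppData\Local\Temp\kiler.exe"),
    Event(r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\injector.exe"',
          r"C:\Users\Admin\AppData\Local\Temp\injector.exe"),
    # Benign lines that must not fire: a read-only query and a wallpaper tweak
    Event(r"C:\Windows\system32\reg.exe",
          r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell',
          r"C:\Windows\system32\cmd.exe"),
    Event(r"C:\Windows\system32\reg.exe",
          r'reg add "HKCU\Control Panel\Desktop" /v WallPaperStyle /t REG_SZ /d 2 /f',
          r"C:\Windows\system32\cmd.exe"),
]

if __name__ == "__main__":
    for name, technique, cmdline in detect(SAMPLE_EVENTS):
        print(f"{technique} {name}: {cmdline}")
```

The Winlogon rule deliberately fires on any write to Shell or Userinit, including a legitimate restore, because those writes are rare enough that reviewing each one is cheaper than tuning them out; the wallpaper commands are left unmatched on purpose, since they are far too common in benign scripts to carry an alert on their own.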
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
-
C:\BlockproviderComponentweb\LzYuX9pzQxeIw.vbe
  Filesize 224B
  MD5 ac65a75f2ee29bca1ced3f4279f35192
  SHA1 905f99dc033b80377da593dfaa03ca9dea86521b
  SHA256 b0ebc32dafa29a57b91c73ac0b89242da68d40cd470c262d4cc0361ba0cd8b95
  SHA512 8ddfbc73ce949e48b270fd1717fe42d035c54d14cbb17f1764e98ae17305d26bc246deb254b0d439f314133e574b6c2bd8b1f1611cbf07eecbb569251f4c6206
-
C:\ProviderwebRuntimebrokerDll\AzoUH9rmryPf4YVykgERWga1ZsG.vbe
  Filesize 227B
  MD5 4a854cad3f93b3e5c68443bedd1f8de1
  SHA1 b71b93f98f49c7d334a09c80bac424db005913de
  SHA256 c21e88d44eb247ab02667e37de05d2e10ecc27bdfdc0f380778494570b5377db
  SHA512 b5a0db320eeecb1ab7c72376d3cf42f1c2c9aa659456dcad1f66696b6d0c0b83daa46b04e993d69aa7f0ac8ad4324a1a86e3e3d7dbd41d39d8e727e80a6c7541
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
  Filesize 9KB
  MD5 7050d5ae8acfbe560fa11073fef8185d
  SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\123.bat
  Filesize 2KB
  MD5 6dc1223fd2f2355f7519ef05b3573579
  SHA1 6750ee8463f6be825bf33de91d6211b66b1c52cb
  SHA256 c0b8d34c1fcdc4da9ea3881a517dee2b83cf45d519a87363dbc9c564ecb2c5ea
  SHA512 a5348d646f981acacda3385fb770eedf83799d5aa370beebcf9fc2721f6af8fb36f9992b7e8a23c94804f616a763dfd06be2eff21dbdd6b387b36b181d5958a3
-
C:\Users\Admin\AppData\Local\Temp\A4AC.tmp\A4AD.tmp\A4AE.bat
  Filesize 15KB
  MD5 0d55ae276ab5546c2ec30fb4eb175fff
  SHA1 d6613f6ff4ca80fbca37a2e6afdc91db3bc769fb
  SHA256 803ec9b0c408c8e8b6138fbeaed42a203420fbd67ee88c454dd1b27da967c2cc
  SHA512 17b2d9d878513d92b263f6ec69d29b9dddf5dcce32fc30869018c11acf558cc8be08a69371f5d4edbbd461223f00e74c80e9457dd51fe52932b7e4e1a7bf8733
-
C:\Users\Admin\AppData\Local\Temp\BlockproviderComponentweb\rLN2CzC2BGDm0saFwwqZ.vbe
  Filesize 214B
  MD5 c6e17f78ef2cab853baa01a81f114972
  SHA1 246165f27b7d3d2ac642c5230f7ca09e39dd36a6
  SHA256 25f85a5bcaed5fadfba4b5368f224468e602e8991225b1fc2176cec26672cd81
  SHA512 84384b504dfceb204d15b8961f25ac40b6747014a4a4eb7b1ed2948c5d90e36db782c11d034f18f8cf18e53d3c6635d7d0fc6bb43866a464a24e02695dc13061
-
C:\Users\Admin\AppData\Local\Temp\Xroblox.exe
  Filesize 3.1MB
  MD5 918f850b87799087aab3391985a3c81a
  SHA1 9ff3cb6d0d3694d10acdda212826b9ffb7759f78
  SHA256 fb1ad76b6875612578539b3bf70c93438165465dd6b4cd128a692cfed974e5f7
  SHA512 ca1abdfc6a2007f516c46d8446c76e0e02c1087ceb38827e41c84f352b17175a7c4ffac18cc2283a7fb690324685a2acb1b310f234f755aafa1bcdc645bbbf1a
-
C:\Users\Admin\AppData\Local\Temp\appdata.exe
  Filesize 3.1MB
  MD5 84d84c88f059dcc80c8b8269bda163d0
  SHA1 94ca3cdba45a6961a19162cfc9eaa85a65be21ea
  SHA256 0813184d94537f7f52e27a48733ce01ab3f8a40c807f8b1e3e876a0857270b98
  SHA512 778ee47a7ee2967ffaa101d2de287be8545adfbd26e1d7f9944d8b3f5c238751bb48aa73f64ea1d1180692b383792281504bd6d54ec9446f2396fed4090255fc
-
C:\Users\Admin\AppData\Local\Temp\drive injector.exe
  Filesize 3.1MB
  MD5 3a8e20e9b2e9f923d8c7f73e0a4cf725
  SHA1 300070b3025f282e63af63a4751762e6309dbd95
  SHA256 7d0a7d85531fa4e95cad06073ce5fc918c1a1607f8b7c3da9ea0d765d3ab9dad
  SHA512 8892c7cce62bd29d40b66415a1847fec2cf75c181ec3ddcc8e628db4775cf2fb5de0505eb61ce44c36813462c48a18945ed53f9bf7c2734a202194ed3c932d8a
-
C:\Users\Admin\AppData\Local\Temp\injector.exe
  Filesize 249KB
  MD5 8bb7f3314ffb6329e0a2e94489df2579
  SHA1 33abb1c5671a8a08e45712a7417ccba94cac8f61
  SHA256 77d822158965fe6c07d02d6fd22590f2fd5b67b0fb2f1f0b080bf8f627687c63
  SHA512 1ca4b92ded899e01550f0fbb362842692137f72e63301453880fb39e342d9b8be98c35b53cb50821009c33fe3a2ab986ecfdf4dee80e04f31669f20e2caa1193
-
C:\Users\Admin\AppData\Local\Temp\robloxClient.exe
  Filesize 3.1MB
  MD5 7d43fffdbeb71e7ff79251ebf8b558a7
  SHA1 00ef8701369d0308bc50876e75db78f803cccaa0
  SHA256 3cb7f2e31e0d726f91631cdc0a44e8c97282e48a23a76521346df13f159d6e16
  SHA512 78971890e29f929bd9913ebbfff5f324590b82582be168427e939f123d9f9f1ee264643b0489deb12711e41d58e6bfd0678ab63fcfc4a945a01909aad8b04da4
-
C:\Users\Admin\AppData\Local\Temp\start.bat
  Filesize 312B
  MD5 bf3c10d1ff785241b7e56be626373c80
  SHA1 5e6ce808736f6ddcd125b56a26bd1c97a26cfc00
  SHA256 2f17cc457f3b453cbcf569e35016a889bcadf7f2baf3e299929af9a3669aaed2
  SHA512 0eb72f6ff4e40668df62166efd7fefa62ab8164e380bbd76ace82e6c8f0d51f1f999e768d77716456aa090ed4e97749ae388d17cc4f78cc589ba08165abbcf78
-
C:\Users\Admin\AppData\Local\Temp\startcheat.mp3
  Filesize 83KB
  MD5 4843241a72238329e13f2497733fd70c
  SHA1 c6b6fcc361bbcf17e9d05868deec5700b9e1d048
  SHA256 3c6de7e0e9b3781a9bbf710553efaacbd61afd486034a1a633e571fdb02f4348
  SHA512 f302d7b69c6a9eced6770ca2e6da3119c3bdf9c2a6a90657814cf0b5ddc52f3c336a4c5e45152443bb6d6f3fa777e3d99c82a3c090c6fa5b4b377f5aa0e1ba20
-
C:\Users\Admin\AppData\Local\Temp\startoff.vbs
  Filesize 122B
  MD5 f65c8c5a951686b035bded7c3ad3cb8c
  SHA1 0fe23a2d14d0d04a4e824cacb086cd379577f4e3
  SHA256 408aee75addf93eb1e790c4615622bb90a639b0862598ad387f948dda533534b
  SHA512 b9adc1e916730b36f34149a0063eec2d5ce296490fd84b44ea57cef4567cae9849def5b2d27a9327c607d4d859595b2b4cfb3a1aeb6245137170867f35a5c010
-
C:\Users\Admin\AppData\Local\Temp\windrive.exe
  Filesize 108KB
  MD5 3a0f22f80c3edce0174f14cb35b896d1
  SHA1 a3bb47e6ffe48fc8f72f1e32a30098ddf33f5009
  SHA256 86a96776f970cbe6b71d1bcadfb4fcf2d430f99b99a0db914829656b7ee00044
  SHA512 d9d3311ab81930f0de6ff0be8c854747fe885613fb1540305588611de49e40ea39b8879d5418f4123d5bf39915810b08ffae7a3f7d916ce76fe93a1c728fb054
-
C:\Users\Admin\AppData\Roaming\BlockproviderComponentweb\FlrU2Sw3hI88Kq0oMKFqlJBcKKk7.vbe
  Filesize 215B
  MD5 f31a6303fa711859b55f1823d797c287
  SHA1 8a56aaf8ed61bbee69334a1bdb6330351c448102
  SHA256 32eaa92211f658207acdfa9cf61ffb6ec96330e6918d35943c3562a8323bcc37
  SHA512 a9e9b9ebe96e79cc49e441896eb80af50aafd378c9f52cf5bfd50feae7b2a54369ceb47fe186a054ee1f30e70bf0507189de71c871a55c05e9a92d0c2ac12d02
-
\Users\Admin\AppData\Local\Temp\VERSION.DLL
  Filesize 18KB
  MD5 4c7d34c4224a4e95dd23d61798e11180
  SHA1 f4d38146721ed1c285805b4f0602a66d9fdb994a
  SHA256 8b97c55c15fe91680955611cd4a562c9c47eedfbedb514ff52992c029f15e86a
  SHA512 2c8589d8f38c7e56fd6b416b9ce44a51e62fd79c6fdc87c32d8a53f5cee9ae70a2ae2f91dfc324e47dc1dfcbb9e764fd1583ff8eee2f4b500a38bc224b2cac41