Analysis
max time kernel: 153s
max time network: 169s
platform: windows11_x64
resource: win11
submitted: 21-10-2021 12:23
Static task: static1
Behavioral tasks (sample REE20212110575259OCT.exe in each case):
behavioral1: resource win7-ja-20211014
behavioral2: resource win7-en-20210920
behavioral3: resource win7-de-20211014
behavioral4: resource win11
behavioral5: resource win10-ja-20211014
behavioral6: resource win10-en-20210920
The signatures, process tree and memory dumps on this page belong to behavioral4 (win11): that is the task prefix on the YARA hits below, and it matches the platform and resource listed above.
General
Target: REE20212110575259OCT.exe
Size: 498KB
MD5: 9c00fc940483cff2a0f3f619db16ad54
SHA1: 6f9c746d9cfb4e0bbf829783a82b883f7317b16b
SHA256: 8a54e41751369783c64f56f30133b985933092324e9b2dad025641d23643280c
SHA512: 30451538f9ed65159280a168c711056d7bc0776d0c30f1c82bfa4dfacfe4373c01f503004f1eacc1a690104f99bf7e78c61c5436261c0813508467ff5dd4ff21
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: gab8
C2: http://www.purodetalle.com/gab8/
Decoy domains (the campaign ID is also the URI path of the C2; Xloader sends the same requests to a selection of the decoy domains below as to the real server, so that the true C2 is harder to pick out of the network traffic):
amateurfeetworship.com
big-food.biz
metaversevolution.com
profecional-pacasmayo.com
royzoom.com
bekindevolution.com
hokozaki.com
waltersswholesale.com
wayfinderacu.com
schnurrgallery.com
babygearrentals.net
imggtoken.club
24x7x366.com
lakiernictwo.info
les-cours.com
dwticket.com
onarollshades.com
ramireztradepartners.com
safarparfums.com
6ngie.info
hoedetamni.quest
europeangurl.com
sakhakot.com
franciscoalpizar.com
jsyysn.com
goldberg-lighting.com
symbebidas.online
aucoeurducadeau.com
diamondscaterers.com
surswain.quest
gequper.xyz
roytsb.com
332151.com
hienrenow.com
skullother.com
betnubhelp.com
donerightcleaningnation.info
noukou-tonkotsu.xyz
bulkysofthome.com
yuejiayouhua.com
sevillalimpieza.com
involvefinance.com
obz7mo9amu.com
niftyfashionreward.com
refunddngame.com
norllix.com
vergadercentrumdji.com
1006e.com
boraeresici.com
partnerbebefits.com
hejabbanifatemi.com
bigskypediatrics.com
thefortclub.com
blacksource.xyz
happyklikshop.com
fullamodatoptan.com
pinupcams.info
javnfts.com
duocvietpharmacy.com
babyfloki.tech
cequitycorp.com
frenziedflora.com
5cherries.com
slurcap.com
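The extracted config is directly usable for hunting: every beacon, to the real C2 or to a decoy, carries the campaign path "/gab8/". The following is an added example for this page, not part of the sandbox output. The C2 URL and the decoy domains are copied from the config above (the decoy set is truncated to a subset), and the proxy log lines are constructed for the example; the "<time> <client> <method> <url> <status>" log format is an assumption.

```python
"""Hunt proxy logs for this Xloader campaign's beacon path.

Added example, not part of the sandbox output. C2 URL and decoy domains are
copied from the Malware Config above (decoys truncated to a subset); the log
lines and their format are constructed for the example.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

C2_URL = "http://www.purodetalle.com/gab8/"
DECOYS = {
    "amateurfeetworship.com", "big-food.biz", "metaversevolution.com",
    "profecional-pacasmayo.com", "royzoom.com", "bekindevolution.com",
}


def campaign_path(c2_url: str = C2_URL) -> str:
    """The path component of the C2 URL doubles as the campaign ID ("/gab8/")."""
    return urlsplit(c2_url).path


def bare_host(host: str) -> str:
    """The config lists decoys without "www." while the C2 carries it; normalise."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify(url: str, c2_url: str = C2_URL, decoys=DECOYS) -> Optional[str]:
    """"c2", "decoy" or "unlisted" for a request on the campaign path, else None.

    "unlisted" is the interesting verdict for a hunt: a host using the
    campaign path that is in neither the C2 nor the decoy list of this config.
    """
    u = urlsplit(url)
    if not u.hostname or not u.path.startswith(campaign_path(c2_url)):
        return None
    host = bare_host(u.hostname)
    if host == bare_host(urlsplit(c2_url).hostname or ""):
        return "c2"
    if host in decoys:
        return "decoy"
    return "unlisted"


# Constructed log lines (not from the report): "<time> <client> <method> <url> <status>".
# Query strings are placeholders.
PROXY_LOG = [
    "12:24:01 10.0.0.7 GET http://www.purodetalle.com/gab8/?q=1 200",
    "12:24:02 10.0.0.7 GET http://www.big-food.biz/gab8/?q=1 404",
    "12:24:03 10.0.0.7 POST http://www.royzoom.com/gab8/ 200",
    "12:24:04 10.0.0.7 GET http://www.example.org/ 200",
    "12:24:05 10.0.0.7 POST http://www.not-in-config.test/gab8/ 200",
]


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client, host, verdict) for every request that uses the campaign path."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than guess
        _, client, _method, url, _status = parts[:5]
        verdict = classify(url)
        if verdict:
            hits.append((client, urlsplit(url).hostname or "", verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in hunt(PROXY_LOG):
        print(f"{client} -> {host}: {verdict}")
```

Matching on the path rather than on the domain list is deliberate: the decoy list is specific to one build of the sample, while the campaign path survives across builds that share the operator's campaign ID, so an "unlisted" hit is the lead worth following.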
Signatures
Xloader Payload (2 IoCs)
YARA rule xloader matched in:
behavioral4/memory/2844-163-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral4/memory/4040-188-0x0000000002E00000-0x0000000002E29000-memory.dmp
Both regions are 0x29000 bytes (164KB). The first sits at 0x400000, the default image base of a 32-bit executable, inside the child copy of the sample (PID 2844) that PID 512 started and then retargeted with SetThreadContext; the second is the same-sized payload inside msiexec.exe (PID 4040). Together with the memory dump sizes listed under Downloads, this is consistent with the unpacked Xloader payload being hollowed into the child copy and then copied into msiexec.exe.
Sets service image path in registry (2 TTPs; no IoC rows are shown for this signature)
Suspicious use of SetThreadContext (3 IoCs)
PID 512 REE20212110575259OCT.exe set thread context of PID 2844 REE20212110575259OCT.exe
PID 2844 REE20212110575259OCT.exe set thread context of PID 3208 Explorer.EXE
PID 4040 msiexec.exe set thread context of PID 3208 Explorer.EXE
The chain is sample (512) into a child copy of itself (2844), that copy into Explorer.EXE (3208), and then msiexec.exe (4040, which Explorer launched) back into Explorer.EXE.
Drops file in Windows directory (9 IoCs)
File opened for modification C:\Windows\WinSxS\pending.xml (TiWorker.exe)
File opened for modification C:\Windows\WindowsUpdate.log (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
File created C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\cbshandler\state (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
File opened for modification C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
All nine come from TiWorker.exe and the wuauserv svchost.exe, the Windows Update servicing components, which sit at the root of the process tree rather than under the sample. Treat them as sandbox background activity, not as sample behaviour.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That description is the sandbox's generic text for this signature. No process is attributed to it here, and the extracted config identifies the sample as Xloader, an information stealer, so the ransomware reading does not apply to this report.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
Both reads come from svchost.exe (the UsoSvc instance in the process tree), not from the sample or from any process it injected into, so they are not evidence of sandbox evasion by this sample.
Modifies data under HKEY_USERS (64 IoCs)
All 64 events are "Key created" by WaaSMedicAgent.exe (four instances) beneath \REGISTRY\USER\.DEFAULT\Software\. Most keys are created more than once, once per instance; deduplicated, they are:
Microsoft\SystemCertificates\Root\Certificates, Root\CRLs, Root\CTLs
Microsoft\SystemCertificates\CA, CA\Certificates, CA\CRLs, CA\CTLs
Microsoft\SystemCertificates\trust, trust\CRLs, trust\CTLs
Microsoft\SystemCertificates\Disallowed, Disallowed\Certificates, Disallowed\CRLs
Microsoft\SystemCertificates\TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
Microsoft\SystemCertificates\SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
Policies\Microsoft\SystemCertificates\trust, trust\Certificates, trust\CRLs, trust\CTLs
Policies\Microsoft\SystemCertificates\TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
Policies\Microsoft\SystemCertificates\Disallowed, Disallowed\CRLs, Disallowed\CTLs
Policies\Microsoft\SystemCertificates\CA, CA\Certificates, CA\CRLs, CA\CTLs
Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
WaaSMedicAgent.exe is the Windows Update Medic agent. It runs at the root of the process tree below, not under the sample, and the keys are the per-user certificate-store layout that CryptoAPI lays down under the .DEFAULT hive when a service account first touches certificate stores. This is sandbox background activity, not sample behaviour.
Suspicious behavior: EnumeratesProcesses (50 IoCs)
4796 powershell.exe (2 events)
2844 REE20212110575259OCT.exe (4 events)
4040 msiexec.exe (the remaining 44 of the 50 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
3208 Explorer.EXE
Explorer.EXE (PID 3208) is the process the sample injected into via SetThreadContext, so this foreground-window polling is attributable to the injected code rather than to Explorer itself.
Suspicious behavior: MapViewOfSection (5 IoCs)
2844 REE20212110575259OCT.exe (3 events)
4040 msiexec.exe (2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
1868 svchost.exe (wuauserv): SeShutdownPrivilege and SeCreatePagefilePrivilege, 8 events
3048 svchost.exe (UsoSvc): SeShutdownPrivilege and SeCreatePagefilePrivilege, 2 events
4796 powershell.exe: SeDebugPrivilege, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and the privileges reported only by LUID 33, 34, 35 and 36, 22 events
2844 REE20212110575259OCT.exe: SeDebugPrivilege, 1 event
4040 msiexec.exe: SeDebugPrivilege, 1 event
3208 Explorer.EXE: SeShutdownPrivilege and SeCreatePagefilePrivilege, 2 events
2284 TiWorker.exe: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege in rotation, 28 events
The two entries that matter are SeDebugPrivilege in 2844 and 4040: those are exactly the processes that go on to call SetThreadContext on Explorer.EXE, and the privilege is enabled before opening and writing the other process. The long list under powershell.exe is routine for PowerShell and is not specific to the Add-MpPreference command it was given.
Suspicious use of UnmapMainImage (1 IoC)
3208 Explorer.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
3048 svchost.exe wrote to 1364 MoUsoCoreWorker.exe (2 events)
512 REE20212110575259OCT.exe wrote to 4796 powershell.exe (3 events)
512 REE20212110575259OCT.exe wrote to 2844 REE20212110575259OCT.exe (6 events)
3208 Explorer.EXE wrote to 4040 msiexec.exe (3 events)
4040 msiexec.exe wrote to 1956 cmd.exe (3 events)
The three-write groups from a parent into a child it has just created (powershell.exe, msiexec.exe, cmd.exe) match plain process creation. The six writes from 512 into its own child 2844, followed by SetThreadContext on that child, are the hollowing step.
Processes
Tree for behavioral4 (win11). Depth follows the report's 1⤵/2⤵/3⤵ markers; PIDs are not shown in the tree itself and are taken from the signature tables above.

1  C:\Windows\Explorer.EXE (PID 3208)
   Command line: C:\Windows\Explorer.EXE
   Signatures: GetForegroundWindowSpam, AdjustPrivilegeToken, UnmapMainImage, WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe (PID 512)
      Command line: "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
      Signatures: SetThreadContext, WriteProcessMemory
      3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4796)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
         Signatures: EnumeratesProcesses, AdjustPrivilegeToken
         The command line names System32 but the image runs from SysWOW64: the sample is a 32-bit process, so WOW64 file-system redirection hands it the 32-bit PowerShell. The cmdlet adds the sample's own path to the Microsoft Defender exclusion list (ATT&CK T1562.001). Add-MpPreference needs administrative rights; the report does not show whether the call succeeded.
      3  C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe (PID 2844)
         Command line: "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
         Signatures: SetThreadContext, EnumeratesProcesses, MapViewOfSection, AdjustPrivilegeToken
         Second copy of the sample, started by PID 512 and hollowed with the unpacked payload (YARA hit at 0x400000). This copy is the one that injects into Explorer.EXE.
   2  C:\Windows\SysWOW64\autochk.exe (three instances; no PID or signature listed)
      Command line: "C:\Windows\SysWOW64\autochk.exe"
   2  C:\Windows\SysWOW64\msiexec.exe (PID 4040)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      Signatures: SetThreadContext, EnumeratesProcesses, MapViewOfSection, AdjustPrivilegeToken, WriteProcessMemory
      Started by the injected Explorer.EXE rather than by the sample directly, and holds the second YARA-matched payload region. Having Explorer launch a Windows binary from SysWOW64 and then injecting into it is the documented Formbook/Xloader pattern; the three autochk.exe launches from Explorer.EXE above, which have no further activity recorded, fit the same mechanism.
      3  C:\Windows\SysWOW64\cmd.exe (PID 1956)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
         Deletes the original sample from disk once the payload is resident in msiexec.exe.
1  C:\Windows\System32\WaaSMedicAgent.exe (four instances, identical command lines)
   Command line: C:\Windows\System32\WaaSMedicAgent.exe 6095c4766816601af10a4ee05997dc20 AQDsvRa7tUaC9RKl/oIxlQ.0.1.0.3.0
   Signatures: Modifies data under HKEY_USERS
1  C:\Windows\system32\svchost.exe (PID 1868)
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   Signatures: Drops file in Windows directory, AdjustPrivilegeToken
1  C:\Windows\system32\svchost.exe (PID 3048)
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
   Signatures: Checks processor information in registry, AdjustPrivilegeToken, WriteProcessMemory
   2  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (PID 1364)
      Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
1  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe (PID 2284)
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
   Signatures: Drops file in Windows directory, AdjustPrivilegeToken
The WaaSMedicAgent.exe, svchost.exe, MoUsoCoreWorker.exe and TiWorker.exe entries are Windows Update components at the root of the tree, not descendants of the sample.
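The behaviour chain in the tree above (Defender exclusion, self-hollowing, injection into Explorer, Explorer launching a SysWOW64 binary, cmd-based self-deletion) can be expressed as rules over process records and SetThreadContext events. The following is an added example for this page, not part of the sandbox output: the process records are transcribed from the tree, the PIDs from the signature tables, and the parent/child links from the depth markers. The three autochk.exe launches have no PID on the report and are left out; the record layout and rule names are the example's own.

```python
"""Rules over the process tree and SetThreadContext events of this report.

Added example, not part of the sandbox output. Records are transcribed from
the tree above (PIDs from the signature tables); autochk.exe entries, which
have no PID on the report, are omitted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              f'Add-MpPreference -ExclusionPath "{SAMPLE}"')

PROCS: List[Proc] = [
    Proc(3208, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(512, 3208, SAMPLE, f'"{SAMPLE}"'),
    Proc(4796, 512, PS_IMAGE, PS_CMDLINE),
    Proc(2844, 512, SAMPLE, f'"{SAMPLE}"'),
    Proc(4040, 3208, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    Proc(1956, 4040, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
]

# (source pid, target pid) from the "Suspicious use of SetThreadContext" table.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(512, 2844), (2844, 3208), (4040, 3208)]

DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+)"?', re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: List[Proc], stc: List[Tuple[int, int]]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings; each rule mirrors one step seen in the tree."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[str, int]] = []

    # 1. Defender exclusion added from PowerShell (ATT&CK T1562.001).
    for p in procs:
        cl = p.cmdline.lower()
        if image_name(p.image) == "powershell.exe" and "add-mppreference" in cl and "-exclusionpath" in cl:
            findings.append(("defender_exclusion", p.pid))

    # 2. SetThreadContext into a child running the same image as its parent:
    #    the hollowing pattern (spawn self, replace image, redirect the thread).
    for src, dst in stc:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.ppid == src and image_name(s.image) == image_name(d.image):
            findings.append(("self_hollowing", dst))

    # 3. SetThreadContext on explorer.exe from another process.
    injected = set()
    for src, dst in stc:
        d = by_pid.get(dst)
        if d and src != dst and image_name(d.image) == "explorer.exe":
            findings.append(("explorer_injection", src))
            injected.add(dst)

    # 4. An explorer that has been injected into then starts a SysWOW64 binary.
    for p in procs:
        if p.ppid in injected and "\\syswow64\\" in p.image.lower():
            findings.append(("explorer_spawns_syswow64", p.pid))

    # 5. cmd.exe /c del of a path that is the image of a process in this tree.
    images = {p.image.lower() for p in procs}
    for p in procs:
        m = DEL_RE.search(p.cmdline)
        if image_name(p.image) == "cmd.exe" and m and m.group(1).strip().lower() in images:
            findings.append(("self_delete", p.pid))
    return findings


def describe(findings: List[Tuple[str, int]], procs: List[Proc]) -> List[str]:
    by_pid = {p.pid: p for p in procs}
    return [f"{rule}: pid {pid} ({image_name(by_pid[pid].image)})" for rule, pid in findings]


if __name__ == "__main__":
    for line in describe(detect(PROCS, SET_THREAD_CONTEXT), PROCS):
        print(line)
```

Rule 2 keys on "same image as the parent" rather than on the sample's name, and rule 5 on "deletes an image that ran in this tree", so both carry over to other samples of the same family without edits; rule 4 only fires once rule 3 has marked an Explorer as injected, which keeps ordinary Explorer launches of msiexec.exe out of the results.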
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps from behavioral4. Names follow memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp; the -mapping.dmp entries carry no address range. The two 164KB regions (2844-163 at image base 0x400000 and 4040-188) are the YARA-matched Xloader payload, and the two 3.3MB regions (2844-178 and 4040-189) are likewise identical in size across the hollowed child and msiexec.exe.
memory/512-148-0x0000000005A10000-0x0000000005A11000-memory.dmp 4KB
memory/512-149-0x0000000005380000-0x0000000005381000-memory.dmp 4KB
memory/512-150-0x0000000005460000-0x0000000005461000-memory.dmp 4KB
memory/512-151-0x0000000005FC0000-0x0000000005FC1000-memory.dmp 4KB
memory/512-152-0x0000000005510000-0x0000000005511000-memory.dmp 4KB
memory/512-153-0x0000000005460000-0x0000000005A06000-memory.dmp 5.6MB
memory/512-154-0x00000000059F0000-0x00000000059F7000-memory.dmp 28KB
memory/512-146-0x0000000000880000-0x0000000000881000-memory.dmp 4KB
memory/512-160-0x0000000006720000-0x000000000676B000-memory.dmp 300KB
memory/512-159-0x0000000006530000-0x0000000006531000-memory.dmp 4KB
memory/1364-158-0x0000000000000000-mapping.dmp
memory/1868-157-0x000001F0CDCA0000-0x000001F0CDCA4000-memory.dmp 16KB
memory/1868-156-0x000001F0CB5A0000-0x000001F0CB5B0000-memory.dmp 64KB
memory/1868-155-0x000001F0CB520000-0x000001F0CB530000-memory.dmp 64KB
memory/1956-186-0x0000000000000000-mapping.dmp
memory/2844-162-0x0000000000000000-mapping.dmp
memory/2844-163-0x0000000000400000-0x0000000000429000-memory.dmp 164KB
memory/2844-179-0x00000000010D0000-0x00000000010E1000-memory.dmp 68KB
memory/2844-178-0x0000000001180000-0x00000000014D6000-memory.dmp 3.3MB
memory/3208-176-0x00000000087B0000-0x000000000888A000-memory.dmp 872KB
memory/3208-209-0x0000000008890000-0x000000000894C000-memory.dmp 752KB
memory/4040-189-0x0000000004D90000-0x00000000050E6000-memory.dmp 3.3MB
memory/4040-183-0x0000000000000000-mapping.dmp
memory/4040-208-0x0000000004C10000-0x0000000004CA0000-memory.dmp 576KB
memory/4040-188-0x0000000002E00000-0x0000000002E29000-memory.dmp 164KB
memory/4040-187-0x0000000000600000-0x0000000000628000-memory.dmp 160KB
memory/4040-184-0x0000000002FF0000-0x0000000002FF1000-memory.dmp 4KB
memory/4040-185-0x0000000002FF0000-0x0000000002FF1000-memory.dmp 4KB
memory/4796-165-0x0000000002FC0000-0x0000000002FC1000-memory.dmp 4KB
memory/4796-164-0x0000000002FC0000-0x0000000002FC1000-memory.dmp 4KB
memory/4796-166-0x0000000004A90000-0x0000000004A91000-memory.dmp 4KB
memory/4796-181-0x0000000007EB0000-0x0000000007EB1000-memory.dmp 4KB
memory/4796-182-0x0000000008640000-0x0000000008641000-memory.dmp 4KB
memory/4796-177-0x0000000004A42000-0x0000000004A43000-memory.dmp 4KB
memory/4796-168-0x0000000007460000-0x0000000007461000-memory.dmp 4KB
memory/4796-175-0x0000000004A40000-0x0000000004A41000-memory.dmp 4KB
memory/4796-169-0x00000000074D0000-0x00000000074D1000-memory.dmp 4KB
memory/4796-173-0x0000000008170000-0x0000000008171000-memory.dmp 4KB
memory/4796-172-0x0000000007DA0000-0x0000000007DA1000-memory.dmp 4KB
memory/4796-167-0x0000000007520000-0x0000000007521000-memory.dmp 4KB
memory/4796-190-0x0000000004A45000-0x0000000004A47000-memory.dmp 8KB
memory/4796-193-0x0000000008A10000-0x0000000008A44000-memory.dmp 208KB
memory/4796-201-0x000000007FC60000-0x000000007FC61000-memory.dmp 4KB
memory/4796-202-0x00000000089F0000-0x00000000089F1000-memory.dmp 4KB
memory/4796-203-0x00000000097C0000-0x00000000097C1000-memory.dmp 4KB
memory/4796-204-0x0000000009FA0000-0x0000000009FA1000-memory.dmp 4KB
memory/4796-205-0x0000000009940000-0x0000000009941000-memory.dmp 4KB
memory/4796-206-0x00000000099A0000-0x00000000099A1000-memory.dmp 4KB
memory/4796-207-0x0000000009C30000-0x0000000009C31000-memory.dmp 4KB
memory/4796-171-0x0000000007CC0000-0x0000000007CC1000-memory.dmp 4KB
memory/4796-161-0x0000000000000000-mapping.dmp
memory/4796-210-0x0000000002FC0000-0x0000000002FC1000-memory.dmp 4KB
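The dump names encode enough to spot a payload that has been copied from one process into another: parse the address range, compute the size, and look for sizes that recur across PIDs. The following is an added example for this page, not part of the report; the dump names are copied from the list above (a subset), the size formatting reproduces the report's KB/MB suffixes using 1024-byte units, and the single-page filter and the function names are the example's own choices.

```python
"""Parse the memory-dump names above and find same-sized regions in two processes.

Added example, not part of the report. Dump names are copied from the
Downloads list (a subset); human_size() reproduces the report's suffixes.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DUMPS = [
    "memory/512-148-0x0000000005A10000-0x0000000005A11000-memory.dmp",
    "memory/512-153-0x0000000005460000-0x0000000005A06000-memory.dmp",
    "memory/1364-158-0x0000000000000000-mapping.dmp",
    "memory/1868-156-0x000001F0CB5A0000-0x000001F0CB5B0000-memory.dmp",
    "memory/1868-155-0x000001F0CB520000-0x000001F0CB530000-memory.dmp",
    "memory/2844-163-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2844-178-0x0000000001180000-0x00000000014D6000-memory.dmp",
    "memory/3208-176-0x00000000087B0000-0x000000000888A000-memory.dmp",
    "memory/4040-189-0x0000000004D90000-0x00000000050E6000-memory.dmp",
    "memory/4040-188-0x0000000002E00000-0x0000000002E29000-memory.dmp",
    "memory/4040-187-0x0000000000600000-0x0000000000628000-memory.dmp",
    "memory/4796-164-0x0000000002FC0000-0x0000000002FC1000-memory.dmp",
]

PAGE = 0x1000
DEFAULT_IMAGE_BASE = 0x400000  # default image base of a 32-bit executable


def parse_dump(name: str) -> Optional[Tuple[int, int, int, int]]:
    """(pid, sequence, start, end), or None for -mapping.dmp entries with no range."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_size(name: str) -> Optional[int]:
    r = parse_dump(name)
    return None if r is None else r[3] - r[2]


def human_size(size: int) -> str:
    """Match the report's suffixes: whole KB below 1MB, one decimal MB above."""
    if size < 1024 * 1024:
        return f"{size // 1024}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def shared_regions(names: List[str]) -> Dict[int, List[int]]:
    """Region sizes seen in more than one PID, ignoring single-page regions.

    A payload written into a second process keeps its size, so a size that
    recurs across PIDs is a candidate for the injected copy.
    """
    by_size: Dict[int, Set[int]] = defaultdict(set)
    for n in names:
        r = parse_dump(n)
        if r and (r[3] - r[2]) > PAGE:
            by_size[r[3] - r[2]].add(r[0])
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


def at_default_image_base(name: str) -> bool:
    """True when the region starts at 0x400000, where a hollowed 32-bit image lands."""
    r = parse_dump(name)
    return r is not None and r[2] == DEFAULT_IMAGE_BASE


if __name__ == "__main__":
    for size, pids in sorted(shared_regions(DUMPS).items()):
        print(f"{human_size(size)} ({size:#x}) present in pids {pids}")
    for n in DUMPS:
        if at_default_image_base(n):
            print(f"image-base region: {n}")
```

On the full list above the shared sizes are exactly 0x29000 (the YARA-matched 164KB payload) and 0x356000 (the 3.3MB regions), both in PIDs 2844 and 4040; single-page regions are filtered out because 4KB allocations recur in every process and carry no signal.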