Analysis
- max time kernel: 1794s
- max time network: 1796s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 21-01-2022 05:27
- Static task: static1
General
- Target: WT2lH6ZAAx8eKUZ.exe
- Size: 1.1MB
- MD5: e53db947fce99439608c9a9553f69498
- SHA1: 95375e0e9ccf538d02b37ece3f6f9abc069d28b2
- SHA256: 17cb794e094d6cf35a700c399316360eb20eb235be61377ffd6dd0022ac3bb5f
- SHA512: 2f49647eabd7b743c265ebcd3f5c1e4ac4d315594558b3ca4214db8f0aa22ac57062ac9930e01b2ce4836db54e65bcc77f0d6e9106f64b14239b600e84fc315a
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: newcracker.duckdns.org:19864, mansengco778.ddns.net:19864
- Mutex: 78c2a1b8-c3ee-4490-87c7-ebf1799a33a0
- activate_away_mode: false
- backup_connection_host: mansengco778.ddns.net
- backup_dns_server:
- buffer_size: 65538
- build_time: 2021-07-31T15:07:21.224394636Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 19864
- default_group: END YEAR
- enable_debug_mode: true
- gc_threshold: 1.0485772e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485772e+07
- mutex: 78c2a1b8-c3ee-4490-87c7-ebf1799a33a0
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: newcracker.duckdns.org
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8009
Signatures
- Async RAT payload (1 IoC)
  yara_rule asyncrat matched resource behavioral1/memory/2764-138-0x0000000000400000-0x0000000000412000-memory.dmp
- Executes dropped EXE (3 IoCs)
  PID 2236 vgssyl.exe; PID 3384 vlypak.scr; PID 1496 uonsewk.pif
- Sets service image path in registry (2 TTPs)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation by WT2lH6ZAAx8eKUZ.exe
  Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation by WT2lH6ZAAx8eKUZ.exe
  Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation by vlypak.scr
- Suspicious use of SetThreadContext (1 IoC)
  PID 3076 WT2lH6ZAAx8eKUZ.exe set thread context of PID 2764 WT2lH6ZAAx8eKUZ.exe
- Drops file in Windows directory (1 IoC)
  File opened for modification C:\Windows\Logs\CBS\CBS.log by TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS (41 IoCs)
  Process: WaaSMedicAgent.exe (Key created)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 3076 WT2lH6ZAAx8eKUZ.exe; PID 544 powershell.exe; PID 2764 WT2lH6ZAAx8eKUZ.exe; PID 560 powershell.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token SeDebugPrivilege: PID 3076 WT2lH6ZAAx8eKUZ.exe
  Token SeDebugPrivilege: PID 2764 WT2lH6ZAAx8eKUZ.exe
  Token SeDebugPrivilege: PID 544 powershell.exe
  Token SeSecurityPrivilege: PID 3744 TiWorker.exe
  Token SeRestorePrivilege: PID 3744 TiWorker.exe
  Token SeBackupPrivilege: PID 3744 TiWorker.exe
  Token SeDebugPrivilege: PID 560 powershell.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  PID 3076 WT2lH6ZAAx8eKUZ.exe wrote to memory of PID 4000 schtasks.exe
  PID 3076 WT2lH6ZAAx8eKUZ.exe wrote to memory of PID 3556 WT2lH6ZAAx8eKUZ.exe
  PID 3076 WT2lH6ZAAx8eKUZ.exe wrote to memory of PID 2764 WT2lH6ZAAx8eKUZ.exe
  PID 2764 WT2lH6ZAAx8eKUZ.exe wrote to memory of PID 4008 cmd.exe
  PID 4008 cmd.exe wrote to memory of PID 544 powershell.exe
  PID 544 powershell.exe wrote to memory of PID 2236 vgssyl.exe
  PID 2236 vgssyl.exe wrote to memory of PID 1520 fondue.exe
  PID 1520 fondue.exe wrote to memory of PID 1136 FonDUE.EXE
  PID 2764 WT2lH6ZAAx8eKUZ.exe wrote to memory of PID 3840 cmd.exe
  PID 3840 cmd.exe wrote to memory of PID 560 powershell.exe
  PID 560 powershell.exe wrote to memory of PID 3384 vlypak.scr
  PID 3384 vlypak.scr wrote to memory of PID 1496 uonsewk.pif
Processes
- C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DitCsNFxpO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6228.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe
    Command line: "{path}"
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vgssyl.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vgssyl.exe"'
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\vgssyl.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vgssyl.exe"
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\fondue.exe
            Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\FonDUE.EXE
              Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vlypak.scr"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vlypak.scr"'
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\vlypak.scr
          Command line: "C:\Users\Admin\AppData\Local\Temp\vlypak.scr" /S
          Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\71389037\uonsewk.pif
            Command line: "C:\Users\Admin\AppData\Local\Temp\71389037\uonsewk.pif" svpqc.nrr
            Signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe faa615816241a1205b38889cb3ee1fa9 Pjx81x9EX0yx/8/CJ1J92A.0.1.0.0.0
  Signatures: Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wsappx -p
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WT2lH6ZAAx8eKUZ.exe.log
  MD5: 17573558c4e714f606f997e5157afaac
  SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
  SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
  SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 5315900105942deb090a358a315b06fe
  SHA1: 22fe5d2e1617c31afbafb91c117508d41ef0ce44
  SHA256: e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
  SHA512: 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: e96883050c4ec06d58183718b5967286
  SHA1: f5a60dde971a1886d7234ee7ca08c25a3b060e0e
  SHA256: b902c7e3efe2aa8cb5eb09f3a6baa2c0b42806cc810eefe6c06554421f93432f
  SHA512: 39812a9a9b097d0f085c678d6f1481a95053da6bded5826f3eaa71a3274ff94da50a5d69fe19eb12a0c2da079a18175dbe6f6d1f2b151e5b661831b13505dd45
- C:\Users\Admin\AppData\Local\Temp\71389037\uonsewk.pif
  MD5: f4ec7a7f74a8038814157a33ca2cf5c4
  SHA1: 46f2847056c85bda7bfac259ce80b43f6d20762e
  SHA256: 93dbd6e25b11e7512787153cb23e44ee9c463cc561ac04f4226631ab58bdf0a6
  SHA512: 67df6ccc37a467e44d8a945850dfc468ffc37c4bf660f1bc2c1e0fb923d6b6fa505349f4d1d55d7b4102449a8f073ec63493993220f57f07f0ad7ac1accd3b3d
- C:\Users\Admin\AppData\Local\Temp\tmp6228.tmp
  MD5: 9c3e05c918e87520497934b9eab66cc2
  SHA1: 6c0d77d60c6f27a90415bdbc4a8a66c5da50bace
  SHA256: 085cb3e0de8a99f223979ec59cf7968e829d437c22948417f3dc291e025eaeeb
  SHA512: 986dc57017bb509cf7d9317a401a08b45dce874af2c48b4cc9b9d05d9514b245aa561bd394d8a60012871f4f62e8b5567db5eec05e96094d492eab50a3b43dec
- C:\Users\Admin\AppData\Local\Temp\vgssyl.exe
  MD5: 0023ecce99e706dfc8653684fde09de5
  SHA1: 73c62f0a520457a701079003b230affc8ce31e20
  SHA256: 33957cc4479b6e6465101ea76f536142b3dda64c5c3025c96c0e63ade66410da
  SHA512: c7bb4f3fb8678c3c926bcd93dd9755ade2c89c9e4e3799c11a017235f1be1b72b1d634c6c60080829a2c8c774d47b74291ac17c8864a87288ee88aa726a90d91
- C:\Users\Admin\AppData\Local\Temp\vlypak.scr
  MD5: 87b3045af8d9eaccfc30d02c188c5aac
  SHA1: 1f598d0213e56c64ce06b5726d6238d8be625120
  SHA256: 053bb72cb0f173c2c3294af0f1dcf41073ddecbc19dcf3f4ce1f586c41ae970f
  SHA512: f9e3c510746c06129d2ae5b9fee6e290553b27b8a8624bbfbf345cadf50d4c523e173ba3bd051301b0e29528f79b075d6966a9d2906d2e59485dabdd6fc558f1
- memory/544-158-0x0000000008C20000-0x0000000008C42000-memory.dmp (Filesize 136KB)
- memory/544-157-0x0000000008BD0000-0x0000000008BEA000-memory.dmp (Filesize 104KB)
- memory/544-156-0x0000000008C50000-0x0000000008CE6000-memory.dmp (Filesize 600KB)
- memory/544-155-0x0000000004F15000-0x0000000004F17000-memory.dmp (Filesize 8KB)
- memory/544-148-0x0000000004DB0000-0x0000000004DE6000-memory.dmp (Filesize 216KB)
- memory/544-149-0x0000000004F10000-0x0000000004F11000-memory.dmp (Filesize 4KB)
- memory/544-150-0x0000000004F12000-0x0000000004F13000-memory.dmp (Filesize 4KB)
- memory/544-151-0x0000000007950000-0x0000000007F78000-memory.dmp (Filesize 6.2MB)
- memory/544-152-0x0000000007FB0000-0x0000000007FD2000-memory.dmp (Filesize 136KB)
- memory/544-153-0x0000000008050000-0x00000000080B6000-memory.dmp (Filesize 408KB)
- memory/544-154-0x00000000086F0000-0x000000000870E000-memory.dmp (Filesize 120KB)
- memory/560-167-0x0000000004152000-0x0000000004153000-memory.dmp (Filesize 4KB)
- memory/560-166-0x0000000004150000-0x0000000004151000-memory.dmp (Filesize 4KB)
- memory/2764-144-0x00000000070C0000-0x0000000007136000-memory.dmp (Filesize 472KB)
- memory/2764-143-0x00000000059E0000-0x0000000005A46000-memory.dmp (Filesize 408KB)
- memory/2764-145-0x0000000007060000-0x000000000707E000-memory.dmp (Filesize 120KB)
- memory/2764-140-0x0000000005A50000-0x0000000005A51000-memory.dmp (Filesize 4KB)
- memory/2764-138-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
- memory/3076-130-0x00000000002F0000-0x000000000040C000-memory.dmp (Filesize 1.1MB)
- memory/3076-135-0x0000000004ED0000-0x0000000004F26000-memory.dmp (Filesize 344KB)
- memory/3076-136-0x0000000004ED0000-0x0000000005474000-memory.dmp (Filesize 5.6MB)
- memory/3076-134-0x0000000004E40000-0x0000000004E4A000-memory.dmp (Filesize 40KB)
- memory/3076-133-0x0000000004F70000-0x0000000005002000-memory.dmp (Filesize 584KB)
- memory/3076-132-0x0000000005480000-0x0000000005A24000-memory.dmp (Filesize 5.6MB)
- memory/3076-131-0x0000000004D90000-0x0000000004E2C000-memory.dmp (Filesize 624KB)