Analysis
- max time kernel: 159s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 15-02-2022 12:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: SC221420.exe
- Resource: win7-en-20211208
General
- Target: SC221420.exe
- Size: 456KB
- MD5: 376f50bcc33f115ff257d0c05ac4ba1b
- SHA1: 6a81172d13f238b8ca60850870070ce8f3b20488
- SHA256: 0fcfde1ee285a35c722bfdd0b33f08771a26503d4bfc20541726456cf9351af1
- SHA512: 9bcce9e9dd2f2326f11b8a94867808404af9741e8e0dec59cf073a6eec666acfbb3eaaa26b6bb155060679937ee991048bf4ba3398bc53354c50dd9b61dae81c
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ahc8
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
- resource: behavioral2/memory/2332-135-0x0000000000400000-0x0000000000429000-memory.dmp; yara_rule: xloader
- resource: behavioral2/memory/2340-143-0x0000000002BA0000-0x0000000002BC9000-memory.dmp; yara_rule: xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow: 82; pid: 2340; process: cscript.exe
-
Executes dropped EXE 2 IoCs
Processes:
- pid: 1220; process: phlnztizg.exe
- pid: 2332; process: phlnztizg.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- description: PID 1220 set thread context of 2332; pid: 1220; process: phlnztizg.exe; target process: phlnztizg.exe
- description: PID 2332 set thread context of 2308; pid: 2332; process: phlnztizg.exe; target process: Explorer.EXE
- description: PID 2340 set thread context of 2308; pid: 2340; process: cscript.exe; target process: Explorer.EXE
-
Drops file in Windows directory 3 IoCs
Processes:
- description: File opened for modification; ioc: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat; process: svchost.exe
- description: File opened for modification; ioc: C:\Windows\Logs\CBS\CBS.log; process: TiWorker.exe
- description: File opened for modification; ioc: C:\Windows\WinSxS\pending.xml; process: TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0; process: MusNotifyIcon.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 49 IoCs
Processes:
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
- pid: 2332; process: phlnztizg.exe (4 entries)
- pid: 2340; process: cscript.exe (46 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid: 2308; process: Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid: 2332; process: phlnztizg.exe (3 entries)
- pid: 2340; process: cscript.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeDebugPrivilege; pid: 2332; process: phlnztizg.exe
- Token: SeDebugPrivilege; pid: 2340; process: cscript.exe
- Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege; pid: 1508; process: TiWorker.exe (62 entries, cycling through these three privileges)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- description: PID 2788 wrote to memory of 1220; pid: 2788; process: SC221420.exe; target process: phlnztizg.exe (3 entries)
- description: PID 1220 wrote to memory of 2332; pid: 1220; process: phlnztizg.exe; target process: phlnztizg.exe (6 entries)
- description: PID 2308 wrote to memory of 2340; pid: 2308; process: Explorer.EXE; target process: cscript.exe (3 entries)
- description: PID 2340 wrote to memory of 4076; pid: 2340; process: cscript.exe; target process: cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SC221420.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SC221420.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autoconv.exe (8 instances)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  - C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe"
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5i7piex8bs4j
MD5: a52498c2a045ff0a0065ef878e1ffdfe
SHA1: 23abc7ebc00bf80780a11dca2d25c46123046088
SHA256: 52a72dec9b196122f3008e8f314ca83546448cf48e47ce485398d52edc7c0861
SHA512: 25af0ff1d48e4c5d15f22f8d4770ff846dd711ea00a40255db094ebc7340df4ccd760e0654ca021c34d2f85e55b6770a720a01a0affcaa31530bdb28efb01dd7
-
C:\Users\Admin\AppData\Local\Temp\bxqlkx
MD5: 30efdc42eda73cb1c555eaf1484814f9
SHA1: 4263d4d980c3e262615f9577d262d96dab3160bc
SHA256: 95fc7ef3394623fa4142d220c0b13d62d7e03f0ad23917167dc578eef688f848
SHA512: a67b30b0a9c7660c973b02bb054a43dd113cba575519ed89c054215407f4f8e9c4326f3734a6af4a831b04f3c2ce8907aec6e5aae2f857218f84fc2920fc2459
-
C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
MD5: f9082eb743fa0bf57bf91d97f5251a44
SHA1: 0c58960df67a771c5a780ea0bf1adcbb3296710c
SHA256: c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20
SHA512: 30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62
-
memory/1220-134-0x00000000004A0000-0x00000000004A2000-memory.dmp Filesize: 8KB
-
memory/2308-146-0x0000000003590000-0x0000000003684000-memory.dmp Filesize: 976KB
-
memory/2308-141-0x0000000008C60000-0x0000000008DA8000-memory.dmp Filesize: 1.3MB
-
memory/2332-139-0x000000000041D000-0x000000000041E000-memory.dmp Filesize: 4KB
-
memory/2332-140-0x00000000008D0000-0x00000000008E1000-memory.dmp Filesize: 68KB
-
memory/2332-137-0x0000000000990000-0x0000000000CDA000-memory.dmp Filesize: 3.3MB
-
memory/2332-135-0x0000000000400000-0x0000000000429000-memory.dmp Filesize: 164KB
-
memory/2340-142-0x00000000001D0000-0x00000000001F7000-memory.dmp Filesize: 156KB
-
memory/2340-143-0x0000000002BA0000-0x0000000002BC9000-memory.dmp Filesize: 164KB
-
memory/2340-144-0x0000000004CD0000-0x000000000501A000-memory.dmp Filesize: 3.3MB
-
memory/2340-145-0x0000000004A30000-0x0000000004AC0000-memory.dmp Filesize: 576KB