Analysis
- max time kernel: 153s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 15-02-2022 17:16
Static task: static1
Behavioral task: behavioral1
Sample: SC221420.exe
Resource: win7-en-20211208
General
- Target: SC221420.exe
- Size: 456KB
- MD5: 376f50bcc33f115ff257d0c05ac4ba1b
- SHA1: 6a81172d13f238b8ca60850870070ce8f3b20488
- SHA256: 0fcfde1ee285a35c722bfdd0b33f08771a26503d4bfc20541726456cf9351af1
- SHA512: 9bcce9e9dd2f2326f11b8a94867808404af9741e8e0dec59cf073a6eec666acfbb3eaaa26b6bb155060679937ee991048bf4ba3398bc53354c50dd9b61dae81c
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ahc8
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 2 IoCs
Processes:
  resource: behavioral2/memory/1560-134-0x0000000000400000-0x0000000000429000-memory.dmp  yara_rule: xloader
  resource: behavioral2/memory/2144-144-0x00000000008A0000-0x00000000008C9000-memory.dmp  yara_rule: xloader
Blocklisted process makes network request 2 IoCs
Processes:
  flow 61  pid 2144  process msiexec.exe
  flow 80  pid 2144  process msiexec.exe
Executes dropped EXE 2 IoCs
Processes:
  pid 492   process phlnztizg.exe
  pid 1560  process phlnztizg.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description: PID 492 set thread context of 1560   pid 492   process phlnztizg.exe  target process phlnztizg.exe
  description: PID 1560 set thread context of 2372  pid 1560  process phlnztizg.exe  target process Explorer.EXE
  description: PID 2144 set thread context of 2372  pid 2144  process msiexec.exe    target process Explorer.EXE
Drops file in Windows directory 3 IoCs
Processes:
  description: File opened for modification  ioc C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  process svchost.exe
  description: File opened for modification  ioc C:\Windows\Logs\CBS\CBS.log  process TiWorker.exe
  description: File opened for modification  ioc C:\Windows\WinSxS\pending.xml  process TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried  ioc \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  process MusNotifyIcon.exe
  description: Key opened         ioc \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       process MusNotifyIcon.exe
Modifies data under HKEY_USERS 51 IoCs
Processes (process is svchost.exe for every entry):
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"
  Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.660103"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"
  Key created     \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4196"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4396"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4056"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"
  Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.631898"
  Key created     \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config
  Key created     \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"
  Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"
  Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "12.505022"
  Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"
  Key created     \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132895954183846836"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"
  Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
  pid 1560  process phlnztizg.exe  (4 entries)
  pid 2144  process msiexec.exe    (remaining entries; 60 IoCs in total)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 2372  process Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid 1560  process phlnztizg.exe  (3 entries)
  pid 2144  process msiexec.exe    (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description: Token: SeDebugPrivilege     pid 1560  process phlnztizg.exe
  description: Token: SeDebugPrivilege     pid 2144  process msiexec.exe
  description: Token: SeSecurityPrivilege  pid 1112  process TiWorker.exe
  description: Token: SeRestorePrivilege   pid 1112  process TiWorker.exe
  description: Token: SeBackupPrivilege    pid 1112  process TiWorker.exe
  (the SeBackupPrivilege / SeRestorePrivilege / SeSecurityPrivilege cycle for pid 1112 TiWorker.exe repeats for the remaining entries; 64 IoCs in total)
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
  description: PID 3880 wrote to memory of 492   pid 3880  process SC221420.exe   target process phlnztizg.exe  (3 entries)
  description: PID 492 wrote to memory of 1560   pid 492   process phlnztizg.exe  target process phlnztizg.exe  (6 entries)
  description: PID 2372 wrote to memory of 2144  pid 2372  process Explorer.EXE   target process msiexec.exe    (3 entries)
  description: PID 2144 wrote to memory of 3036  pid 2144  process msiexec.exe    target process cmd.exe        (3 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SC221420.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SC221420.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
      command line: C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
        command line: C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe"
C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5i7piex8bs4j
  MD5: a52498c2a045ff0a0065ef878e1ffdfe
  SHA1: 23abc7ebc00bf80780a11dca2d25c46123046088
  SHA256: 52a72dec9b196122f3008e8f314ca83546448cf48e47ce485398d52edc7c0861
  SHA512: 25af0ff1d48e4c5d15f22f8d4770ff846dd711ea00a40255db094ebc7340df4ccd760e0654ca021c34d2f85e55b6770a720a01a0affcaa31530bdb28efb01dd7
- C:\Users\Admin\AppData\Local\Temp\bxqlkx
  MD5: 30efdc42eda73cb1c555eaf1484814f9
  SHA1: 4263d4d980c3e262615f9577d262d96dab3160bc
  SHA256: 95fc7ef3394623fa4142d220c0b13d62d7e03f0ad23917167dc578eef688f848
  SHA512: a67b30b0a9c7660c973b02bb054a43dd113cba575519ed89c054215407f4f8e9c4326f3734a6af4a831b04f3c2ce8907aec6e5aae2f857218f84fc2920fc2459
- C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
  MD5: f9082eb743fa0bf57bf91d97f5251a44
  SHA1: 0c58960df67a771c5a780ea0bf1adcbb3296710c
  SHA256: c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20
  SHA512: 30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62
- memory/1560-136-0x0000000000AA0000-0x0000000000DEA000-memory.dmp  Filesize: 3.3MB
- memory/1560-134-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
- memory/1560-138-0x000000000041D000-0x000000000041E000-memory.dmp  Filesize: 4KB
- memory/1560-139-0x0000000000500000-0x0000000000511000-memory.dmp  Filesize: 68KB
- memory/2144-144-0x00000000008A0000-0x00000000008C9000-memory.dmp  Filesize: 164KB
- memory/2144-143-0x00000000009E0000-0x00000000009F2000-memory.dmp  Filesize: 72KB
- memory/2144-145-0x0000000004840000-0x0000000004B8A000-memory.dmp  Filesize: 3.3MB
- memory/2144-146-0x00000000045D0000-0x0000000004660000-memory.dmp  Filesize: 576KB
- memory/2372-140-0x0000000008810000-0x0000000008915000-memory.dmp  Filesize: 1.0MB
- memory/2372-147-0x0000000008610000-0x00000000086B1000-memory.dmp  Filesize: 644KB