Analysis

max time kernel: 301s
max time network: 303s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 16-02-2022 02:39

Static task: static1
Behavioral task: behavioral1
Sample: loader4.exe
Resource: win7-en-20211208

General

Target: loader4.exe
Size: 267KB
MD5: a745520f45bced7375d4e918a82c0517
SHA1: 5fe7418c073c45eebbd6d12220cd63a49ea4f122
SHA256: 22099fbafc3dda95912c51aa0c313826f21e2fe84ef51453c649f66ab29c6916
SHA512: caa99e83e30c03a90e97c09f296eb2530e08da47957b4aa632909ffae9a2c929cf641496fbc9640598e1dca05f269b950b3ce8c10b198af0180684581e6dc194
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: ndf8
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Processes:
resource                                                                       yara_rule
behavioral2/memory/648-134-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
behavioral2/memory/648-138-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
behavioral2/memory/2812-143-0x0000000002760000-0x0000000002789000-memory.dmp   xloader
Executes dropped EXE (2 IoCs)
Processes: twwruwspfp.exe
pid   process
740   twwruwspfp.exe
648   twwruwspfp.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: twwruwspfp.exe, mstsc.exe
description                 pid   process          target process
set thread context of 648   740   twwruwspfp.exe   twwruwspfp.exe
set thread context of 2440  648   twwruwspfp.exe   Explorer.EXE
set thread context of 2440  2812  mstsc.exe        Explorer.EXE
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, TiWorker.exe
description                   ioc                                                                                                              process
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                                                                      TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                                                                                    TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
description        ioc                                                                     process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        MusNotifyIcon.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   MusNotifyIcon.exe
Modifies data under HKEY_USERS (55 IoCs)
Processes: svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: twwruwspfp.exe, mstsc.exe
pid   process          entries
648   twwruwspfp.exe   4
2812  mstsc.exe        60
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid   process
2440  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: twwruwspfp.exe, mstsc.exe
pid   process          entries
648   twwruwspfp.exe   3
2812  mstsc.exe        2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: twwruwspfp.exe, mstsc.exe, TiWorker.exe
description                 pid   process
Token: SeDebugPrivilege     648   twwruwspfp.exe
Token: SeDebugPrivilege     2812  mstsc.exe
Token: SeSecurityPrivilege  1828  TiWorker.exe
Token: SeRestorePrivilege   1828  TiWorker.exe
Token: SeBackupPrivilege    1828  TiWorker.exe
(the three TiWorker.exe privilege entries alternate repeatedly; 62 entries in total)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: loader4.exe, twwruwspfp.exe, Explorer.EXE, mstsc.exe
description               pid   process          target process   entries
wrote to memory of 740    2460  loader4.exe      twwruwspfp.exe   3
wrote to memory of 648    740   twwruwspfp.exe   twwruwspfp.exe   6
wrote to memory of 2812   2440  Explorer.EXE     mstsc.exe        3
wrote to memory of 828    2812  mstsc.exe        cmd.exe          3
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\loader4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\loader4.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\mstsc.exe
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe"
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\puqyxao
MD5: 0cccb3d3ec85f522fea9003131f138d8
SHA1: 36963157e9e15060897a66454528b2d51ff5edab
SHA256: 0321eb87cf5be1d4802819099986bb5fa020e238c808e078a82e813c815b79fe
SHA512: 0ab908137ab532de23c15f7e8b39884359816708967b5c73ab0b97cb191ec8a2c0e21cd31180e5c59ee4632e5d43fc40cce8c484e9907dcb8535600d8144e880

C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
MD5: 73133e111e6aa23a59aae286f9c39fa4
SHA1: 859ab7fdf5cf27e7b41bcfc6f3ef224c3f461278
SHA256: f67e0787d9af8915d51c45c47249d790695919171f2698d1b94ab31d7db34661
SHA512: 6cde996a0e2094ebf5fa883fb8064ec9563f0dc05bef0a6b52154d554a9a6fd4fcd49a99adbb3d4245a6548da75eae7057759d9c057cc50f9cb485d6fd7fce78

C:\Users\Admin\AppData\Local\Temp\wjy7pi4nrswxf71xx
MD5: 07d9a36fc28fec669f3faadcc3afb0cb
SHA1: 759b5877bb4253463d1b9009367e25659ee33f2b
SHA256: 9ae40010d4ca8121fdf6005ef4539f0fcc7aa7be94f674717757fad6908e06e2
SHA512: 2228ea42ba63f8ecc66e0e5e29687e911bca430d449bae74389316a288fa4221200136aad7318d0cce38c8f9ff62672ff70063cae0ca73e3fe99fa9ba54094ed

memory/648-139-0x000000000041D000-0x000000000041E000-memory.dmp    Filesize: 4KB
memory/648-137-0x0000000000A80000-0x0000000000DCA000-memory.dmp    Filesize: 3.3MB
memory/648-138-0x0000000000400000-0x0000000000429000-memory.dmp    Filesize: 164KB
memory/648-134-0x0000000000400000-0x0000000000429000-memory.dmp    Filesize: 164KB
memory/648-140-0x00000000005D0000-0x00000000005E1000-memory.dmp    Filesize: 68KB
memory/2440-141-0x0000000008250000-0x000000000836D000-memory.dmp   Filesize: 1.1MB
memory/2440-146-0x00000000084F0000-0x0000000008655000-memory.dmp   Filesize: 1.4MB
memory/2812-142-0x0000000000570000-0x00000000006AA000-memory.dmp   Filesize: 1.2MB
memory/2812-143-0x0000000002760000-0x0000000002789000-memory.dmp   Filesize: 164KB
memory/2812-144-0x00000000049D0000-0x0000000004D1A000-memory.dmp   Filesize: 3.3MB
memory/2812-145-0x0000000004720000-0x00000000047B0000-memory.dmp   Filesize: 576KB