af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1

General

Target

af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe
Size

2.8MB
MD5

de492cbc850eb7150ee62ea519b21986
SHA1

40779e9f591f0ae04e6967095b4974d04a5f2984
SHA256

af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1
SHA512

b7976c507ab679bdf93e14139cc4cf4fbeb3629c06da345927c12263f6c393b6b99eccf3800c1bfd71cd5b8f687ba90ddb2cc9d94778164c560224b81352181e

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "2"	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4268	WMIC.exe
Token: SeSecurityPrivilege	4268	WMIC.exe
Token: SeTakeOwnershipPrivilege	4268	WMIC.exe
Token: SeLoadDriverPrivilege	4268	WMIC.exe
Token: SeSystemProfilePrivilege	4268	WMIC.exe
Token: SeSystemtimePrivilege	4268	WMIC.exe
Token: SeProfSingleProcessPrivilege	4268	WMIC.exe
Token: SeIncBasePriorityPrivilege	4268	WMIC.exe
Token: SeCreatePagefilePrivilege	4268	WMIC.exe
Token: SeBackupPrivilege	4268	WMIC.exe
Token: SeRestorePrivilege	4268	WMIC.exe
Token: SeShutdownPrivilege	4268	WMIC.exe
Token: SeDebugPrivilege	4268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4268	WMIC.exe
Token: SeRemoteShutdownPrivilege	4268	WMIC.exe
Token: SeUndockPrivilege	4268	WMIC.exe
Token: SeManageVolumePrivilege	4268	WMIC.exe
Token: 33	4268	WMIC.exe
Token: 34	4268	WMIC.exe
Token: 35	4268	WMIC.exe
Token: 36	4268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4268	WMIC.exe
Token: SeSecurityPrivilege	4268	WMIC.exe
Token: SeTakeOwnershipPrivilege	4268	WMIC.exe
Token: SeLoadDriverPrivilege	4268	WMIC.exe
Token: SeSystemProfilePrivilege	4268	WMIC.exe
Token: SeSystemtimePrivilege	4268	WMIC.exe
Token: SeProfSingleProcessPrivilege	4268	WMIC.exe
Token: SeIncBasePriorityPrivilege	4268	WMIC.exe
Token: SeCreatePagefilePrivilege	4268	WMIC.exe
Token: SeBackupPrivilege	4268	WMIC.exe
Token: SeRestorePrivilege	4268	WMIC.exe
Token: SeShutdownPrivilege	4268	WMIC.exe
Token: SeDebugPrivilege	4268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4268	WMIC.exe
Token: SeRemoteShutdownPrivilege	4268	WMIC.exe
Token: SeUndockPrivilege	4268	WMIC.exe
Token: SeManageVolumePrivilege	4268	WMIC.exe
Token: 33	4268	WMIC.exe
Token: 34	4268	WMIC.exe
Token: 35	4268	WMIC.exe
Token: 36	4268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4464 wrote to memory of 696	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 696	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 696	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 696 wrote to memory of 4268	696	cmd.exe	WMIC.exe
PID 696 wrote to memory of 4268	696	cmd.exe	WMIC.exe
PID 696 wrote to memory of 4268	696	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 4224	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 4224	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 4224	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4224 wrote to memory of 3960	4224	cmd.exe	WMIC.exe
PID 4224 wrote to memory of 3960	4224	cmd.exe	WMIC.exe
PID 4224 wrote to memory of 3960	4224	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 2724	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 2724	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 2724	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 2724 wrote to memory of 3944	2724	cmd.exe	WMIC.exe
PID 2724 wrote to memory of 3944	2724	cmd.exe	WMIC.exe
PID 2724 wrote to memory of 3944	2724	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 4428	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 4428	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 4428	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4428 wrote to memory of 3164	4428	cmd.exe	WMIC.exe
PID 4428 wrote to memory of 3164	4428	cmd.exe	WMIC.exe
PID 4428 wrote to memory of 3164	4428	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 328	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 328	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 328	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 328 wrote to memory of 228	328	cmd.exe	WMIC.exe
PID 328 wrote to memory of 228	328	cmd.exe	WMIC.exe
PID 328 wrote to memory of 228	328	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 1804	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 1804	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 1804	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 1804 wrote to memory of 4280	1804	cmd.exe	WMIC.exe
PID 1804 wrote to memory of 4280	1804	cmd.exe	WMIC.exe
PID 1804 wrote to memory of 4280	1804	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 4928	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 4928	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 4928	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4928 wrote to memory of 1572	4928	cmd.exe	WMIC.exe
PID 4928 wrote to memory of 1572	4928	cmd.exe	WMIC.exe
PID 4928 wrote to memory of 1572	4928	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 2336	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 4464 wrote to memory of 2336	4464	af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe	cmd.exe
PID 2336 wrote to memory of 3808	2336	cmd.exe	cscript.exe
PID 2336 wrote to memory of 3808	2336	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe
"C:\Users\Admin\AppData\Local\Temp\af333dbeab9268398d985eb80c74adfaa84210a7e6222ab3fc1684a73f052ff1.exe"
1⤵
- Modifies security service
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' get started,state /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call startservice>C:\Users\Admin\AppData\Local\Temp\svctest.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' call startservice
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call stopservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' call stopservice
3⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call stopservice
2⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' call stopservice
3⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='ClipSVC' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='ClipSVC' get started,state /value
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wlidsvc' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wlidsvc' get started,state /value
3⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='sppsvc' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='sppsvc' get started,state /value
3⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs)>>C:\Users\Admin\AppData\Local\Temp\kms.log
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\system32\cscript.exe
cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs
3⤵
PID:3808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PID8.vbs
Filesize
2KB

MD5
78d143bc6c1968d0a228b29e823d051e

SHA1
a11dfa069c0b49487f55b32e8e9e89fad3796b5b

SHA256
dca511dfdbaadbad34a89f0fa4c86de1a8a37fedc326f7bc17a746d44b0fbaff

SHA512
af82ab5a8855576f0f29a681b07befd456ebca7e381e8c902e9151ceabf6c59035d02ead07fc98b2e601ea11746887664acee73f39ee2c029685289f9c519068

Download Submit
C:\Users\Admin\AppData\Local\Temp\kms.log
Filesize
35B

MD5
7fe0b758af0207e3dae31e0618c54afb

SHA1
64de9a12c49e7c810adb5af08ae83e10fb2362df

SHA256
8fb528281a0893afe0333cfa06673559658d046ef7bde09e83aeebc2126e0e29

SHA512
b1811b3e976dd3a28faf2ef33d9b48b1572bc1aed3ce6ec2f7c9d21f337f4336836d48a7b5f049f64a7bc80b19015d4b41fb24d731f4310359796459ab0de04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
Filesize
78B

MD5
b4cf1eee929f22c00ac2f5720ef7cfda

SHA1
d003a0ceaa5062863e2d2677b11f559ef32caa5d

SHA256
9c3a3f6432a7109b262cf38a5f50f4701139d6b6420eceb484aa86b534077721

SHA512
db3ab178b773f63909b6a759e3a91389991d2844f97b63e83b759187e5d2f31a16df4fb1512493ec74d944a8baa9a83559ab9b99a87171182ec74c556a2df620

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
Filesize
76B

MD5
50ba16b930ad981fbbf1314a5fd824c5

SHA1
bbe538f2f30c674426b20e00cd408d9f17e54a65

SHA256
ae782d53030dd93bc8a483f5bf7ace13e8b87d9135a5cd3544aafc47aa1d19da

SHA512
d3163bce4a9513fa84fabab6ba1acf5de90161207caccbc57079b9a08221d6dcad5d418a41ad5bddaed8ee81dea1f1a69340c4ee226cadd12e0ff81ac91bfbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
Filesize
76B

MD5
50ba16b930ad981fbbf1314a5fd824c5

SHA1
bbe538f2f30c674426b20e00cd408d9f17e54a65

SHA256
ae782d53030dd93bc8a483f5bf7ace13e8b87d9135a5cd3544aafc47aa1d19da

SHA512
d3163bce4a9513fa84fabab6ba1acf5de90161207caccbc57079b9a08221d6dcad5d418a41ad5bddaed8ee81dea1f1a69340c4ee226cadd12e0ff81ac91bfbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
Filesize
76B

MD5
50ba16b930ad981fbbf1314a5fd824c5

SHA1
bbe538f2f30c674426b20e00cd408d9f17e54a65

SHA256
ae782d53030dd93bc8a483f5bf7ace13e8b87d9135a5cd3544aafc47aa1d19da

SHA512
d3163bce4a9513fa84fabab6ba1acf5de90161207caccbc57079b9a08221d6dcad5d418a41ad5bddaed8ee81dea1f1a69340c4ee226cadd12e0ff81ac91bfbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\svctest.txt
Filesize
183B

MD5
85c54a0c7e1079aecd57bd17077eb753

SHA1
a23f9e9a16b8ddb73817a3ecb4dd116ce4d40ffb

SHA256
261fac94433884dd8400a960e673d5193c6336a32518b9fa14fe4aee1476e585

SHA512
7f573a744138bfac6e1e640c6da818e23ed54f82d5dd43bc9f2d6acf44462afdeeb472e58cff02cfa4bf0c7e4da690b53f3caa72e8a9ad081428dcf574170772

Download Submit
memory/228-141-0x0000000000000000-mapping.dmp

Download
memory/328-140-0x0000000000000000-mapping.dmp

Download
memory/696-130-0x0000000000000000-mapping.dmp

Download
memory/1572-147-0x0000000000000000-mapping.dmp

Download
memory/1804-143-0x0000000000000000-mapping.dmp

Download
memory/2336-149-0x0000000000000000-mapping.dmp

Download
memory/2724-136-0x0000000000000000-mapping.dmp

Download
memory/3164-139-0x0000000000000000-mapping.dmp

Download
memory/3808-150-0x0000000000000000-mapping.dmp

Download
memory/3944-137-0x0000000000000000-mapping.dmp

Download
memory/3960-134-0x0000000000000000-mapping.dmp

Download
memory/4224-133-0x0000000000000000-mapping.dmp

Download
memory/4268-131-0x0000000000000000-mapping.dmp

Download
memory/4280-144-0x0000000000000000-mapping.dmp

Download
memory/4428-138-0x0000000000000000-mapping.dmp

Download
memory/4928-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads